September 11, 2013

Lookout’s Take on Fingerprint Passcodes

Apple’s iPhone 5S announcement has everyone asking: will a simple touch of your fingerprint end the days of manually entering a passcode on your device? Probably not. But fingerprint technology is full of exciting promise for mobile security: if implemented correctly, it has the potential to usher in a new generation of secure mobile services.

Long rumored, the new 5S will have a “Touch ID” fingerprint technology built into the home button that will give users the ability to unlock the device with their fingerprint. Fingerprint technology is a great way for passcode-wary consumers to get a dose of security: just over half of people say they use a passcode on their phone today; and of those that don’t use a passcode, many say it’s because it’s inconvenient. With phone theft and loss huge threats to the privacy of your device, setting a passcode is critical. Fingerprint technology helps marry security and convenience, giving people a natural way to build device security into their life.

All technologies have weaknesses, and fingerprint-based biometrics is no different. One serious risk is that fingerprints can be lifted and duplicated. While we can expect the fingerprint scanner in Apple’s latest device to use the most advanced defenses to protect against these types of attack, it’s good to keep in mind that this technology has been circumvented before and is likely to be challenged again.

Despite potential weaknesses, fingerprint-based biometrics offer undoubted opportunities for improved security. Our fingerprints are always with us, and no matter how efficient attacker technology becomes, there will always be a cost in terms of complexity, time and materials for an attacker to duplicate them. By understanding and accounting for the limitations of fingerprint-based biometric security, we can embrace the benefits of using it both to enhance mobile device physical security and to lay the foundation that could allow us to architect a new generation of secure mobile services.

How should fingerprint technology be implemented? While fingerprint security alone shouldn’t be considered sufficient for high-security situations, using it as part of “two-factor” security, where you enhance the fingerprint with an additional security barrier such as a passphrase or PIN code, will create strong protection that is suitable for even some of the most delicate or risky situations. This is potentially great news for enterprises concerned about the likelihood of corporate data ending up on smartphones as part of BYOD. If you require two-factor authentication using the fingerprint and a strong passphrase when the device is powered up, or the first time it is used after a defined period of inactivity, you create a level of protection that outstrips what most laptops or desktop PCs are capable of offering. It could be great news for financial institutions, too, as two-factor authentication using biometric information has long been seen as one of the strongest lines of defense against phishing attacks. By allowing developers to leverage this technology as they build applications, Apple could empower developers to create a new generation of secure yet convenient-to-use mobile services.
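The unlock policy described above, written out as an added example (not Lookout’s or Apple’s code): fingerprint alone unlocks the device during routine use, but the first unlock after power-up, or after an assumed 48-hour inactivity limit, must present both fingerprint and passphrase.

```python
from typing import Optional

# Assumed policy value for this example; the post does not state a number.
INACTIVITY_LIMIT_SECONDS = 48 * 3600


class UnlockPolicy:
    """Decides which factors an unlock attempt must present.

    Routine unlocks need only the fingerprint. The first unlock after
    power-up, and any unlock after more than inactivity_limit seconds
    without use, must present fingerprint AND passphrase (two-factor).
    """

    def __init__(self, inactivity_limit: int = INACTIVITY_LIMIT_SECONDS) -> None:
        self.inactivity_limit = inactivity_limit
        self.last_strong_auth: Optional[float] = None  # last fingerprint+passphrase success
        self.last_use: Optional[float] = None          # last successful unlock of any kind

    def power_cycle(self) -> None:
        """A reboot discards all unlock state, so the next unlock is two-factor."""
        self.last_strong_auth = None
        self.last_use = None

    def required_factors(self, now: float) -> set:
        if self.last_strong_auth is None:
            return {"fingerprint", "passphrase"}  # nothing strong since power-up
        if now - self.last_use > self.inactivity_limit:
            return {"fingerprint", "passphrase"}  # defined period of inactivity elapsed
        return {"fingerprint"}

    def attempt(self, now: float, results: dict) -> bool:
        """results maps each presented factor name to whether it verified.

        Denied if any required factor is missing or any presented factor
        failed; a failed factor is never ignored just because it was not
        required. Failed attempts do not refresh the inactivity timer.
        """
        needed = self.required_factors(now)
        if not needed <= set(results):
            return False
        if not all(results.values()):
            return False
        self.last_use = now
        if "passphrase" in needed:
            self.last_strong_auth = now
        return True
```
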

The road ahead won’t be free of challenges. Apple has already overcome one major risk by stating that biometric data will only be stored on the user’s device, so as to avoid creating a cloud service that hosts millions of users’ biometric identities, something that would be an irresistible target for both cyber criminals and state-sponsored hackers. Now the company will face a second challenge: ensuring that user data is adequately protected on the device itself so that it is secure in the event a device gets stolen. Apple will also have to ensure that a rogue developer cannot use this technology to harvest biometric identities as people play their latest innocuous-looking game.

The success or failure of fingerprint technology on the iPhone hinges on its implementation – if incorporated correctly, fingerprint security could change the way we look at mobile security; if implemented poorly or made too cumbersome for users, it’s likely to end up a quickly forgotten feature.

Only time, and the launch of Apple’s new iPhone, will tell us for sure.

  1. Mack K says:

    No mention of the elephant in the room?
    How will mobile device makers keep our fingerprints out of the hands of the NSA?

  2. Ricardo says:

    “While we can expect the fingerprint scanner in Apple’s latest device to use the most advanced defenses to protect against these types of attack…”

    I think you can do more than expect it. If you read the Authentec patents (now Apple’s patents since they bought Authentec a year ago) and listen to what Apple says, they certainly are using the most advanced defenses. The sensor detects subtle changes in conductivity in the ridges and valleys beneath the outer layer of skin, so lifting a print and making a photocopy just won’t work. Also, making a mold of a finger with biological gel, one would still have to engineer a way to alter the conductivity of the gel to correspond to the ridges and valleys. That would be one tough nut to crack.

    “Now the company will face a second challenge: ensuring that user data is adequately protected on the device itself so that it is secure in the event a device gets stolen.”

    Again, if you listen to point-blank statements from Apple, the data is in no way accessible to anyone. Key characteristics of the recorded fingerprint are first encrypted, then stored in a region of nonvolatile memory internal to the A7 processor chip. (The fingerprint image is never recorded anywhere.) There is no “read” capability for this region. Once there, all that can be done with it is to submit another fingerprint to the A7, and its internal processing will return a match or no-match result. The software for this function is not in RAM or flash, it’s internal to the A7, so the verification code just isn’t available for hacking.

    Now, I read somewhere that quoted you as saying that criminals have already cut off someone’s finger when they stole a phone, to use on its fingerprint reader. Would you mind revealing the source of this info?

  3. Vishal Verma says:

    A fingerprint sensor is actually a poor choice for Apple to implement at this point, given that Android phone(s) tried it and settled on Face Unlock, and the timing can’t be worse – there are enough NSA jokes on the Internet to fill a few volumes.

    Fingerprint sensors add to COGS without increasing utility beyond ID (not available to developers on iPhone), increase complexity, and don’t earn you THAT much in terms of security. On top of that you have to manage people’s expectations, and explain how the devices are using/storing the data.

    Face Unlock is insecure too, even with the blinking requirement turned on. But, at least it does it without adding new hardware.

    The baseline – multifactor authentication is still key. Maybe there’s a way for Lookout to warn the user if they have insecure unlock settings.

  4. Serge Chassagne says:

    Hello gentlemen, I don’t understand what is happening with my Lookout antivirus app. Every day I receive an update for Lookout, and I can’t install it; I then get a message telling me that the application already exists… I don’t dare reinstall the application because I paid for the full version of Lookout. What can I do to update my application? Thank you for replying. See you soon.

  5. Vancouver Security says:

    I like this new feature on the iPhone 5. I hope they will soon fix all the problems related to this new technology, which may really be useful for users.

  6. majanjean says:

    I lost my phone, and I have Lookout downloaded but not set up. It seems as though the phone fell somewhere and is on silent, but I cannot remember where. Is there anything that can be done remotely to somehow activate it on the phone in order to locate it? Please let me know, thank you.

  7. I think we do need to eliminate the need for passwords. However, the manner of fingerprint ID proof would ultimately be a vague or extreme underlying discomfort of having accomplished an Orwellian type of society after all.

  8. Help. I cannot use my cell phone because I DON’T have a passcode. This just started yesterday. I can’t reach you by phone and I am very upset. My husband is sick in the hospital and I must be able to receive and make phone calls.

    • Meghan Kelly says:

      Hi Maureen, I’m sorry to hear you’re having trouble accessing your phone. I’d bring your phone into your carrier to see if they can help you troubleshoot why you can’t make calls. If you believe this is an issue with Lookout, please email us at support [at] lookout [dot] com and include the email address associated with your Lookout account. Sorry again and hope this gets figured out soon!

  9. Send me a new passcode because I cannot use my phone at all. This just started yesterday. I DO NOT remember signing up for the premium Lookout to begin with. 7146053066. You can call me on the house phone if need be: 7149680161. T-Mobile could not help me. Very important.

    • Meghan Kelly says:

      Hi Maureen, I’m just seeing this second comment! Sorry reaching out to the carrier didn’t work. I’m passing your note along to our support team now. Hopefully we can get this sorted out.

    • Meghan Kelly says:

      Maureen, our support team says that we will be sending you instructions and your last PIN via the registered email address on your account.
