| Lookout Blog September 11, 2013

September 11, 2013

Lookout's Take on Fingerprint Passcodes

By Marc Rogers

Apple’s iPhone 5S announcement has everyone asking: will a simple touch of your fingerprint end the days of manually entering a passcode on your device? Probably not. But fingerprint technology is full of exciting promise for mobile security: if implemented correctly, it has the potential to usher in a new generation of secure mobile services.

Long rumored, the new 5S will have a “Touch ID” fingerprint technology built into the home button that will give users the ability to unlock the device with their fingerprint. Fingerprint technology is a great way for passcode-wary consumers to get a dose of security: just over half of people say they use a passcode on their phone today; and of those that don’t use a passcode, many say it’s because it’s inconvenient. With phone theft and loss huge threats to the privacy of your device, setting a passcode is critical. Fingerprint technology helps marry security and convenience, giving people a natural way to build device security into their life.

All technologies have weaknesses, and fingerprint-based biometrics is no different. One serious risk is that fingerprints can be lifted and duplicated. While we can expect the fingerprint scanner in Apple’s latest device to use the most advanced defenses to protect against these types of attack, it’s good to keep in mind that this technology has been circumvented before and is likely to be challenged again.

Despite potential weaknesses, fingerprint-based biometrics offer undoubted opportunities for improved security. Our fingerprints are always with us, and no matter how efficient attacker technology becomes, there will always be a cost in terms of complexity, time and materials for an attacker to duplicate them. By understanding and accounting for the limitations of fingerprint-based biometric security, we can embrace the benefits using it to both enhance mobile device physical security and lay the foundation that could allow us to architect a new generation of secure mobile services. How should fingerprint technology be implemented? While fingerprint security alone shouldn’t be considered sufficient for high security situations, using it as part of “two factor” security where you enhance the fingerprint with an additional security barrier such as a passphrase or pin code will create strong protection that is suitable for even some of the most delicate or risky situations. This is potentially great news for enterprises concerned about the likelihood of corporate data ending up on smartphones as part of BYOD. If you require two factor authentication using the fingerprint and a strong passphrase when the devices is powered up or the first time it is used after a defined period of inactivity you create a level of protection that outstrips what most laptops or desktop PC’s are capable of offering. It could be great news for financial institutions, too, as two factor authentication using biometric information has long been seen as one of the strongest lines of defense against phishing attacks. By allowing developers to leverage this technology as they build applications, Apple could empower developers to create a new generation of secure yet convenient-to-use mobile services. The road ahead won’t be free of challenges. Apple has already overcome one major risk by stating that biometric data will only be stored on the user’s device so as to avoid creating a cloud service that hosts millions of user’s biometric identities, something that would be an irresistible target for both cyber criminals and state sponsored hackers. Now the company will face a second challenge: ensuring that user data is adequately protected on the device itself so that it is secure in the event a device gets stolen. Apple will also have to ensure that a rogue developer cannot use this technology in order to harvest biometric identities as people play their latest innocuous-looking game. The success or failure of fingerprint technology on the iPhone hinges on its implementation - if incorporated correctly, fingerprint security could change the way we look at mobile security; If implemented poorly or made too cumbersome for users, it’s likely to end up a quickly forgotten feature. Only time, and the launch of Apple’s new iPhone, will tell us for sure.


Marc Rogers