News has emerged that hackers have successfully duplicated fingerprints used to unlock the Samsung Galaxy S5 phone. According to security firm FireEye, which will present its findings at today’s RSA conference, a flaw in Android makes it possible to steal the fingerprint data from the device so it can be reused elsewhere.
The flaw is the latest in a series of problems uncovered with biometric identification systems, casting further doubt on the feasibility of biometrics as a password killer. While biometric authentication is undoubtedly a fantastic innovation, at Dashlane we still think there are a number of issues we need to iron out before it becomes a de facto form of identification for the masses. So, with that in mind, let’s take a closer look at the pros and cons of biometrics versus the password:
- YOU CAN’T CHANGE YOUR BIOMETRIC PASSWORD
Biometric authentication can be hacked as with any other form of authentication. But unlike passwords, biometric data that has been stolen cannot be changed: you cannot replace your stolen fingerprints with a new set, nor can you replace a finger you might lose in an accident. Once the hackers have the key, they’re in.
- BUT YOU CAN CHANGE YOUR FINGERPRINTS
In 2009, 27-year-old Chinese national Lin Rong paid doctors almost £10,000 to change her fingerprints so that she could bypass the biometric sensors used by immigration authorities at Japan’s airports. Chinese surgeons swapped the fingerprints between her right and left hands. It worked, and she was successfully admitted. Biometric fraud is alive and well.
- YOU CAN’T SHARE YOUR BIOMETRICS
Biometric authentication has other major limitations: it cannot be shared and cannot be made anonymous. Sharing login data, or using it anonymously, is something more and more internet users do, whether for business or in their personal lives. Only a password management system can securely allow shared access for multiple individuals.
- YOU CAN LOSE YOUR VOICE
Banking is one example of a sector increasingly turning to voice biometrics, typically deployed inside the bank’s Interactive Voice Response (IVR) telephone system. Customers telephoning the bank either recite a passphrase or hold a 30-second conversation with the operator while a system analyses their natural speech pattern and verifies it against a stored voiceprint. Barclays reported 95% accuracy. That still leaves one caller in twenty falling back on passwords or other “traditional” verification methods. And what if you’re under the weather and lose your voice…?
- YOUR ANONYMITY IS GONE
Passwords preserve anonymity – you’re not identifying who you are, simply authenticating access. When you start to remove this anonymity, it raises all sorts of privacy issues. Where different passwords are used for authenticating access to different sites, the person behind each login could be anyone; biometrics place a specific individual at the point of access. And once hackers know it’s you, they could start to build a profile of everywhere you go, everything you do and even where all your key information is stored.
- THUMBPRINTS AREN’T AS SECURE AS YOU MIGHT THINK
Thumbprints aren’t all that secure. In Germany, hackers from the Chaos Computer Club lifted the fingerprint of the country’s interior minister, Wolfgang Schäuble, from a glass of water he’d left behind after a speech. Having successfully copied it, they reproduced it 4,000 times on a plastic film, and then distributed it in their magazine urging readers to impersonate the minister. More recently, the same club copied prints using nothing but high-resolution photographs of a hand. Other hackers have also successfully spoofed fingerprint readers using nothing more than…Play-Doh.
- AND NEITHER ARE YOUR IRISES
Jan Krissler, again from the Chaos Computer Club, has used both high-resolution photography and even Google Images to defeat iris scanners. “I did tests with different people and can say that an iris image with a diameter down to 75 pixels worked on our tests,” he told Forbes. The printout required a resolution of 1,200 dots per inch (dpi), and at least 75 per cent of the iris had to be visible. On Google Images, he found images suitable for iris spoofing of Russian president Vladimir Putin, UK Prime Minister David Cameron, US president Barack Obama and 2016 presidential candidate Hillary Clinton.
- THE ENVIRONMENT CAN PLAY TRICKS
Even your own environment can conspire against accurate biometric access. During one test by a manufacturer, a hand geometry system under review at Sandia National Labs in New Mexico in the US showed an error rate of only 0.2%. When the same tests were run at nearby Kirtland Air Force Base, the error rate rocketed to 20%, purely as a result of a different environment and a different group of people being tested. You can read more about the research here.
- YOU BECOME THE TARGET
Consider PayPal and its headline-grabbing work on a new generation of embeddable, injectable and ingestible devices to replace passwords. This “natural body identification” may mean that hackers no longer have to hack a system; they just need your actual body. “Brute force attacks” could take on a whole new, sinister meaning…
- BECAUSE MULTI-FACTOR AUTHENTICATION WILL ALWAYS WIN
All of the above is not to say that biometric authentication cannot be useful. As an additional factor, biometrics can provide another useful layer of security, particularly when using especially sensitive services like our bank accounts. However, for the foreseeable future at least, strong, unique passwords should remain the foundation on which a strong defense against online breaches is built.
Want to read more on the subject? Check out our previous post here.