Fingerprint sensors are emerging as the next big feature in smartphones - the Apple iPhones have them and so do the Google Nexus phones. The convenience of using fingerprints to unlock devices makes them very desirable, but are they secure? No, says Elliot Williams in his critique of the use of fingerprints in place of passwords.
While there are vulnerabilities even in passwords and the way we use them, Williams lists a number of reasons that we should ponder before choosing the convenience of a fingerprint over the security of a password. You can read his detailed analysis of the weakness of fingerprint security.
These are the four (possibly more) reasons why you shouldn't rely on fingerprints to secure your phone:
1. Fingerprints are not secret: We leave our fingerprints everywhere. Unlike a password, which we might have only in our head or noted down on a secret document somewhere, our fingerprints are on the devices we use, the cups we drink from, the tables we lay our hands on and the door handles we turn, and they can even be recovered from photographs. They are, in fact, almost everywhere we go. And security researchers have demonstrated that copying and mimicking fingerprints is not that tough a task.
2. Fingerprints are not revocable: What do you do when you know that a password of yours has been leaked? You change it. Try doing that with your fingerprint. Once your fingerprint is stolen, it is stolen forever.
3. Fingerprints are difficult to store securely: Hash functions are widely used to protect passwords. The nature of fingerprints and how they are used in security means that for a fingerprint to match, it doesn't need to be an exact match; close enough is good enough. Because of this, fingerprints can’t usefully be hashed and can only be encrypted, which isn't always the best of solutions. This is another chink in the fingerprint armour.
4. Fingerprint security can sleep while you are asleep: There's another vulnerability beyond what the Hackaday post discusses. Assume you are asleep and someone wants to unlock your passcode-protected phone. He can't easily do so, because he doesn't know your passcode. However, if you have only fingerprint security enabled, that person merely needs to put your finger (you are asleep, so not in a position to resist) on the sensor and the content on your phone is unlocked.
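To make point 3 concrete, here is an added example (not from Williams's article) showing why a salted hash verifies a password but fails on a second scan of the same finger, while a tolerance-based matcher succeeds only because it can read the enrolled template directly. The template format (a list of x, y, angle points), the jitter model and the thresholds are simplified assumptions, not a real fingerprint matcher.

```python
import hashlib, hmac, os, random

def hash_secret(data: bytes, salt: bytes) -> bytes:
    # Salted, deliberately slow hash of the kind used to store passwords.
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

def encode(template):
    # Serialize a template (list of (x, y, angle) points) so it can be hashed.
    return ";".join(f"{x},{y},{a}" for x, y, a in template).encode()

def jitter(template, rng, max_shift=2):
    # Simulate a second scan of the same finger: every point moves slightly.
    d = lambda: rng.randint(-max_shift, max_shift)
    return [(x + d(), y + d(), (a + d()) % 360) for x, y, a in template]

def fuzzy_match(enrolled, probe, tol=4, threshold=0.8):
    # "Close enough" matching: needs the enrolled points in readable form.
    def near(p, q):
        da = abs(p[2] - q[2]) % 360
        return (abs(p[0] - q[0]) <= tol and abs(p[1] - q[1]) <= tol
                and min(da, 360 - da) <= tol)
    hits = sum(any(near(p, q) for q in probe) for p in enrolled)
    return hits / len(enrolled) >= threshold

def random_template(rng, n=20):
    # Constructed sample data standing in for extracted fingerprint features.
    return [(rng.randint(0, 255), rng.randint(0, 255), rng.randint(0, 359))
            for _ in range(n)]

def demo():
    rng = random.Random(1)
    salt = os.urandom(16)
    # Password: the same input always reproduces the stored hash.
    stored = hash_secret(b"correct horse", salt)
    pw_ok = hmac.compare_digest(stored, hash_secret(b"correct horse", salt))
    # Fingerprint: the re-scan is near the enrolled template, never identical.
    enrolled = random_template(rng)
    rescan = jitter(enrolled, rng)
    hash_ok = hmac.compare_digest(hash_secret(encode(enrolled), salt),
                                  hash_secret(encode(rescan), salt))
    same_finger = fuzzy_match(enrolled, rescan)
    other_finger = fuzzy_match(enrolled, random_template(rng))
    return pw_ok, hash_ok, same_finger, other_finger

if __name__ == "__main__":
    print(demo())
```

The hash comparison rejects the genuine re-scan, so the device has to keep a template it can compare against, and that template can at best be encrypted at rest.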
"Don’t use fingerprints as if they were passwords," because "they’re not secret, they’re not revocable, and they’re very difficult to store securely," Williams concludes.