Passwords are often criticized for not being effective enough these days, and yet they continue to be the main alternative to the biometrics-based approach. Therefore, a comparison of these two techniques will shed light on their imperfections and weak links. Here we go.
A serious caveat regarding biometric security is that it’s impossible to modify such authentication data remotely. If you are using a password, though, you can easily resort to a recovery option in case you forgot it or your account got compromised.
An extra benefit of this workflow is that you will be able to change the password along the way or further enhance your security by enabling 2FA (two-factor authentication).
With biometric authentication in place, things are entirely different. You cannot alter the previously configured security set-up of a device unless you have physical access to it.
Therefore, if your smartphone is stolen, a motivated thief may be able to use a fake silicon finger, or 3D-printed one, to fool the fingerprint reader, unlock the gadget, and pilfer all of your personal data stored inside it.
When you opt for fingerprint-based authentication on a smartphone, you will most likely need to press the sensor multiple times with a single finger to get started. This is because the sensors embedded in such devices are limited in size, and they can only scan a relatively small fragment of your fingerprint at a time.
By capturing partial fingerprint patterns from several different angles during the enrollment, the gadget can ensure that at least one of them will match the impression retrieved from the user during every subsequent instance of authentication.
According to security analysts’ findings, a specific partial fingerprint dubbed the “MasterPrint” – artificially created or real one – can trigger a successful authentication response on roughly 65% of devices. This is an observation made in lab conditions, and the real-life numbers will probably be much lower than that.
Nevertheless, even if this theory holds true for 10% of all smartphones, it means the potential exploitation surface spans millions of gadgets.
Whereas you can easily change your password in case someone steals it, your fingerprint, iris and other biometric characteristics are unchangeable. If another person has a replica of these, there is pretty much nothing you can do to be on the safe side except opting for passwords or security tokens.
In a massive breach at the U.S. Office of Personnel Management, hackers reportedly stole 5.6 million individuals’ fingerprints. As a result, the affected government employees and contractors can’t be sure that their fingerprint-based authentication will ever be reliable enough.
Drawback 4: Software flaws
Researchers at FireEye Labs discovered a number of critical vulnerabilities in popular Android smartphones that could potentially allow an attacker to remotely obtain the user’s fingerprint and compromise mobile payment workflows.
Thankfully, the vendors have since provided fixes for these issues, but the fact remains that biometric authentication software can turn out to be low-hanging fruit.
Security experts have unearthed methods that may be used by malicious actors to deceive biometric authentication systems. Below is a roundup of these techniques.
With a targeted person’s high-quality fingerprint at hackers’ disposal, they may be able to reproduce this pattern with maximum precision on a slim sheet of silicon, rubber, or other flexible material. To unlock a device, the attacker will then need to put the bogus print on the scanner and press it with his finger to conduct electricity and thereby fully emulate the real-world authentication scenario.
Some iris scanners are easy to fool. It suffices to take a picture of the iris with the average camera in night mode, print the image on paper, and place a wet contact lens on top of it to imitate the shape of the eye.
Cybercriminals may try to take a shortcut and hack the component of a mobile device that stores the authentication details. If an iOS gadget is a target, then the attackers will need to gain access to the Secure Enclave chip. The good news is that a vast majority of crooks lack the expertise to do it. It’s technically feasible, though. In fact, white hat researchers have already done it as a proof of concept.
For Android devices, a similar incursion is doable by breaking into the Trusted Execution Environment (TEE) and pulling off a peculiar privilege escalation stratagem. Fortunately, this exploitation isn’t feasible for most cybercrooks either and there haven’t been any major real-world incidents of that sort yet. However, the mobile threat underground is maturing and such attacks might occur in the future.
Here is how to enhance the security of your fingerprint authentication routine:
Biometric authentication is definitely an amazing technology that extends the scope of users’ login options and generally makes the process more effective. However, it’s not flawless.
With that said, it’s in your best interest to make sure you are using it securely. And do not forget about other ways to protect your devices as such things as closing open ports, installing all software updates, and getting an antivirus are still very important security factors.
Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.
Sign up now!
