Why Biometrics Are Good For Identification, Bad For Authorization
I have never been much of a fan of using your fingerprint or eyeball print as a way of gaining access to something – whether it be your phone or a data center. There are a number of reasons why, but now we can add a new one to it.
The Chaos Computer Club demonstrated (see article in Tech Crunch) a way to capture a fingerprint and fool the iPhone’s fingerprint reader with it. Some fingerprint readers are even easier to fake – you can fool them with a fingerprint on a gummy bear.
Now mind you, their attack took some serious work, and for most people, who don’t even put a PIN on their phone, the fingerprint is a serious upgrade.
For those people who are paranoid, the courts have held that you can be forced to stick out your finger to unlock your phone while you cannot be forced – without being given immunity – to give up your password. Also, you can, conveniently, forget your password. It is hard to forget your finger.
Suffice it to say, biometric information can be captured, with varying degrees of difficulty, and if that information is used for authorization (i.e. to unlock your phone), it is possible to unlock your phone without your approval.
One way to get around this is to use biometrics to identify the user and a password to authorize that user, but that is inconvenient, so, except in high-security environments – such as data centers – it is not often done.
Now today’s new problem. Agic (see their web site) has created a technology that allows you to print a computer circuit board on your ink jet printer. Swap out the ink cartridges with their ink and use their paper and you can print a circuit board. Put some components on it and you have a real circuit.
How does this relate to biometrics? Well, apparently, it turns out that the capacitance of this ink-and-paper combination is such that you can print a fingerprint on their paper, using their ink, and that printed fingerprint has the right capacitance to fool many fingerprint readers.
This means that you can take a picture of someone’s finger, invert the ridges and grooves and print it. They claim to have unlocked a Samsung Galaxy S6 using this technique.
It also means that if you forget your finger and you took a picture of it and put it in your wallet, you can still unlock your phone.
The point is that there should be a distinction between IDENTIFYING who you are and AUTHORIZING your access – and vendors are collapsing the two.
That being said, given that many people don’t even put a PIN on their phones (Marissa Mayer, CEO of Yahoo, famously said that it was too much work to do that; see article), using a fingerprint is a huge step up. But for those people for whom security is important, I do not recommend using a fingerprint at this time. An alphanumeric password of at least 10 characters is a pretty safe bet. Experts are recommending 16 characters. It could be a phrase like “I Like Ice Cream!”, since those are a lot easier to remember.
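To make the identification/authorization split concrete, here is an added example (not code from the original post, and not how any phone vendor implements it) of a login flow in which the fingerprint only answers "which enrolled user does this finger look like?" and a password is still required before access is granted. It also enforces the minimum password length recommended above at enrollment time. The fingerprint "template" is a stand-in: a constructed 64-bit feature vector compared by Hamming distance, not a real minutiae matcher, and the match threshold, user names, templates and passwords are all made up for the demo.

```python
"""Added example: biometrics for IDENTIFICATION, a password for AUTHORIZATION.

A spoofed finger (gummy bear, printed capacitive copy) can at best get
identify() to return the victim's username; it never satisfies authorize().
"""
import hashlib
import hmac
import os

MIN_PASSWORD_LEN = 10   # the post's "at least 10 characters" recommendation
MATCH_THRESHOLD = 8     # assumption: up to 8 differing template bits still count as a match
PBKDF2_ROUNDS = 200_000

# Constructed demo templates (64-bit feature vectors); bob's is the bitwise complement of alice's.
ALICE_TEMPLATE = 0x5A5A_F00D_CAFE_1234
BOB_TEMPLATE = ALICE_TEMPLATE ^ 0xFFFF_FFFF_FFFF_FFFF


class UserStore:
    def __init__(self):
        # username -> {"template": int, "salt": bytes, "pw_hash": bytes}
        self._users = {}

    def enroll(self, username, template, password):
        """Store a biometric template plus a salted, stretched password hash."""
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = {"template": template, "salt": salt, "pw_hash": pw_hash}

    def identify(self, probe_template):
        """IDENTIFICATION only: return the closest enrolled user within the
        threshold, or None. This says who the finger resembles, nothing more."""
        best = None
        for name, rec in self._users.items():
            distance = bin(rec["template"] ^ probe_template).count("1")  # Hamming distance
            if distance <= MATCH_THRESHOLD and (best is None or distance < best[1]):
                best = (name, distance)
        return best[0] if best else None

    def authorize(self, username, password):
        """AUTHORIZATION: the claimed user must prove knowledge of the password."""
        rec = self._users.get(username)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, rec["pw_hash"])  # constant-time compare


def login(store, probe_template, password):
    """Return the username on success, None otherwise. The biometric picks the
    account; only the password grants access."""
    user = store.identify(probe_template)
    if user is None:
        return None
    return user if store.authorize(user, password) else None


def build_demo_store():
    store = UserStore()
    store.enroll("alice", ALICE_TEMPLATE, "I Like Ice Cream!")
    store.enroll("bob", BOB_TEMPLATE, "correct horse battery")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    noisy_alice = ALICE_TEMPLATE ^ 0b1011            # 3 bits off: a normal, slightly noisy read
    print("identified as:", store.identify(noisy_alice))
    print("copied finger, no password:", login(store, ALICE_TEMPLATE, ""))
    print("finger + password:", login(store, noisy_alice, "I Like Ice Cream!"))
```

Because `identify()` only selects an account and `authorize()` never looks at the template, a captured or printed fingerprint on its own yields nothing the attacker could not already get by typing the username; the secret that grants access stays the password, which can be changed or, conveniently, forgotten.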
Information for this post came from the Security Now podcast, episode 550.