Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Guest View: Biometrics: Is it enough to wave away privacy threats?

Guillaume Lovet | Oct. 28, 2013
While Apple’s biometric approach is not foolproof, the good news is that the iPhone 5s has elicited mass interest in the possibility of moving away from typical single-factor authentication and into multi-factor authentication.

            Threats to personal and organisational privacy have evolved to such a degree that traditional forms of security such as straightforward password protection have become alarmingly insufficient. Nowadays, hackers and other malicious entities can easily break through codes in a matter of seconds via complex programs and sophisticated hardware or by 'brute force' cracking.

            Multi-factor authentication (MFA) is an offshoot of more aggressive efforts to ward off privacy threats. In this security approach, two or more of three authentication factors (knowledge, possession and inherence) are required to establish identity. The knowledge factor refers to "something only the user knows," such as a password or pattern. A possession factor, on the other hand, is "something only the user has," such as a mobile phone or an ATM card. Finally, an inherence factor is "something only the user is," which refers to biometric characteristics such as a fingerprint.

            The introduction of the iPhone 5s, the latest smartphone developed by technology giant Apple, has stirred great public interest over the effectiveness of biometrics - the inherence factor - to stave off privacy attacks. The new device contains a new biometric fingerprint reader known as TouchID which is built into the home button of the iPhone 5s to detect and verify a user's fingerprint via capacitive touch. This function now brings two-factor authentication from the exclusive domain of the enterprise down to the reach of the smartphone-loving masses. A lot of people are excited over Apple's implementation of Touch ID, viewing the technology as something new and fresh and likely hard to defeat.

            Dedicated data storage area

            Apple explains that the iPhone 5s' new A7 processor has a tough, dedicated data storage area that is difficult to attack. However, a successful breach into this secure layer would render biometric authentication useless. A cyber criminal that successfully implants a Trojan into the phone would find no difference between cracking a fingerprint code and a password, as a scanned fingerprint is stored as a series of 0s and 1s in the phone.

            Another important thing to note, is Apple's statement that Touch ID scans sub-epidermally, with no mention of sub-dermal capability. This means that the advanced capacitance sensor embedded in the device in essence takes a high-resolution image of fingerprints from the sub-epidermal layers of the skin. This is already how typical capacitance sensors work more or less: a more secure method would be to scan at the sub-dermal level beneath the skin where the veins and arteries are. Apple's initial implementation of biometrics, then, appears more of a tool of convenience that enables users to avoid passwords at their preference.

            In fact, a German group was able to work around Touch ID security just days after the iPhone 5s launch. They took a fingerprint of a user photographed from a glass surface and then created a fake fingerprint which they placed into a thin film and pressed onto the device with a real finger to unlock the phone. Touch ID certainly does work, and work well, but you should not rely upon it to protect the digital assets on your phone. Apple needs to push out an iOS update that allows users of TouchID to further secure their devices by enabling proper two-factor authentication with both a scan and a password.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.