In the news recently there’s been no shortage of opinion over the new fingerprint scanning feature of the Apple iPhone 5S smartphone, and sadly much of the information has been either factually incorrect or has exploited the recent mass-consumer paranoia when it comes to Privacy.
So let’s clear up some of these misunderstandings and take a look at what biometric security really is, what it’s good for and some of the pitfalls especially in comparison to what we’re all familiar with – passwords.
In the security world we have a thing called “Access Control” which describes any number of methods used to allow only authorised users to access a system. Within this field of research there are three types of criteria that a system can authenticate a user with (that is, to distinguish one user from another):
- “Something you know” – such as your PIN, password, Mother’s Maiden Name etc.
- “Something you have” – such as your Credit Card, Smartphone, or your house key etc.
- “Something you are” – such as a fingerprint, eye-scan, or even your DNA etc.
You might have heard the term “two factor authentication” and this simply refers to any two of the three shown above. For example, when you use an Automatic Teller Machine (ATM) you’re using two factors of authentication – one is your Access or Credit Card that you “have”, and the second is the PIN that you “know”.
Many of us, however, are unfamiliar with the “something you are” factor which gets implemented in the form of “Biometrics” – this is the ability to measure some part of you, as a human, and use it to identify you uniquely; or at least close enough to distinguish you from a large population of random people.
The science of Biometrics has actually been in use since the late 1800’s, well before computers, when Fingerprinting was discovered as a way of identifying us all quite uniquely and remains by far one of the most used crime-fighting tools to this day.
Sadly, this is where much of the confusion (and paranoia) prevails, when we start comparing the type of fingerprinting used by law enforcement to that used in Access Control systems like that seen in the iPhone 5S. The two could not be more different!
When your favourite CSI Miami star lifts a fingerprint at the scene of a crime, it must be presented in a court of law and it must categorically link back to the suspect it belongs to without question. It will be scrutinised and analysed carefully by a human trained in forensic examination, capable of distinguishing the tiniest differences; and the consequences of getting it wrong can put an innocent person in jail!
Contrast that to a computer based fingerprint reader that only needs to determine if a scanned finger matches against a stored one on file. While on the surface both seem similar, the burden of proof is nowhere near the same – and adding to that, it turns out computers are nowhere near as good at reading and discerning fingerprints as us humans are.
Which brings me to one of the most popular misconceptions floating about. A computer or smartphone doesn’t need to store a photographic image of your fingerprint to authenticate you, which means there’s little risk of data leakage allowing someone on the other side of the world being able to make a replica of your finger out of latex.
Good biometric technologies use a different kind of fingerprinting known as cryptographic “hashes” that reduce your scanned fingerprint into a digital signature. The signature on its own is random and worthless, and may not even be the same between devices even when the same finger is used – and it is technically impossible to reconstruct your original fingerprint from it.
Moreover, in Biometric technology there are two major imperfections that continue to plague all implementations to this day.
- False Acceptance Rate – the number of times a reader will accept an imposter.
- False Rejection Rate – the number of times a reader will reject the genuine person.
These two problems with fingerprint scanners and other biometric readers mean that sometimes an imposter can fool the reader as has already been claimed on the iPhone 5S. And sometimes the reader will not work which can be annoying to the real person. Getting this technology right continues to be the art of striking balance between these two forces.
But these issues are of no surprise at all to well informed security experts. In fact, Apple openly acknowledge that their Touch ID fingerprint security technology has a false acceptance rate of about 1 in 50,000.
It means that if you passed your brand new iPhone 5S around at a big rock concert with over 50,000 attendees, chances are someone else’s finger or thumb would be able to unlock it!
But guess what… it would take no more than 9,999 people to guess your PIN, right? So already we’re talking about security that is potentially 5 times better than what you currently have.
In fact, with more than 50 percent of smartphone users not using any kind of passcode, hopefully technologies like Apple’s Touch ID will make it much easier for people to start getting serious about securing their devices with little effort (not that using a passcode is much effort for those who already do!).
Firstly, I’d say that anything is possible in the future. We just never know if some of the current limitations to Biometric security will be solved – but if they are, the complex issues and Privacy implications that would arise of having a technology that could unequivocally identify you without error would be enormous and may take generations to resolve.
Secondly, the one thing that passwords have as an advantage is that unlike many things in life they are absolutely free. And implementing password security, when done properly, can provide just as good a level of security as anything else; either on their own and of course when combined together with the other two factors.
If anything, it seems that the biggest winners to improvements in the area of Biometric security, at least with the iPhone 5S, will be those people who are already quite lazy when it comes to Password security!
Until next time, stay safe out there.