Smartphone authentication: is biometric technology ready to replace PINs and passwords?
NB: this doesn’t cover anything like the full range of known smartphone authentication technologies: it’s an expanded version of responses to a recent query regarding specific technologies, and a request for commentary on more abstract issues.
Karenina Velandia recently asked us (or more specifically ESET UK) on behalf of BBC Mundo (The BBC World Service’s Spanish Service), for commentary relevant to an article (in Spanish) she was working on regarding the safety and effectiveness of technologies available for the locking of mobile devices.
Her questions concerned four main technologies:
- Biometric authentication by fingerprint
- Biometric authentication by iris recognition
- ‘On body’ detection, an Android feature described here
- ‘Traditional password’
The following is essentially my commentary with some material added for clarification.
Fingerprint scanning is far from new, of course. It’s a method that’s often been used to log into laptops, as well as getting physical access to buildings or rooms.
The effectiveness of fingerprint biometrics is very dependent on the quality of the scanning hardware and the app behind it. Many such technologies have been considered vulnerable to compromise because the scanner may be fooled by a ‘lifted’ fingerprint or even a ‘fake’ or amputated finger, but again that doesn’t really help an everyday opportunist thief. On the other hand, various physical issues may result in a fingerprint scanner being unable to authenticate a legitimate user. But then, a legitimate user might also forget his passcode. So in that case it becomes a matter of how a provider deals with a failure of legitimate authentication.
Iris recognition is based on the assumption that unique complex patterns can be found by automated analysis of video images of an individual’s iris(es). This is also dependent on the quality of the scanning hardware as well as the software. Some phone components alleged to be capable of doing it reliably have been available for a while, but their effectiveness is hard to determine: in fact, I don’t know of any phones currently using the approach, but that doesn’t mean they don’t exist: I’m something of a smartphone Luddite. Iris recognition is, in principle, probably harder to spoof than a fingerprint, unless you’re Tom Cruise. Though I think the technology used for identification in Minority Report was actually retinal scanning, a similar technology that’s now far less common. 😉
On-body detection is a smart-locking technology introduced by Google for Android mobile devices. My understanding is that it simply locks the phone when the accelerometer indicates that the phone isn’t being carried. It isn’t an alternative authentication method, any more than locking the phone after n minutes is: it simply activates whatever authentication mechanism is already in place. In fact, it could actually make the phone more vulnerable to misuse if the phone is passed to someone else or taken by a pickpocket.
The ‘traditional’ password is a string of characters used to authenticate, providing access to a location or resource. Depending on implementation, the characters that comprise the string might be digits, alphabetical, punctuation and other special characters, or – more likely – a mixture. The term passcode is usually used more or less synonymously with PIN (Personal Identification Number) where only numeric characters are used.
Sorry, but I’m going to quote myself (writing for an independent blog, not WeLiveSecurity):
In some ways, the combination of a good passcode or password and a limit on the number of retries is hard to beat (in the absence of alternative approaches such as offline brute-force or guessing attacks). [Obviously, if password and account identifier pairs are disclosed by some other means, such as when a service provider’s credentials database is breached, all bets are off.] … smart phones tend to have an option to erase data and/or render the phone inaccessible after a set number of unsuccessful passcode entry attempts. … So it would seem that avoiding a fairly small subset of common PINs should keep you fairly safe where this combination of defences applies.
(I’m not, of course, suggesting that you shouldn’t use better authentication technologies where they are available, and I certainly don’t suggest that multi-factor authentication is a bad idea.)
In other words, normally even a 4-digit PIN is reasonably safe if it’s not one a commonly-used/stereotyped PINs – my paper here talks about what strategies people use and draws on some data about common choices – and the number of attempts to enter the PIN allowed is restricted –and credentials haven’t been disclosed via other means (e.g. breach of a service provider’s database). The same applies to longer passcodes, alphanumeric passwords (especially if other characters can be used), but obviously the choice is wider. NB, most password/passcode breaches are based on offline cracking of databases rather than guessing at an individual’s password like they do in the movies…
However, the device described here bypasses a mechanism specific to one brand of smart phone for restricting the number of attempts. However, it’s not something that every phone thief will have in his back pocket. There are actually other techniques used by forensic investigators that can be very effective for breaking into smart phones, and that may work irrespective of the authentication used, but we’re talking about specialized tools rather than what’s available to an opportunist thief.
The original enquiry also referred to ‘Finger shape sliding’, presumably referring to the Android mechanism Righard Zwienenberg mentioned back in 2012. The article suggests that PINs and drawing a ‘letter or other symbol’ on the screen are subdivisions of the same category. I’m not convinced that this is the case, but there is a similarity between drawing a line-picture by sequentially tapping or swiping points on a 9-point grid and the kind of ergonomic password/passcode selection strategy based on perceptions of patterns in keyboard layouts. (As Righard pointed out, there are in fact variations on this approach: in particular he mentioned the ‘floating touch’ technology, which addresses the possibility of physical trace left on the screen by pattern swiping, and also talks about smart tags, which weren’t mentioned in the BBC article at all.)
Interesting as all this is, it has to be said that – as with other computer technologies – telephone authentication is compromised by the fact that most technologies, aiming to put the least strain possible on the consumer, are intended to provide a simple, single authentication technology rather than more secure but less convenient multi-factor technologies. And don’t get me started on BYOD.
In fact, some days after the BBC article appeared, an enquiry from the Times did get me started on BYOD. The following was my response to several issues raised.
The increased use of some form of biometrics for mobile devices has probably increased consumer awareness and to some extent allowed a wider range of options. This isn’t altogether a good thing:
- There is a tendency for the promotion of one technology intended to supersede another (i.e. passwords and passcodes), rather than promoting multi-factor authentication to avoid a single point of failure. This is, I suppose, an inevitable consequence of consumerisation: even in business environments, security tends to compromised to some extent by convenience. For the consumer, if there is no IT unit or CISO pressure to comply with policies and mandated requirements, convenience may seem far more important, especially as they will tend to think in terms of the loss of the hardware and less about the potential ill-effects of the loss of data, credentials etc.
- Corporate – and especially governmental – use of biometrics tends to involve the use of sophisticated and expensive hardware and (Which may be why biometrics isn’t as ubiquitous as it was expected to be 20 years ago, say). The effective transplanting of biometrics to mobile devices is an expensive exercise, and could be compromised by hardware limitations, or the cost of upgrading hardware to enable the best use of the technology. The impact of these issues is likely to rebound onto corporate security where Bring Your Own Device culture (or its more rational sibling Choose Your Own Device) holds sway. At that point, the issue goes beyond the loss of a personal device and even of sensitive personal data into the realm of potential corporate fraud, industrial espionage, and other breaches of security and privacy.
David “actually, my phone is pretty dumb” Harley
ESET Senior Research Fellow