Rumored iOS Fingerprint Sensor Would Boost Mobile Security

Movies tend to paint fingerprint sensors as high-security devices used only to protect military installations -- devices whose security, however, can easily be circumvented by the crafty protagonist.

With the hyperactive Apple rumor mill predicting a fingerprint sensor in a future iPhone, the biometric technology could finally get the boost it needs to become widely adopted. The sensors, if delivered with Apple's typical panache, would likely raise the overall security of smartphones by making a common level of protection widely available, says Chace Hatcher, CEO of Diamond Fortress Technologies, a Birmingham, Ala., startup focusing on allowing the rear-facing camera to act as a fingerprint sensor.

"If Apple releases a fingerprint sensor, it will give a boost to the whole concept of the mobile wallet and having good security on the phone," he says.

Biometric security, in general, and fingerprint sensors, in particular, have had a hard time cracking the consumer code. While such technologies promise easier authentication with greater security than typical passwords, a variety of problems have plagued implementations. While promising convenience, false negatives -- where the user's biometric is not recognized -- have been common. In addition, security issues with such a key authentication technology can cause problems: Last year, security firm Elcomsoft found that the widely used UPEK fingerprint sensors stored users' passwords in poorly obfuscated plain text in the Windows registry, essentially breaking the Windows security model.

Yet Apple's purchase of biometric technology firm AuthenTec in 2012 may mean that change is coming. Late last year, Apple was granted patents on using biometric technology on the iPhone in a two-step unlock process similar to the current method that allows users to unlock their phones via a personal identification number, or PIN.

[A new security startup is building an authentication model with what it describes as a "human" approach that doesn't use biometrics, passwords or passcodes. See Startup To Offer 'Human' Authentication.]

While Apple's patent filings show that the iPhone could work with any biometric -- fingerprint and facial recognition are shown -- fingerprints tend to be the most reliable, says Jamie Cowper, senior director of business development for authentication provider Nok Nok Labs.

"Fingerprint sensors -- they are better today than voice and face," Cowper says. "They are harder to spoof. It is always possible on a one-to-one basis, but not at scale."

Securely implemented biometric authentication would only use the biometric -- whether a fingerprint, a facial image, or a voice recording -- to unlock credentials in a local vault on the device that would then be used for authentication. No biometric data -- or data derived from a biometric, such as a hash -- would be communicated over the Internet. In many ways, the model is similar to a password vault, such as LastPass or 1Password, where a single strong password protects access to many other strong passwords.

Yet the real test will be how easy the technology is to use. Any technology that does not improve the user experience will fail, says Troy Vennon, director of the Mobile Threat Center at Juniper Networks.

"If you put a technology in front of the access to the device, in front of people's ability to complete their work, it better work or they are going to go around it," Vennon says.

Six out of every 10 people do not have a PIN on their phones because it makes the devices slower to use, according to Frost & Sullivan, a research firm. Yet if e-commerce providers and banks begin recommending that users enable their fingerprint sensors, the technology could take off, the analyst firm stated earlier this month.

Meanwhile, passwords -- and the reliance on users to choose good passwords -- continues to pose serious security issues for both online providers and the users themselves. While a fingerprint sensor will not protect a smartphone from the most common threats -- being lost of stolen -- it will better secure online transactions than using a common four-digit PIN code.

"In the end, I think it is a foregone conclusion that fingerprint biometrics will replace passwords and PINs," Diamond Fortress's Hatcher says. "I think biometrics is going to make those mechanisms go the way of the dodo."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.