Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:57 AM

Rumored iOS Fingerprint Sensor Would Boost Mobile Security

While not the first mobile phone maker to put a fingerprint sensor on a smartphone, Apple's adoption could make a higher level of security more convenient

Movies tend to paint fingerprint sensors as high-security devices used only to protect military installations -- devices whose security, however, can easily be circumvented by the crafty protagonist.

With the hyperactive Apple rumor mill predicting a fingerprint sensor in a future iPhone, the biometric technology could finally get the boost it needs to become widely adopted. The sensors, if delivered with Apple's typical panache, would likely raise the overall security of smartphones by making a common level of protection widely available, says Chace Hatcher, CEO of Diamond Fortress Technologies, a Birmingham, Ala., startup focusing on allowing the rear-facing camera to act as a fingerprint sensor.

"If Apple releases a fingerprint sensor, it will give a boost to the whole concept of the mobile wallet and having good security on the phone," he says.

Biometric security, in general, and fingerprint sensors, in particular, have had a hard time cracking the consumer code. While such technologies promise easier authentication with greater security than typical passwords, a variety of problems have plagued implementations. While promising convenience, false negatives -- where the user's biometric is not recognized -- have been common. In addition, security issues with such a key authentication technology can cause problems: Last year, security firm Elcomsoft found that the widely used UPEK fingerprint sensors stored users' passwords in poorly obfuscated plain text in the Windows registry, essentially breaking the Windows security model.

Yet Apple's purchase of biometric technology firm AuthenTec in 2012 may mean that change is coming. Late last year, Apple was granted patents on using biometric technology on the iPhone in a two-step unlock process similar to the current method that allows users to unlock their phones via a personal identification number, or PIN.

[A new security startup is building an authentication model with what it describes as a "human" approach that doesn't use biometrics, passwords or passcodes. See Startup To Offer 'Human' Authentication.]

While Apple's patent filings show that the iPhone could work with any biometric -- fingerprint and facial recognition are shown -- fingerprints tend to be the most reliable, says Jamie Cowper, senior director of business development for authentication provider Nok Nok Labs.

"Fingerprint sensors -- they are better today than voice and face," Cowper says. "They are harder to spoof. It is always possible on a one-to-one basis, but not at scale."

Securely implemented biometric authentication would only use the biometric -- whether a fingerprint, a facial image, or a voice recording -- to unlock credentials in a local vault on the device that would then be used for authentication. No biometric data -- or data derived from a biometric, such as a hash -- would be communicated over the Internet. In many ways, the model is similar to a password vault, such as LastPass or 1Password, where a single strong password protects access to many other strong passwords.

Yet the real test will be how easy the technology is to use. Any technology that does not improve the user experience will fail, says Troy Vennon, director of the Mobile Threat Center at Juniper Networks.

"If you put a technology in front of the access to the device, in front of people's ability to complete their work, it better work or they are going to go around it," Vennon says.

Six out of every 10 people do not have a PIN on their phones because it makes the devices slower to use, according to Frost & Sullivan, a research firm. Yet if e-commerce providers and banks begin recommending that users enable their fingerprint sensors, the technology could take off, the analyst firm stated earlier this month.

Meanwhile, passwords -- and the reliance on users to choose good passwords -- continues to pose serious security issues for both online providers and the users themselves. While a fingerprint sensor will not protect a smartphone from the most common threats -- being lost of stolen -- it will better secure online transactions than using a common four-digit PIN code.

"In the end, I think it is a foregone conclusion that fingerprint biometrics will replace passwords and PINs," Diamond Fortress's Hatcher says. "I think biometrics is going to make those mechanisms go the way of the dodo."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...