
8/29/2013
12:57 AM

Rumored iOS Fingerprint Sensor Would Boost Mobile Security

While not the first mobile phone maker to put a fingerprint sensor on a smartphone, Apple's adoption could make a higher level of security more convenient

Movies tend to paint fingerprint sensors as high-security devices used only to protect military installations -- devices whose security, however, can easily be circumvented by the crafty protagonist.

With the hyperactive Apple rumor mill predicting a fingerprint sensor in a future iPhone, the biometric technology could finally get the boost it needs to become widely adopted. The sensors, if delivered with Apple's typical panache, would likely raise the overall security of smartphones by making a common level of protection widely available, says Chace Hatcher, CEO of Diamond Fortress Technologies, a Birmingham, Ala., startup focusing on allowing the rear-facing camera to act as a fingerprint sensor.

"If Apple releases a fingerprint sensor, it will give a boost to the whole concept of the mobile wallet and having good security on the phone," he says.

Biometric security, in general, and fingerprint sensors, in particular, have had a hard time cracking the consumer code. While such technologies promise easier authentication with greater security than typical passwords, a variety of problems have plagued implementations. Despite the promised convenience, false negatives -- where the user's biometric is not recognized -- have been common. In addition, security issues with such a key authentication technology can cause problems: Last year, security firm Elcomsoft found that the widely used UPEK fingerprint sensors stored users' passwords in poorly obfuscated plain text in the Windows registry, essentially breaking the Windows security model.

Yet Apple's purchase of biometric technology firm AuthenTec in 2012 may mean that change is coming. Late last year, Apple was granted patents on using biometric technology on the iPhone in a two-step unlock process similar to the current method that allows users to unlock their phones via a personal identification number, or PIN.


While Apple's patent filings show that the iPhone could work with any biometric -- fingerprint and facial recognition are shown -- fingerprints tend to be the most reliable, says Jamie Cowper, senior director of business development for authentication provider Nok Nok Labs.

"Fingerprint sensors -- they are better today than voice and face," Cowper says. "They are harder to spoof. It is always possible on a one-to-one basis, but not at scale."

Securely implemented biometric authentication would only use the biometric -- whether a fingerprint, a facial image, or a voice recording -- to unlock credentials in a local vault on the device that would then be used for authentication. No biometric data -- or data derived from a biometric, such as a hash -- would be communicated over the Internet. In many ways, the model is similar to a password vault, such as LastPass or 1Password, where a single strong password protects access to many other strong passwords.
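The vault model described above can be sketched in a few lines. This is an added example, not code from any vendor named in the article: the 64-bit feature vector, the match threshold, and the `LocalVault`, `Site` and `login` names are hypothetical, and the per-site credential is modeled as a random HMAC key. The fingerprint is only compared on the device, and what crosses the network is a challenge and a response computed from a key unrelated to the biometric.

```python
import hashlib
import hmac
import secrets

MATCH_THRESHOLD = 6  # assumed: max differing bits (of 64) still accepted as a match

def hamming(a: int, b: int) -> int:
    """Number of differing bits between two feature vectors."""
    return bin(a ^ b).count("1")

class LocalVault:
    """On-device store: the template and the per-site keys never leave it."""

    def __init__(self, enrolled_template: int):
        self._template = enrolled_template
        self._keys = {}  # site name -> random key, not derived from the biometric

    def register(self, site: str) -> bytes:
        """Create a random per-site key; the site learns this key, not the print."""
        self._keys[site] = secrets.token_bytes(32)
        return self._keys[site]

    def respond(self, site: str, challenge: bytes, sample: int):
        """Match the fresh sample locally; answer the challenge only on a match."""
        if hamming(sample, self._template) > MATCH_THRESHOLD:
            return None  # false negative or wrong finger: the vault stays locked
        return hmac.new(self._keys[site], challenge, hashlib.sha256).digest()

class Site:
    """Relying party: holds only the registered key, never biometric data."""

    def __init__(self, key: bytes):
        self._key = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh per login, so responses cannot be replayed

    def verify(self, challenge: bytes, response) -> bool:
        if response is None:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(vault: LocalVault, site: Site, name: str, sample: int) -> bool:
    """One login round trip: server challenge, local match, keyed response."""
    challenge = site.new_challenge()
    return site.verify(challenge, vault.respond(name, challenge, sample))
```

Because fingerprint samples vary between reads, the match is a threshold comparison rather than an exact one, which is why the credential is a separate random key released by the match instead of something computed from the print itself.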

Yet the real test will be how easy the technology is to use. Any technology that does not improve the user experience will fail, says Troy Vennon, director of the Mobile Threat Center at Juniper Networks.

"If you put a technology in front of the access to the device, in front of people's ability to complete their work, it better work or they are going to go around it," Vennon says.

Six out of every 10 people do not have a PIN on their phones because it makes the devices slower to use, according to Frost & Sullivan, a research firm. Yet if e-commerce providers and banks begin recommending that users enable their fingerprint sensors, the technology could take off, the analyst firm stated earlier this month.

Meanwhile, passwords -- and the reliance on users to choose good passwords -- continue to pose serious security issues for both online providers and the users themselves. While a fingerprint sensor will not protect a smartphone from the most common threats -- being lost or stolen -- it will better secure online transactions than using a common four-digit PIN code.

"In the end, I think it is a foregone conclusion that fingerprint biometrics will replace passwords and PINs," Diamond Fortress's Hatcher says. "I think biometrics is going to make those mechanisms go the way of the dodo."
