Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/29/2013
12:57 AM
50%
50%

Rumored iOS Fingerprint Sensor Would Boost Mobile Security

While not the first mobile phone maker to put a fingerprint sensor on a smartphone, Apple's adoption could make a higher level of security more convenient

Movies tend to paint fingerprint sensors as high-security devices used only to protect military installations -- devices whose security, however, can easily be circumvented by the crafty protagonist.

With the hyperactive Apple rumor mill predicting a fingerprint sensor in a future iPhone, the biometric technology could finally get the boost it needs to become widely adopted. The sensors, if delivered with Apple's typical panache, would likely raise the overall security of smartphones by making a common level of protection widely available, says Chace Hatcher, CEO of Diamond Fortress Technologies, a Birmingham, Ala., startup focusing on allowing the rear-facing camera to act as a fingerprint sensor.

"If Apple releases a fingerprint sensor, it will give a boost to the whole concept of the mobile wallet and having good security on the phone," he says.

Biometric security, in general, and fingerprint sensors, in particular, have had a hard time cracking the consumer code. While such technologies promise easier authentication with greater security than typical passwords, a variety of problems have plagued implementations. While promising convenience, false negatives -- where the user's biometric is not recognized -- have been common. In addition, security issues with such a key authentication technology can cause problems: Last year, security firm Elcomsoft found that the widely used UPEK fingerprint sensors stored users' passwords in poorly obfuscated plain text in the Windows registry, essentially breaking the Windows security model.

Yet Apple's purchase of biometric technology firm AuthenTec in 2012 may mean that change is coming. Late last year, Apple was granted patents on using biometric technology on the iPhone in a two-step unlock process similar to the current method that allows users to unlock their phones via a personal identification number, or PIN.

[A new security startup is building an authentication model with what it describes as a "human" approach that doesn't use biometrics, passwords or passcodes. See Startup To Offer 'Human' Authentication.]

While Apple's patent filings show that the iPhone could work with any biometric -- fingerprint and facial recognition are shown -- fingerprints tend to be the most reliable, says Jamie Cowper, senior director of business development for authentication provider Nok Nok Labs.

"Fingerprint sensors -- they are better today than voice and face," Cowper says. "They are harder to spoof. It is always possible on a one-to-one basis, but not at scale."

Securely implemented biometric authentication would only use the biometric -- whether a fingerprint, a facial image, or a voice recording -- to unlock credentials in a local vault on the device that would then be used for authentication. No biometric data -- or data derived from a biometric, such as a hash -- would be communicated over the Internet. In many ways, the model is similar to a password vault, such as LastPass or 1Password, where a single strong password protects access to many other strong passwords.

Yet the real test will be how easy the technology is to use. Any technology that does not improve the user experience will fail, says Troy Vennon, director of the Mobile Threat Center at Juniper Networks.

"If you put a technology in front of the access to the device, in front of people's ability to complete their work, it better work or they are going to go around it," Vennon says.

Six out of every 10 people do not have a PIN on their phones because it makes the devices slower to use, according to Frost & Sullivan, a research firm. Yet if e-commerce providers and banks begin recommending that users enable their fingerprint sensors, the technology could take off, the analyst firm stated earlier this month.

Meanwhile, passwords -- and the reliance on users to choose good passwords -- continues to pose serious security issues for both online providers and the users themselves. While a fingerprint sensor will not protect a smartphone from the most common threats -- being lost of stolen -- it will better secure online transactions than using a common four-digit PIN code.

"In the end, I think it is a foregone conclusion that fingerprint biometrics will replace passwords and PINs," Diamond Fortress's Hatcher says. "I think biometrics is going to make those mechanisms go the way of the dodo."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...