Is Biometrics security enough to shield threats?

Guillaume Lovet, senior manager, FortiGuard Threat Response at worldwide provider of network security appliances Fortinet, discusses multi-factor authentication (MFA) as a way to ward off privacy threats.

By Guillaume Lovet. Published December 28, 2013


Threats to personal and organisational privacy have evolved to such a degree that traditional forms of security such as straightforward password protection have become alarmingly insufficient. Nowadays, hackers and other malicious entities can easily break through codes in a matter of seconds via complex programs and sophisticated hardware or by ‘brute force’ cracking.

Multi-factor authentication (MFA) is an offshoot of more aggressive efforts to ward off privacy threats. In this security approach, two or more of three authentication factors (knowledge, possession and inherence) are required to establish identity. The knowledge factor refers to ‘something only the user knows’, such as a password or pattern. A possession factor, on the other hand, is ‘something only the user has,’ such as a mobile phone or an ATM card. Finally, an inherence factor is ‘something only the user is,’ which refers to biometric characteristics such as a fingerprint.

The introduction of the iPhone 5s, the latest smartphone developed by technology giant Apple, has stirred great public interest over the effectiveness of biometrics – the inherence factor – to stave off privacy attacks. The new device contains a new biometric fingerprint reader known as Touch ID, which is built into the home button of the iPhone 5s to detect and verify a user’s fingerprint via capacitive touch. This function now brings two-factor authentication from the exclusive domain of the enterprise down to the reach of the smartphone-loving masses. Apple explains that the iPhone 5s’ new A7 processor has a tough, dedicated data storage area that is difficult to attack. However, a successful breach of this secure layer would render biometric authentication useless. A cybercriminal who successfully implants a Trojan into the phone would find no difference between cracking a fingerprint code and a password, as a scanned fingerprint is stored as a series of 0s and 1s in the phone.

Another important point is Apple’s statement that Touch ID scans sub-epidermally, with no mention of sub-dermal capability. This means that the advanced capacitance sensor embedded in the device in essence takes a high-resolution image of fingerprints from the sub-epidermal layers of the skin. This is more or less how typical capacitance sensors already work; a more secure method would be to scan at the sub-dermal level beneath the skin, where the veins and arteries are. Apple’s initial implementation of biometrics, then, appears to be more of a convenience tool that lets users avoid passwords if they prefer.

In fact, a German group was able to work around Touch ID security just days after the iPhone 5s launch. They took a fingerprint of a user photographed from a glass surface and then created a fake fingerprint which they placed into a thin film and pressed onto the device with a real finger to unlock the phone. Touch ID certainly does work, and work well, but you should not rely upon it to protect the digital assets on your phone. Apple needs to push out an iOS update that allows users of Touch ID to further secure their devices by enabling proper two-factor authentication with both a scan and a password.

In addition, people usually don’t communicate their fingerprints to third parties. Our fingerprints are in biometric passports, so they are known to our own governments, but that’s usually about all. With Apple’s Touch ID, aren’t we making it easier for cybercriminals to get our fingerprints (and re-sell them on the black market for whatever nefarious intent)? Additionally, our fingerprints are not replaceable: once they have been compromised, there is no way back. It’s not like a key pair; we can’t just generate a new one.

While Apple’s biometric approach is not foolproof, the good news is that the iPhone 5s has elicited mass interest in the possibility of moving away from typical single-factor authentication and into multi-factor authentication. In its Mid Year Threat Report, Fortinet’s FortiGuard Labs mentioned that two-factor authentication is expected to replace the single-password sign-on security model.
