Another day, another modern nightmare. HTC was caught storing fingerprint biometric data in a world-readable image file. One implication is that you would have to change your fingerprint. Well, I assume you still have 9 more fingers to choose from.

Biometric security is the most intimate security we have to identify ourselves; it never changes. Wait. If we do not change our passwords, that is considered bad practice. If we use a credential that physically cannot be changed, what does that mean? There may be only one of you, but there may be many security gateways that verify your identity using this one method. Each gateway ultimately converts the real-world data into a series of 1s and 0s through a sensor and sends that data to a central processing unit, where it is compared with the reference data linked to your identity. If it matches closely enough, the system is statistically satisfied and agrees that you are who you claim to be. Biometric security is definitely convenient, but it is increasingly losing its support as a key security method.

Let’s not forget how quickly hackers jumped on Apple’s TouchID (fingerprint) sensor. The difference is in the vector of attack. In both cases you steal the actual fingerprint: either the physical fingerprint, as shown in the MythBusters video, or, in HTC’s case, the stored image of the fingerprint, which, as the researchers put it, “Any unprivileged processes or apps can steal … by reading this file”.
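The HTC flaw was not in the sensor but in how the template file was stored. As an added example (not code from the original post or from HTC), the following Python audits a stored template file for the permission bits that would let any other account read it, and shows how to create the file owner-only from the start. The file names and template bytes are constructed for the example; it assumes a POSIX filesystem.

```python
"""Added example (not from the original post): refuse to trust a biometric
template file that other users or apps can read, and create such files with
owner-only permissions from the outset. Paths and contents are constructed."""
import os
import stat
import tempfile

# Permission bits that would let any other account on the device read the file.
OTHERS_READABLE = stat.S_IRGRP | stat.S_IROTH
OTHERS_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def template_file_exposure(path: str) -> list[str]:
    """Return a list of storage problems; an empty list means the file is a
    regular file we own that only the owner can read or write."""
    st = os.lstat(path)  # lstat: never follow a symlink planted at the path
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink or special file)")
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    if st.st_mode & OTHERS_READABLE:
        problems.append("readable by group or others")
    if st.st_mode & OTHERS_WRITABLE:
        problems.append("writable by group or others")
    return problems


def store_template(path: str, data: bytes) -> None:
    """Create the file with mode 0600 at creation time, so there is no window
    in which it exists with a permissive default mode. O_EXCL refuses to
    overwrite (or follow) anything already sitting at the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Write the same constructed template two ways and audit both."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "world_readable.bmp")
    good = os.path.join(d, "owner_only.bmp")
    with open(bad, "wb") as f:  # default mode, typically 0644 after umask
        f.write(b"CONSTRUCTED-TEMPLATE")
    os.chmod(bad, 0o644)  # pin the mode so the result does not depend on umask
    store_template(good, b"CONSTRUCTED-TEMPLATE")
    return {"bad": template_file_exposure(bad), "good": template_file_exposure(good)}


if __name__ == "__main__":
    for name, issues in demo().items():
        print(name, "->", issues or "ok")
```

The check on `st_uid` and the `lstat` call matter as much as the mode bits: a template file the loader does not own, or a symlink at the expected path, should be rejected rather than opened.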

Beyond all the negative hype, biometric security is complex. A complex self-standing system has many potential weaknesses and attracts many vectors of attack, from sensor tampering all the way to the security of the backend storage of identity data.

It should only be used as an added layer of identification, as one part of multi-factor authentication. To be really secure, each factor is verified by its own secure remote authentication service. Identity data should be segregated from the production system.

For example, SAML 2.0 password authentication from security provider A, TOTP authentication from security provider B and biometric authentication from provider C. Only when all forms of authentication succeed (all tokens received) does the local system authenticate the user and grant access to the local system.
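As an added example (not code from the original post), the following Python sketches the local side of that arrangement: three independent providers each sign a token, and the local system grants access only when a valid, fresh token from every provider is present and all of them name the same subject. The provider names, the HMAC-signed token format and the subject names are constructed for the example; in a real deployment `verify_token` would be replaced by SAML, TOTP and biometric-provider verification, and the local system would hold only the verification material, never the identity data itself.

```python
"""Added example (not from the original post): fail-closed aggregation of
three independent authentication factors. Providers, keys, token format and
subjects are constructed for illustration."""
import hashlib
import hmac
import json

# One signing key per provider. The local system keeps only these
# verification secrets; reference identity data stays with each provider.
PROVIDER_KEYS = {
    "password-idp":  b"constructed-key-A",  # provider A: SAML 2.0 password login
    "totp-service":  b"constructed-key-B",  # provider B: TOTP
    "biometric-svc": b"constructed-key-C",  # provider C: biometric
}
REQUIRED_FACTORS = frozenset(PROVIDER_KEYS)
TOKEN_LIFETIME = 300  # seconds a provider token stays acceptable


def issue_token(provider: str, subject: str, now: float) -> str:
    """Simulate provider-side issuance: JSON claims plus an HMAC over them."""
    payload = json.dumps({"iss": provider, "sub": subject, "iat": now}, sort_keys=True)
    sig = hmac.new(PROVIDER_KEYS[provider], payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token: str, now: float):
    """Return (provider, subject) if signature and age check out, else None."""
    payload, _, sig = token.rpartition(".")
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    key = PROVIDER_KEYS.get(claims.get("iss"))
    if key is None or not isinstance(claims.get("sub"), str):
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - TOKEN_LIFETIME <= iat <= now):
        return None  # stale or future-dated token
    return claims["iss"], claims["sub"]


def authenticate(tokens: list[str], now: float) -> tuple[bool, str]:
    """Fail closed: every required factor must be present, valid, and bound
    to the same subject. Any defect denies access."""
    seen = {}
    for t in tokens:
        result = verify_token(t, now)
        if result is None:
            return False, "invalid or expired token"
        provider, subject = result
        if provider in seen:
            return False, "duplicate token from " + provider
        seen[provider] = subject
    missing = REQUIRED_FACTORS - set(seen)
    if missing:
        return False, "missing factor(s): " + ", ".join(sorted(missing))
    if len(set(seen.values())) != 1:
        return False, "tokens do not all name the same subject"
    return True, "access granted to " + next(iter(seen.values()))


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    full = [issue_token(p, "alice", t0) for p in PROVIDER_KEYS]
    print(authenticate(full, t0))        # all three factors: granted
    print(authenticate(full[:2], t0))    # biometric token missing: denied
```

The subject check is the easily forgotten part: three valid tokens are not enough if the password factor says "alice" and the biometric factor says "bob", so the local system must also confirm that every provider authenticated the same person before it lets anyone in.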

It is not often that we can credit Hollywood for giving us sound security pointers. I remember seeing the famous 2006 MythBusters episode where they challenged fingerprint scanners and won. Another famous Hollywood portrayal of an early biometric security flaw (using voice recognition or keypad security, with a bonus social engineering trick thrown in) was the 1992 all-star film Sneakers, with Sidney Poitier and Robert Redford (and my all-time favourite).

So I hope system implementors will find a solution to this and stop forcing us to try to change fingers, because it seems we will probably see more fingerprint scanners in the future of our personal devices (Fingerprint Sensors Market in Smart Mobile Devices 2012-2019).