Let’s face it, remembering passwords is a huge problem. As the number of online accounts requiring some level of security we keep grows, remembering the passwords and protecting them becomes an ever greater chore.
Users who can’t remember a password when they need it are either delayed from accessing a service or denied and locked out of their accounts. In either case it’s quite frustrating and doesn’t bode well for the adoption and repeated use of online services. That’s why the Fast Identity Online (FIDO) Alliance wants to create a new method for authentication. As described on its Web site, FIDO wants to develop specifications “that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services.” In other words, FIDO wants to replace the “what you know” aspect of security with the “what you have” aspect of security, and namely in the case of mobile devices – a fingerprint.
Members of FIDO includes PayPal, Lenovo, and Google. So this is a standards organization with some clout. Apparently that will be proven in less than six months time when an Android phone will come to market featuring a fingerprint scanner with FIDO certification.
Of course Apple turned a lot of heads when it launched the iPhone 5s with a fingerprint scanner just last month. Used to unlock the device as well as authorize iTunes and App Store purchases, it will save users from having to key in their password and still enjoy a degree of security. This served as a sort of market field test for FIDO, as they witnessed the reaction to the new technology (even though it’s not the first time a fingerprint scanner has been featured on a phone, the Motorola Atrix had one – but the iPhone is much more popular as a product). Here’s the security and privacy concerns that came up as a result of Apple’s Touch ID and why FIDO may face challenges in seeing mass adoption of fingerprints as security tokens.
Security – it can be hacked
Hackers have claimed victory over the Touch ID security saying it can be easily broken. The crack that many are pointing to is shared by a German group, Chaos Computer Club, which details how they created a fake finger, based on a photo of a fingerprint from the iPhone’s glass surface. Here’s a description of the method:
First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
The hack is demonstrated in a couple of short videos as well as a longer demonstration that showcases the full method. There’s also a step by step tutorial on the club’s site. Below, a demonstration that another person can use a latex mould of a fingerprint to unlock the phone:
Many users may still feel fingerprint security is still good enough. After all, not everyone is adept at making a fake fingerprint out of a latex mould. A fingerprint scan could still protect against access by a casual thief or someone that happens to pick up a lost device. Plus with Apple’s iCloud features, you can remotely lock or wipe a device.
Privacy – the NSA will put me in a database
With the iPhone 5s launching right in the midst of the scandal surrounding the National Security Agency’s (NSA’s) surveillance programs that were overstepping reasonable bounds of privacy, it was inevitable people would both joke about the fingerprint scanner including an NSA backdoor, and seriously fret about it. But the fact is that any useful fingerprint database used for law enforcement has all 10 fingerprints stored in it, not just one or two. Plus, while the iPhone 5s scanner is said to be more detailed than previous scanners on consumer devices, it’s really just storing a few data points to describe that fingerprint, not the detailed scan of it.
For Apple’s part, it says that it doesn’t store fingerprint scans in the cloud, but instead stays on the device. So it would actually be quite difficult for the NSA to collect all those fingerprints from Apple.