Tuesday, May 20, 2014

Security 103: Biometrics for Mobile

Article 3 of 3

In this multipart series, I will examine the various aspects of what we call "security" in the Digital Age, and how we can protect ourselves from the exploits of others.

The Promise of Biometric Security

Biometrics (in relation to digital security) is the ability to recognize unique physical features of your body for the purpose of authenticating identity.  For example, you have unique fingerprints, a unique pattern of blood vessels in your retina, a unique heat signature on your body, a unique face, etc.  The reason biometrics is an area of research and interest - as pointed out in previous Security 100 series articles - is that the old method of user name and password offers a very low level of security (and by "old" I mean it still accounts for more than 90% of authentication methods, but it shouldn't be used anymore!).

Augmenting or replacing the password with biometric identification increases security to the point where only professionals have the know-how, equipment, and funding to break (or hack) your security.  Further, it can even make it easier for the right person to unlock what they need access to.  Instead of having a simple password that is easily remembered and guessed, you can have a very complex one - and use your body to unlock it.  If the device gets into the hands of someone else, they can unlock it only if you give them the password - if not, good luck guessing.

[Image: Apple's Touch ID sensor built into the home button]

When it comes to digital security, advances have been made in recent years in some of these forms of identification.
  • Fingerprint scanners have been widely available on laptops and PC keyboards for many years - however, you have to swipe your finger along a bar.  Apple's new Touch ID recognizes a fingerprint on touch, at any orientation - a major advance.
  • Retina scans have made only small progress toward practical applications - with the dream of Star Trek's "Identify for retina scan... Kirk, Admiral James T." still years away.
  • Facial recognition is offered by some devices.
  • Precious little else has emerged as practical technology.

So, what is available in a mobile device?

Fingerprint Scanners

[Image: An external bar-type fingerprint scanner, also the same type as those built into some notebook models]

The typical fingerprint scanner deployed in computing (PCs and some smartphones) is a flat bar that you swipe your finger across.  If your finger is dirty, or you swipe it unevenly, or at the wrong orientation, or do anything else out of the ordinary, it tends not to work.  Some scanners allow you to place the entire fingertip on a screen and scan it all at once, but these are bulky and do not lend themselves to small devices, especially mobile ones.

One exception, though, is Apple's Touch ID, introduced in the iPhone 5S.  The sensor is ultra-slim and extremely fast.  You place your fingertip on it in any orientation, and it performs a scan using electrical signals that read not just the surface of the skin in contact with the sensor but, via electrical conductance, a bit deeper.  And it does so almost instantly.  This is the type of experience that users find seamless and desirable.

Soon after the iPhone 5S became available, hackers announced they had spoofed Touch ID - but the cost, equipment, and technical expertise required meant that it would not be a common occurrence.

Facial Recognition

While visiting a customer recently, he showed me how his Android phone unlocked the screen when his face was held up to the camera.  However, it took me all of 5 seconds to spoof it, by taking a picture of him with my phone, and holding my phone's screen up to his phone's camera.  I very strongly do not recommend using this feature with any expectation of security.  It is only a convenience to avoid entering your password - so if you only have that expectation, you will be fine.  Also, if you plan on using it while driving, you would have to look at the camera to get the same expression that is recorded, or the accuracy rate drops significantly.  Touch ID, on the other hand, can be done by feel, eyes free, so it appeals to me as a safer technology for use while doing other things.

In addition, facial recognition is very faulty when it comes to image quality, lighting, and other visual issues.  Sometimes it had to be retried - and if you imagine this as a way to unlock your device easily while driving, this is not the way to go.  Then, when you consider how easy it is to reproduce images, or to use makeup and costumes to mimic faces - I don't see this as practical.

Forget Facial Recognition as a viable solution to biometric security.

What Else?

In the absence of any other technology that works well enough, is inexpensive and mass producible, and is small enough to put on a phone (although now you have phablets...ugh, I hate that word and the thought of a communication device too big to fit in your pocket), there really is nothing else in the form of biometric security today.
