...stuff I do and things I like...

Monday, September 25 2017

Biometrics and Smartphones

since I always rant about how I don't like biometrics in smartphones some people have asked me to formulate what I actually would like to see to happen in this area.

My dislike for biometrics is that you cannot change your password anymore because your password is your finger, eye (iris), or face. That means you basically show you password to everybody. A good example of this is here: Politician's fingerprint 'cloned from photos' by hacker.

The second part of the problem is that many biometric systems can be easily bypassed, some face recognition systems even with a picture shown on a smartphone screen.

My main issue is that biometric systems can be bypassed by forcing the owner of the device to unlock it. This can be done without leaving evidence, a funny example of this issue: 7-Year-Old Boy Uses Sleeping Dad's Finger To Unlock iPhone. Also see this interesting case: Court rules against man who was forced to fingerprint-unlock his phone.

The main argument I always hear is that people who wouldn't set a password (or use just a simple PIN) are using biometrics and therefore are more secure now with the help of biometrics. The kid from the previous story wasn't stopped by biometrics it was just as good as not having a password.

What would have stopped the kid from unlocking his dad's phone? A simple timeout! Basically what I want to see is a timeout for your biometrics. Once you entered your password you can unlock your phone using biometrics, after a specific amount of time you have to re-enter your password and cannot unlock the device using biometrics. With a timeout of say 30 minutes to one hour you can prevent simple attacks while still being able to use the convenience of biometrics. Apple recently introduced the SOS mode that will also disable biometric authentication until you enter your password. I wish this was taken one step further and let you set a timeout.

I personally see biometrics on a smartphone as a pure convenience feature and treat it as a weak security feature. I only use it for ApplePay.

I think it is pretty bad to get people used to biometric authentication, Apple may get it right but other companies wont. Normal users can't determine this easily. Also how much did the additional hardware components cost to implement fingerprint authentication or face recognition. FaceID doesn't use a normal camera so there are definitely additional costs that you as the user have to pay for this convenience feature.

Face recognition in consumer products also gets people to accept this as an normal everyday thing and thus helps the argument for face recognition being used in surveillance.