Is Biometric Authentication as Secure as We Initially Believed?

Remember when Apple introduced Touch ID for its devices? Rather than typing a numerical password, a user could program his or her fingerprint into the device to lock and unlock it. Many thought it was a very innovative approach to device security and at the time of its announcement, some believed it was a new era of device security.

Image Credit: Leszek Leszczynski, Flickr

Here are a couple of examples of the announcement coverage around Touch ID:

The fingerprint data is never available to other software, and it is not backed up to Apple's servers, leaving it stored entirely on the device in a secure fashion.

Apple Insider

All fingerprint information is encrypted and stored securely in the Secure Enclave inside the A7 chip on the iPhone 5s; it’s never stored on Apple servers or backed up to iCloud.

Mac Rumors

Following the introduction of Touch ID, other mobile device manufacturers followed suit and added their own fingerprint authentication.

But has fingerprint authentication lived up to the security promise that some hoped for and believed in? Probably not. In reality, it’s likely no more secure than a traditional password. So when we saw the article below, published after the topic was discussed at Black Hat 2015, we weren’t surprised.

Security Experts Warn Against Using Fingerprints as Passwords

One of the researchers quoted in that article, Yulong Zhang of FireEye, stated, "If you leak a password, you can just change it; if you leak a fingerprint, it's lost for your whole life.”

He makes a great point. Add to that the fact that fingerprints are public: they’re on anything you touch, and because a fingerprint can be lifted off most surfaces, they are easy to copy.

As a company that focuses on authentication, we never believed that biometric authentication, such as fingerprint scanning, was the security of the future. That’s not to say it’s all bad. When combined with some other form of authentication, such as a traditional password, biometrics can be good. As a standalone authentication method, though, it doesn’t work as well as we imagine it will.

The real lesson from this article is that the best method for securing access is using multiple forms of authentication. Two-factor authentication should be the baseline. If you can require more than that, even better. Don’t get caught with only one authentication method; that’s a recipe for problems.
