The first mobile device to feature a fingerprint scanner was the Motorola Atrix, which launched in 2011. It used an optical sensor that worked so poorly that Motorola discontinued it in later models.
Motorola Atrix
It wasn’t until Apple launched the iPhone 5s that fingerprint scanners started to receive massive adoption from smartphone users. The iPhone 5s featured a capacitive scanner cleverly located under the home button, and it essentially kicked off the mobile biometrics revolution that eventually commoditized fingerprint and facial recognition down to even the most basic, entry-level models.
Additional biometric modalities were soon added, such as facial recognition, iris scanning, voice and more. While they do provide a smooth, password-less verification experience, there’s a caveat. All biometrics suffer from one fundamental flaw: unlike passwords, which can be replaced, once your biometric features have been compromised and spoofed there is no way to replace them, unless filing off your fingertips or getting facial reconstruction are viable options. This is also why biometric information such as fingerprints is considered extremely private, and why there is a lot of controversy around storing nation-wide, centralized biometric repositories, as they tend to draw a lot of attention from malicious actors. Just consider the hack of India’s biometric repository containing personal information of over a billion citizens. Compromised individuals would never again feel secure using their fingerprints or iris scans as a method of verification, as this data could already be on sale for next to nothing on the dark web, paving the way to identity theft.
The Good
Mobile biometrics have definitely set a new bar for user experience and convenience compared to conventional methods such as passwords and OTPs. Great efforts are made to prevent even the slightest friction, and Face ID is a great example of this. Touch ID already provided an almost seamless experience, as the user merely has to press the HOME button to unlock the device, as they have always done. But Apple continued to invest resources to make this experience even more seamless when they introduced Face ID, which only requires a quick glance and BOOM! The device is unlocked and ready for use. Similar efforts are being made by all device manufacturers; Apple is not alone in this race.
The frictionless factor is not the only one in play here. Users are also not required to memorize passwords when using biometrics, which removes a lot of “mental friction” and the frustration of having to manage multiple passwords. This is not entirely true, though, since mobile biometrics are stored on the device, and any time a user wishes to “bind” a new device to their account they are required to enter their password once more; we’ll touch on that a bit later in the article.
Lastly, there is the security factor: passing around biometrics is a lot more difficult than giving away a password, although in some cases this may not be entirely true, as we will soon describe. In addition, mobile biometrics come with a PIN code fallback, which appears after the biometric system rejects the user. This essentially means that the security level of mobile biometrics is equal to that of a standard 4-digit PIN code.
The Bad
So, what do we have so far? No need to memorize passwords, a frictionless experience and improved security. It seems that the industry has finally figured it out, right? WRONG!
Let’s start with the main limitation of mobile biometrics: since the biometric data used is extremely sensitive, it is problematic to store it in the cloud or in a central location, so these technologies are purely client-based. What this means is that the user needs to re-enroll on every single device they use, as opposed to a one-time enrollment (which is the case with Verifyoo). When re-enrolling on each device, for instance for banking applications, the password is once again required, and along with it come all the problems of password recovery and management.
Biometrics are also susceptible to spoofing (AKA presentation attacks) since they rely on visible features such as the face, fingerprints or voice. One of the most disturbing examples was demonstrated by Jan Krissler, a biometrics specialist from Germany. Jan managed to recreate the iris features required to successfully verify none other than Angela Merkel, the chancellor of Germany. Jan didn’t have to work too hard, as the data was publicly available online for anyone to download and exploit. Link to the article: https://www.scmagazineuk.com/starbugs-eyes-german-hacker-spoofs-iris-recognition/article/1479198
Surprisingly, fingerprints are no different, and Jan also managed to recreate the chancellor’s fingerprint features and bypass the biometric verification. Researchers from Japan even concluded that fingerprint features can be easily extracted from peace-sign selfies; see the article here: https://www.theregister.co.uk/2017/01/12/fingerprint_photographs/
Unsuspecting victim of fingerprint identity theft
Setting aside spoofing issues, biometrics also do not require the user’s consent during the verification process. The perfect example can be seen in this article, where a 7-year-old bypassed his father’s iPhone fingerprint lock while he was sleeping, to make purchases in the iTunes Store. In this case the damage was several hundred dollars, but it could have ended much worse. Facial recognition can also be used to track and spy on individuals without their consent.
Nowadays, with the COVID-19 pandemic, biometrics are facing additional challenges, such as the limitations of facial recognition now that people have become accustomed to wearing masks, or the mass market for public fingerprint scanners, which took a huge blow as people refrain from physically touching surfaces in public; see article.
The Ugly
Aadhaar is India’s national biometric system as well as the largest biometric ID system in the world. Unfortunately, it keeps getting hacked: https://www.vice.com/en_us/article/43q4jp/aadhaar-hack-insecure-biometric-id-system
Did you know that aside from being super delicious (my own humble opinion), gummy bears can also be used to hack fingerprints? See it live in this YouTube video: https://youtu.be/BwTR7z57wVk
But that’s not all: there is a variety of methods to spoof fingerprints, and in this article you can get a closer look at 7 different ways to beat fingerprints.
Facial recognition is no different. According to a study of 110 different devices, in 4 out of 10 cases facial recognition could be circumvented using just a 2D photo or video. An example can be seen in this video of a Samsung Galaxy S10 being unlocked using a video: https://youtu.be/BGgQ9woZQOg?t=157
How can Verifyoo help you?
Verifyoo’s motto is “Privacy, Security and Usability.” The data used by Verifyoo’s verification systems does not include any PII (Personally Identifiable Information) and conforms to privacy requirements and regulations (e.g., GDPR, California Privacy Act).
This allows Verifyoo to store the data centrally or on the cloud and provide full flexibility to our clients, as they can utilize the centralized identity to verify users from practically any mobile device or platform.
For more information visit: https://www.verifyoo.com
To schedule a demo: https://www.verifyoo.com/Verifyoo/#contact-section