The first mobile device to feature a fingerprint scanner was the Motorola Atrix, which launched in 2011. It featured an optical sensor that worked so poorly that Motorola decided to discontinue it in later models.
It wasn’t until Apple launched the iPhone 5s that fingerprints started to receive massive adoption from smartphone users. The iPhone 5s featured a capacitive scanner that was cleverly located under the home button and essentially kicked off the mobile biometrics revolution, which eventually commoditized fingerprints and facial recognition, bringing them to even the most basic, entry-level models.
Additional biometric modalities were soon added, such as facial recognition, iris scanning, voice and more. While they do provide a smooth, password-less verification experience, there’s a caveat. All biometrics suffer from one fundamental flaw: unlike passwords, which can be replaced, once your biometric features have been compromised and spoofed there is no way to replace them, unless filing off your fingertips or getting facial reconstruction are viable options. This is also why biometric information such as fingerprints is considered extremely private, and why there is a lot of controversy over storing nation-wide, centralized biometric repositories, as they tend to draw a lot of attention from malicious actors. Just consider the hack of India’s biometric repository containing personal information of over a billion citizens. Compromised individuals would never feel secure again using their fingerprints or iris scans as a method of verification, as this data could already be on sale for a dime a dozen on the dark web, paving the way to identity theft of the compromised individuals.
The frictionless factor is not the only one in play here – users are also not required to memorize passwords when using biometrics, which removes a lot of the “mental friction” and frustration of having to manage multiple passwords. This is not entirely true, however, since mobile biometrics are stored on the device, and any time a user wishes to “bind” a new device to their account, they are required to enter their password once more – we’ll touch on that a bit later in the article.
Lastly, there is the security factor – passing around biometrics is a lot more difficult than giving away a password, although in some cases this may not be entirely true, as we will soon describe. In addition, with mobile biometrics there is also the PIN code fallback, which appears after the user is rejected by the biometric system. This essentially means that the security level of mobile biometrics is equal to that of a standard, 4-digit PIN code.
Biometrics are also susceptible to spoofing (AKA presentation attacks), since they use visible features such as the face, fingerprints or voice. One of the most disturbing examples was demonstrated by Jan Krissler, a biometrics specialist from Germany. Jan managed to recreate the iris features required to successfully verify as none other than Angela Merkel, the chancellor of Germany. Jan didn’t have to work too hard, as the data was publicly available online for anyone to download and exploit. Link to the article: https://www.scmagazineuk.com/starbugs-eyes-german-hacker-spoofs-iris-recognition/article/1479198
Nowadays, with the COVID-19 epidemic, biometrics are facing additional challenges. Facial recognition is limited now that people have become accustomed to wearing masks, and the mass market of public fingerprint scanners took a huge blow as people refrain from physically touching surfaces in public – see article.
Did you know that aside from being super delicious (my own humble opinion), gummy bears can also be used to hack fingerprints? See it live in this YouTube video:
Facial recognition is no different: according to a study that was done on 110 different devices, in 4 out of 10 of them facial recognition can be circumvented using just a 2D photo or video. An example can be seen in this video of a Samsung S10 being unlocked using a video: https://youtu.be/BGgQ9woZQOg?t=157
How can Verifyoo help you?
This allows Verifyoo to store the data centrally or on the cloud and provide full flexibility to our clients, as they can utilize the centralized identity to verify users from practically any mobile device or platform.
For more information visit: https://www.verifyoo.com