Let's face it: biometry is a bad idea

The iris scanner on the Samsung Galaxy S8, Face ID on the iPhone X and the fingerprint scanner on nearly every smartphone all share the same flaw: biometrics aren't secrets, and they can't be revoked. You have one face, two eyes and ten fingerprints, and none of them can be changed if compromised, at least not as easily as a password.

When it comes to keeping your smartphone locked down, there's always a tradeoff between convenience and security. For example, when one of my colleagues tried the LG Q6's facial recognition feature, he was able to unlock the phone by holding up another smartphone showing a photo of himself. Once he enabled the rather sluggish advanced face recognition mode, this 2D trick no longer worked.

Even the more sophisticated Face ID on the iPhone X can be tricked. In less than a week, and for less than $150, researchers at a cybersecurity firm built a (very scary) mask that beat Face ID. Family members can also get into each other's iPhones without intending to: a ten-year-old boy unlocked his mother's iPhone X because of their strong resemblance, and Face ID is easily fooled by identical twins.

Fingerprints are even easier to copy than faces, since you leave them behind everywhere offline and, sometimes, online. If you look closely, you can clearly see a fingerprint in the photo below, so it could in principle be lifted and copied. And once your fingerprint has been scanned, if the digital representation isn't stored securely, that representation could be stolen. Fingerprints are unique and can't be guessed the way a simple password can, but they can still be compromised, and you've only got ten of them.

(Photo: a Bluetooth headset carrying a visible fingerprint. Fingerprints are everywhere. / © NextPit)

Smartphone manufacturers go to great lengths to keep your fingerprint data secure. Here's how: Apple's Touch ID saves a mathematical representation of your fingerprint rather than an image of the print itself, encrypts it and stores it on the device without backing it up to the cloud. That data can only be decrypted with a key held by what Apple calls the Secure Enclave, a separate ARM-based coprocessor inside the main chip that is used to strengthen iOS security; the rest of the system only ever learns whether a scan matched, never the stored representation itself. On Android, fingerprint data is likewise encrypted with a device-specific key and handled inside the Trusted Execution Environment (TEE), an isolated area of the device's main processor, so it is compartmentalized from the regular operating system.
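To make the pattern concrete, here is an added toy model in Python of the enclave design described above. It is an illustration written for this article, not Apple's or Google's code: the HMAC-SHA256 counter-mode stream cipher stands in for the hardware AES engine, a 512-bit vector with a Hamming-distance threshold stands in for a real fingerprint representation and matcher, the sample scans are constructed, and the five-failure lockout is an assumed value. What it shows is the property that matters: the template is sealed under a key that never leaves the enclave, the application side only gets a yes/no answer, a blob dumped from flash is useless on another device, and repeated failures fall back to the passcode.

```python
# Added illustration of the "enclave" storage pattern, not vendor code.
# Toy stand-ins: HMAC-SHA256 in counter mode instead of hardware AES, a
# 512-bit vector instead of real minutiae data, constructed sample scans.
import hashlib
import hmac
import random
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits; biometric matching is fuzzy, never exact."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class SecureEnclave:
    """Owns the device key and the sealed templates; exposes only match results."""

    MAX_FAILURES = 5  # assumed lockout value; after this, only the passcode clears it

    def __init__(self):
        # In hardware this key is fused at manufacture and unreadable by software.
        self._device_key = secrets.token_bytes(32)
        self._sealed = {}  # finger_id -> (nonce, ciphertext, tag)
        self.failures = 0
        self.locked = False

    def _seal(self, template: bytes) -> tuple:
        nonce = secrets.token_bytes(16)
        ks = _keystream(self._device_key, nonce, len(template))
        ct = bytes(a ^ b for a, b in zip(template, ks))
        tag = hmac.new(self._device_key, nonce + ct, hashlib.sha256).digest()
        return nonce, ct, tag

    def _open(self, blob: tuple) -> bytes:
        nonce, ct, tag = blob
        expect = hmac.new(self._device_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("blob tampered with or sealed under a different device key")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._device_key, nonce, len(ct))))

    def enroll(self, finger_id: str, template: bytes) -> None:
        self._sealed[finger_id] = self._seal(template)

    def export_blob(self, finger_id: str) -> tuple:
        """What actually sits in flash: meaningless without this enclave's key."""
        return self._sealed[finger_id]

    def import_blob(self, finger_id: str, blob: tuple) -> None:
        """Accept a stored blob only if it verifies under our own key."""
        self._open(blob)
        self._sealed[finger_id] = blob

    def match(self, probe: bytes, max_bit_errors: int = 40) -> bool:
        """The only thing the application processor ever gets back: a boolean."""
        if self.locked:
            return False
        for blob in self._sealed.values():
            if hamming(self._open(blob), probe) <= max_bit_errors:
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False

    def unlock_with_passcode(self, passcode_ok: bool) -> None:
        if passcode_ok:
            self.failures = 0
            self.locked = False


def noisy_copy(template: bytes, flips: int, seed: int) -> bytes:
    """Constructed re-scan of the same finger: a few bits differ from enrollment."""
    rnd = random.Random(seed)
    bits = bytearray(template)
    for pos in rnd.sample(range(len(bits) * 8), flips):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def demo() -> dict:
    rnd = random.Random(1)
    thumb = bytes(rnd.getrandbits(8) for _ in range(64))     # constructed enrollment scan
    stranger = bytes(rnd.getrandbits(8) for _ in range(64))  # constructed unrelated finger
    enclave = SecureEnclave()
    enclave.enroll("right_thumb", thumb)
    results = {}
    results["same_finger_matches"] = enclave.match(noisy_copy(thumb, 20, seed=2))
    results["other_finger_matches"] = enclave.match(stranger)
    # An attacker who dumps flash gets the blob but not the fused key of this device.
    blob = enclave.export_blob("right_thumb")
    try:
        SecureEnclave().import_blob("stolen", blob)
        results["blob_usable_elsewhere"] = True
    except ValueError:
        results["blob_usable_elsewhere"] = False
    # Repeated misses trip the lockout; only the passcode clears it.
    for _ in range(SecureEnclave.MAX_FAILURES):
        enclave.match(stranger)
    results["locked_after_failures"] = enclave.locked
    results["match_while_locked"] = enclave.match(thumb)
    enclave.unlock_with_passcode(True)
    results["match_after_passcode"] = enclave.match(thumb)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that `match` is the only read path: there is no call that returns a template, and the sealed blob that would be written to storage fails verification under any other enclave's key, which is the property the Secure Enclave and the Android TEE are built to provide for the real representation.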

Despite manufacturers' strong efforts to protect your fingerprint and other biometric data, you still leave fingerprints behind everywhere you go and your face is always ready to be caught on camera. Since you can't get around this basic flaw of biometrics as a means of security, it makes sense to turn to other options. PIN codes and swipe patterns are weak because the oil and dirt smudges on your display glass reveal which keys or dots you touch, leaving an attacker only a handful of orderings to try. The best alternative is simply a strong password: use letters, numbers and symbols, and never reuse it. Keep in mind that on both iOS and Android the fingerprint or face only unlocks a device that was first secured with a passcode, and the passcode is required again after a reboot or after several failed biometric attempts, so a strong passcode matters even if you keep biometrics switched on for convenience.

How do you keep your smartphone secure? Do you value security over convenience?


  • Craig Lewis, Nov 28, 2017

    One issue is that legally, you can be compelled to unlock your phone if it is secured by fingerprint, but not if it is secured by a pin or password.

    • Brittany McGhee, Dec 7, 2017

      That's a great point, Craig! Thanks for the comment!

  • Dean L., Nov 24, 2017

    I use both a pin and fingerprint. Fingerprint for speed and ease of use, pin for all others. But really only a strong password truly does the job without a biometric sensor being used.

  • Deactivated Account, Nov 23, 2017

    PIN to start with; no chance of reading tell-tale smudges due to obsessive constant screen wiping.
    But I'm OK with biometrics as long as the tech works and it's easy and secure, basically against loss or theft of the device.

  • Mike, Nov 23, 2017

    Nothing is truly secure, except not owning a cell phone
