Over a year ago I wrote a piece for Forbes that warned of serious security concerns created by the Apple iPhone’s TouchID fingerprint authentication; I speculated then that hackers could gain unauthorized access to users’ data by using lifted fingerprints. Days later, hackers successfully did just that.
This week, Qualcomm announced a new smartphone fingerprint authentication technology that might offer dramatic improvements over TouchID. The new offering uses ultrasonic sound waves to build and analyze a detailed three-dimensional map of a user’s fingerprint, something that cannot be impersonated simply by lifting a print off the side of the phone, as the flat two-dimensional images captured by commonly used sensors can be.
Aaron Tilley has a piece in Forbes that describes Qualcomm’s new offering and its potential advantages over TouchID.
While the benefits of 3-D fingerprint authentication on smartphones may be substantial, I still have several serious concerns about the use of fingerprints on smartphones:
1. The most obvious concern is that the system may not work as well as people expect; there were claims in 2013 that TouchID would also perform 3-D analysis to avoid being tricked by images of lifted fingerprints, and those claims did not hold up to hackers. Time will also tell how much inaccuracy affects people using the new technology. In general, fingerprint authentication compares a scan against the enrolled template and accepts it if the match score clears a threshold, and because genuine and impostor scores overlap, every threshold involves a trade-off: set it strictly and legitimate users will occasionally be denied access (false rejections); set it loosely and inappropriate users will sometimes gain unauthorized access (false acceptances).
2. In many jurisdictions, if you secure your phone with a fingerprint, police can compel you to press your finger to it and let them inspect its contents, but if you secure your phone with a password law enforcement has no such right, because a fingerprint is treated as physical evidence while a password is knowledge you would have to disclose. This may sound crazy and counterintuitive, but it is the law.
3. Despite assurances that collected fingerprint data never leaves the phone and is processed only in an area isolated from the operating system, there remains the risk that criminals will find ways to get at it. Unlike a password, a fingerprint cannot be reset: if a criminal obtains a fingerprint along with the user’s identifying information, he can potentially use it to steal the user’s identity and commit crimes for decades. Evildoers certainly have the incentive to look for ways to steal this information and will likely invest in technology to do so. Once people are conditioned to trust a phone’s fingerprint reader, for example, couldn’t criminals sell internally modified devices on the secondary market and capture actual fingerprints?
4. What would happen if some government “asked” phone manufacturers to create a back door that stores fingerprint information or sends it to the government, and to lie to the public by denying the existence of such a program? Considering the news of the past few years, such a scenario seems far from impossible.
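The first concern above, that a fingerprint matcher must either turn away some legitimate users or admit some impostors, can be seen directly with a threshold sweep. The following Python is an added example written for this page; it is not code from the article, from Qualcomm or from Apple, and the match scores in it are constructed for illustration rather than measured from any real sensor. It assumes the usual decision rule (accept if the similarity score is at or above a threshold) and computes the false accept rate (FAR), false reject rate (FRR), the equal error rate point, and the cost of driving either error to zero.

```python
"""Added example: the false-accept / false-reject trade-off in a
threshold-based fingerprint matcher (illustrative, not a real matcher)."""
from typing import List, Sequence, Tuple

# Constructed similarity scores in [0, 1], chosen so that the two populations
# overlap slightly, as they do for real sensors. Not measured data.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.82, 0.80, 0.77, 0.74, 0.71, 0.69, 0.66, 0.62, 0.58]
IMPOSTOR_SCORES = [0.12, 0.18, 0.22, 0.27, 0.31, 0.36, 0.41, 0.47, 0.53, 0.60, 0.64, 0.70]


def accepts(score: float, threshold: float) -> bool:
    """Assumed decision rule: unlock iff the match score reaches the threshold."""
    return score >= threshold


def false_accept_rate(impostor: Sequence[float], threshold: float) -> float:
    """FAR: fraction of impostor attempts that unlock the device."""
    return sum(accepts(s, threshold) for s in impostor) / len(impostor)


def false_reject_rate(genuine: Sequence[float], threshold: float) -> float:
    """FRR: fraction of legitimate attempts the device turns away."""
    return sum(not accepts(s, threshold) for s in genuine) / len(genuine)


def sweep(genuine: Sequence[float], impostor: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) at every score where the decision can change."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t)) for t in thresholds]


def equal_error_point(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest (the equal error rate, EER)."""
    return min(sweep(genuine, impostor), key=lambda row: (abs(row[1] - row[2]), row[1] + row[2]))


def frr_at_zero_far(genuine: Sequence[float], impostor: Sequence[float]) -> float:
    """Price of admitting no impostor: the threshold must exceed the strongest
    impostor score, so every genuine scan at or below it is rejected."""
    strongest_impostor = max(impostor)
    return sum(s <= strongest_impostor for s in genuine) / len(genuine)


def far_at_zero_frr(genuine: Sequence[float], impostor: Sequence[float]) -> float:
    """Price of rejecting no legitimate user: the threshold must admit the
    weakest genuine scan, so every impostor scoring at least that gets in."""
    weakest_genuine = min(genuine)
    return sum(s >= weakest_genuine for s in impostor) / len(impostor)


def perfect_threshold_exists(genuine: Sequence[float], impostor: Sequence[float]) -> bool:
    """A threshold with FAR = FRR = 0 exists only if the populations do not overlap."""
    return max(impostor) < min(genuine)


if __name__ == "__main__":
    print(f"{'threshold':>9} {'FAR':>6} {'FRR':>6}")
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"{t:>9.2f} {far:>6.3f} {frr:>6.3f}")
    t, far, frr = equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER at threshold {t:.2f}: FAR={far:.3f} FRR={frr:.3f}")
    print(f"FRR if no impostor may pass: {frr_at_zero_far(GENUINE_SCORES, IMPOSTOR_SCORES):.3f}")
    print(f"FAR if no user may be rejected: {far_at_zero_frr(GENUINE_SCORES, IMPOSTOR_SCORES):.3f}")
    print("Perfect threshold exists:", perfect_threshold_exists(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With the constructed scores, the sweep shows that no threshold yields both errors at zero: shutting out every impostor rejects a third of genuine scans, and never rejecting a genuine scan admits a quarter of impostors, with the equal error point in between. A vendor's choice of threshold is therefore a choice of which failure mode its users will experience, and the marketing claim that a sensor is both convenient and impossible to fool should be read with that in mind.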
For the foreseeable future I’ll be securing my phone with a password.
This article was written by Joseph Steinberg from Forbes and was legally licensed through the NewsCred publisher network.