Fingerprint authentication: a security risk?

The new Apple iPhone 5s launched this week features fingerprint recognition sensors to unlock the phone and make purchases, but according to an expert in cyber security at the University of Kent the new fingerprint recognition could be subjecting users to more security risks than they realise.

Dr Eerke Boiten from the University’s Centre for Cyber Security Research, said: ‘Following recent revelations by Edward Snowden, it seems a bit unfortunate for Apple to be releasing a new iPhone with fingerprint recognition right now.

‘Security protection on mobile phones in general is weak enough that private data of all kinds can be obtained maliciously. In particular, the recent Snowden revelations suggest that the National Security Agency (NSA) can get at any data on an iPhone if it wants to, with “scripts” specifically aimed at data such as mapping, voicemail and photos. In that context, it is hard to believe that “securely stored” fingerprints could really be much better protected.

‘At first glance, adding fingerprint recognition to phones might appear to be a way of increasing security. It may entice more users to secure their phones: as it currently stands pin code security is left unused by a significant fraction of phone users. It also provides an avenue for “multi-factor authentication”, a modern and more secure way of proving your identity by not only using something-you-know (like a password) but also something-you-are (like a fingerprint).

‘However, like with many other biometrics, the consequences of a fingerprint being “stolen” are significantly worse than with a stolen password. A fingerprint being stolen could compromise all possible future uses of that fingerprint in other applications, as obviously you cannot “get a new one”.’

Dr Boiten continued: ‘We do not actually have to worry about the National Security Agency (NSA) stealing fingerprints in this way – in fact, quite the reverse: of those of us who have been to the US recently, they are certain to have fingerprints on file already through the visa process. Modern EU visas and passports also require fingerprint data. However, if NSA (and other security agencies) can easily get at any data on an iPhone, so can criminals – so storing highly valuable and individual data like fingerprints on a phone might not be so wise.’

However, Dr Farzin Deravi from the University’s School of Engineering and Digital Arts and an expert in biometrics, said: ‘Of course fingerprint sensors on mobile phones are not unique in acting as a privacy threat. Phones also provide voice and face data to potential abusers of privacy. Apple claims that the fingerprint image is not stored on the phone. There have been technologies under development in recent years to enhance the privacy aspects of biometric technologies and these could certainly ensure that only an encrypted version of features extracted from the fingerprint image are stored and used for authentication. However, risks of spoofing attacks remain with the possibility of fraudsters creating synthetic fingers using data lifted from genuine fingerprints.

‘It remains to be seen whether the new release from Apple has indeed managed to find the right balance of usability, security and privacy in one product. The jury is still out!’

Dr Eerke Boiten is Head of the Security Research Group in the School of Computing, and the Director of the University's Interdisciplinary Centre for Cyber Security Research (www.cybersec.kent.ac.uk).

Dr Farzin Deravi is Reader in Information Engineering at the School of Engineering and Digital Arts.

Contact: k.scoggins@kent.ac.uk