Samsung's fingerprint flop latest biometric cautionary tale

Summary: Samsung's Galaxy S5 is the latest to signal that biometrics are still not a solid answer on authentication

Last year it was the Apple iPhone 5s, this week it was the Samsung Galaxy S5. Both fooled by similar fingerprint reader hacks and leaving the biometric debate with another failure to chew on.

It doesn't come as a surprise that the method of the hack is as similar as the 5s/S5 names printed on the devices. Another year of research by Samsung couldn't come up with anything better against a well-understood hack that dates back to the infamous "Gummy Bear" days. (Japanese cryptographer Tsutomu Matsumoto used gelatin, the ingredient in Gummy Bears, to forge a replica finger that fooled 11 fingerprint scanners during tests in 2002.)

Biometrics have potential and promise, but what they don't have today is universal confidence among those in the security community. A truth that also should be part of the end-user community.

But it's not all on biometrics; every other authentication technology has its own flaws (looking long and hard at you, passwords). Like most, they are designed for convenience, not the type of security that the B2C and B2B Web is finding it can't live without in the face of relentless hacks.

These biometric flaws, however, take on a new perspective when biometric authentication methods are coupled with, say, financial transactions.

In the Samsung case, its fingerprint scanner has a higher risk ratio than the iPhone in that it is paired with PayPal transactions. Apple doesn't let its fingerprint technology wander off its own platform, which may be as much a statement on the technology as it is on Apple's platform superiority complex.

In its defense, PayPal appears only to have guilt by association (and perhaps a questionable quick-draw partnership) as the company has said it does not store or have access to fingerprints on the device and that its security extends beyond mere authentication into fraud and risk management tools and purchase protection policies.

What the fingerprint failures do confirm is that biometrics still need work. In addition, the hacks hint that two-factor authentication (2FA), while gaining favor as an improvement over passwords, may need to include more authentication factors. This is known as multi-factor authentication (MFA).

Those factors may include biometrics (iris, voice, facial recognition, heartbeats and brainwaves), but could extend to sensors and wearables, such as the Fitbit Flex.

While 2FA does improve security, today's device-happy users, who might be accessing an application from the same smartphone that is their "second factor," may be negating any tangible gains.

Security experts say two-factor is most secure when the second factor is "out-of-band."

Last year, Gunnar Peterson, managing principal at Arctec Group, told ZDNet, "The smartphone has the ability to simultaneously weaken two-factor because you are going to be using Facebook, Google, Twitter from that device, and is that really another factor if you are pushing your credential back through it. Just because that happens on another channel, is that really as secure as something like a smart card."

Discussions have turned to MFA, especially with the rise of wearable computing, another factor like the phone that end-users want and are dedicated to carrying.

Those devices can provide geo-location information, activity and status. A Fitbit Flex might be used to record a series of pre-subscribed arm motions. And geo-location may determine that you are using your laptop (and waving your arms) in your house or office.

These are technologies in progress in terms of authentication methods, but the result is that a combination of contextual information may ultimately be the best way to determine that you are who you say you are. Of course, hackers will set in motion the test of time against all of these authentication ideas just as they have done in the past.

Topics: Security, Networking

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
