Biometrics: The password you cannot change

Having the same password for everything is a big no-no in the security world, so what makes biometrics any different?
Written by Aimee Chanthadavong, Contributor

We've all seen the sci-fi films where a person walks up to a retinal or fingerprint scanner for authentication before a door slides open.

But biometric security is no longer science fiction; it's available right now on our smartphones, whether it's an Apple iPhone or one of the many Android handsets.

Since 2010, the Department of Immigration and Borders as well as Customs have been collecting fingerprints of foreigners from certain parts of the world applying for particular visas to stay in Australia, and in some cases require DNA tests.

During the 2015 federal budget, the federal government allocated AU$164.8 million over four years to the immigration department to spend on designing and scoping new IT platforms for travellers' biometric data and visa information.

The federal government also allocated AU$700,000 to CrimTrac for the development of its Biometric Identification Services system business case. The system is expected to eventually replace CrimTrac's automated fingerprint ID system.

Even some of Australia's banks are adopting it as a security option for customers accessing their online banking. Recently, Suncorp Bank announced it introduced Fingerprint Login to its mobile banking app, which leverages Apple's biometric technology to allow customers with compatible iPhone and iPad devices to log into their accounts at the touch of a finger.

Suncorp Bank digital banking manager Simon Clarke said the introduction of Fingerprint Login supported customer requests for quicker access to account balances and mobile banking services.

"40 per cent of our iOS customers already have a fingerprint ready device and are looking for more streamlined security options to manage their money on the go.

"The integration of fingerprint identification simplifies the user experience by offering another option for our customers to access the Suncorp Bank Mobile Banking App quickly and securely, without the need to remember a password or continually enter a passcode," he said.

Similarly, Commonwealth Bank has introduced Touch ID for CommBank users, enabling them to sign in to the app with their fingerprint instead of a four-digit PIN to access their accounts.

Biometrics Institute CEO Isabelle Moeller said biometric authentication is increasingly being used to ease the burden that security places on simplicity and usability.

"Their use offers consumers great convenience and increased security at the same time. We are seeing a growing number of wearable devices and the use of fingerprint biometrics on mobile devices," she said.

"With a biometric on a wearable device, users are now able to query that device and authenticate themselves as the user of that device."

But exactly how secure is it?

Recent research by FireEye outlined that hackers can remotely attack our smartphones and steal fingerprints on a "large scale", without anybody noticing. The research said the threat is mainly confined to Android devices with fingerprint sensors, such as Samsung, Huawei, and HTC handsets. The research suggested the reason is that the device makers have not fully locked down the sensors, leaving them vulnerable to attack.

FireEye researcher Yulong Zhang explained the fingerprint sensor on some devices is only guarded by the "system" privilege instead of root, making it easier to target and quietly collect the fingerprint data of anyone who uses the sensor.

"In this attack, victims' fingerprint data directly fall into the attacker's hands. For the rest of the victim's life, the attacker can keep using the fingerprint data to do other malicious things," he said.

When malicious attacks do occur, people are often able to protect themselves again by changing their passwords or replacing a credit card. But IBRS advisor and IT security industry analyst James Turner told ZDNet that when biometrics are stolen, they cannot be revoked, which he says should be a concern for many.

"I can get more credit cards, but I can't get more fingerprints," he said.

Turner suggested that biometrics should only be used as an authentication mechanism for local devices, which he said makes Apple's Touch ID unique and the "perfect way" of using biometrics.

He said when a person's fingerprints are checked by the cryptographic chip on the Apple device, the information becomes linked to a person's Apple ID, but that information stays only on that particular device. According to Turner, this means if a person loses their Apple device, no one else can use the saved credentials from a different device.

Turner made this observation in a discussion paper titled Consumerisation of biometrics will result in obsolescence, highlighting that most biometric deployments will "not be well executed, and the failures of these systems will impact the feasibility of biometrics as a means of authentication".

"You're using one password which you're storing in plain sight, and then you're using it against a whole range of different services, potentially, which is insane. Everyone says avoid password repetition or reuse, so why on earth would you be setting up a biometric system that does exactly that?" Turner said.
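The design Turner describes above, a biometric that is matched only on the device and then unlocks a per-service credential that can be replaced if leaked, as an added illustration that is not part of the article and not Apple's implementation: the `Device` and `Server` classes, the constructed templates and the use of a symmetric HMAC key as a stand-in for the per-service key pair a real deployment would hold are all assumptions of this example.

```python
import hashlib, hmac, secrets

class Device:
    # Phone that matches the biometric locally; the template never leaves this object.
    def __init__(self, enrolled_template):
        self._template = enrolled_template   # stays on the device
        self._service_keys = {}              # service -> revocable credential

    def enroll_service(self, service):
        # Stand-in for a per-service key pair: a random secret shared with the server once.
        key = secrets.token_bytes(32)
        self._service_keys[service] = key
        return key

    def authenticate(self, service, presented, challenge):
        # Local match; real sensors compare fuzzily, an exact compare stands in for that.
        if not hmac.compare_digest(presented, self._template) or service not in self._service_keys:
            return None                      # wrong finger, or credential revoked / never enrolled
        # Only a response derived from the revocable key leaves the device.
        return hmac.new(self._service_keys[service], challenge, hashlib.sha256).digest()

    def revoke(self, service):
        self._service_keys.pop(service, None)    # the finger stays; only the key is replaced

class Server:
    # Relying party: holds a per-user key, never a biometric template.
    def __init__(self):
        self._keys = {}

    def register(self, user, key):
        self._keys[user] = key

    def verify(self, user, challenge, response):
        if response is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def run_scenario():
    finger = b"constructed-template-alice"        # constructed sample, not a real template
    phone, bank = Device(finger), Server()
    bank.register("alice", phone.enroll_service("bank"))
    c1, c2 = secrets.token_bytes(16), secrets.token_bytes(16)
    r1 = phone.authenticate("bank", finger, c1)
    results = {
        "genuine_accepted": bank.verify("alice", c1, r1),
        "impostor_rejected": phone.authenticate("bank", b"constructed-template-bob", c1) is None,
        "replay_rejected": not bank.verify("alice", c2, r1),          # stale response, fresh challenge
    }
    phone.revoke("bank")                                              # rotate the credential, keep the finger
    results["revoked_rejected"] = not bank.verify("alice", c2, phone.authenticate("bank", finger, c2))
    return results
```

A compromise of the server exposes only the per-user key, which can be rotated; the template itself is never available to rotate or to steal from that side.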

Similarly, FireEye's Zhang said that Apple's iPhone, which pioneered the modern fingerprint sensor, is "quite secure," as it encrypts fingerprint data from the scanner.

"Even if the attacker can directly read the sensor, without obtaining the crypto key, [the attacker] still cannot get the fingerprint image," he said.

Steve Wilson, Constellation Research vice president and principal analyst, and Lockstep Group founder, said biometrics is still too immature to be used for security, and believes that a national standard needs to be set to define a secure level for biometric technology use.

"Security is a very conservative business...and if we're going to start using biometrics for 'serious applications' to protect high risk or valuable assets, then we need to probably slow down a little bit and be more cautious and sceptical," he said.

Moeller added that like any form of security technology, including PINs and passwords, there are flaws.

"When subject to a determined attack, none will guarantee absolute security. Most biometrics are not 'secret' and should be used with a secure second factor," she advised.

"Security relies not only on one factor but on combining them, such as relying on a PIN and fingerprint. There are a number of technologies, both software and hardware that can be used to detect such spoofing attacks."
