Biometrics-based access controls measure a physical feature or something produced by a human. For example, fingerprint characteristics are a measure of physical features; voice recognition or typing analysis are forms of biometrics created by human action.
The fingerprint or other characteristics are not themselves stored. Rather, an algorithm converts the characteristics to a numeric value, which is stored in a secure location. This is done when a user is registered with a biometrics solution. When the user later presents the measured characteristic to a sensor for access, the algorithm once again converts it to a value and compares the new value to the stored value. If the two values match, identity is verified and authentication is successful.
The process of using fingerprints for identity verification is open to forgery. For example, some scanners are fooled with fingerprints created with a printer or gelatin cast. The security of a sensor depends on the time and effort devoted to its development, the algorithm used for characteristic-to-value conversion, and the balance struck between false positives and false negatives, expressed as the crossover error rate (the operating point at which the false accept and false reject rates are equal). That balance is either built into the system or managed by the user or administrator.
Finally, sensors don't always work as expected. Damaged or dirty sensor surfaces can be big issues. In addition, changes to fingerprint characteristics due to injury or other causes can cause biometrics solutions to deny a user access. Another challenge is the longevity of a fingerprint. While users can change passwords or PINs regularly, undamaged fingerprints remain the same forever.
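The trade-off described above, between accepting forged prints (false positives) and rejecting a registered user (false negatives), can be made concrete by sweeping a match threshold over match scores and locating the crossover error rate. This is an added illustration, not code from the article or from Apple; the score values and the 0-100 similarity scale are constructed assumptions, not Touch ID's.

```python
"""Threshold sweep over constructed match scores: false accept rate (FAR),
false reject rate (FRR) and their crossover error rate (CER)."""
from typing import Dict, List, Tuple

# Constructed sample data (not from any real sensor): similarity scores in
# [0, 100] that a hypothetical matcher returned when comparing a presented
# print against the stored template value. "genuine" = the registered user's
# own finger; "impostor" = a different finger or a forged print.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61, 55, 48]
IMPOSTOR_SCORES: List[int] = [12, 18, 25, 31, 38, 44, 50, 53, 58, 63, 69, 75]


def far(threshold: int, impostor: List[int]) -> float:
    """False accept rate: share of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: List[int]) -> float:
    """False reject rate: share of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine: List[int], impostor: List[int],
          thresholds=range(0, 101)) -> Dict[int, Tuple[float, float]]:
    """Map each candidate threshold to its (FAR, FRR) pair."""
    return {t: (far(t, impostor), frr(t, genuine)) for t in thresholds}


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Lowest threshold where FAR and FRR are closest, and the error rate there.

    Raising the threshold above this point makes forgery harder (lower FAR) at
    the cost of locking out more legitimate users (higher FRR); lowering it
    does the reverse. An administrator tuning "balance" is moving along this curve.
    """
    table = sweep(genuine, impostor)
    t = min(table, key=lambda k: abs(table[k][0] - table[k][1]))
    return t, (table[t][0] + table[t][1]) / 2


if __name__ == "__main__":
    t_cer, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t_cer}: CER = {cer:.2%}")
    for t in (50, t_cer, 75):  # a lenient, the balanced, and a strict setting
        print(f"t={t:3d}  FAR={far(t, IMPOSTOR_SCORES):.2%}  FRR={frr(t, GENUINE_SCORES):.2%}")
```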
Apple's fingerprint sensor on the new iPhone 5s comes with all these challenges.
The new iPhone, to be released on September 20, has a fingerprint sensor built into the home button. (See Apple's Touch ID YouTube video… please excuse the marketing hype.) In addition to enabling easy security with quick access, rumors abound as to whether this is a first step toward NFC implementation: something still missing from the 5s. But along with advantages of ease of use come all the challenges of single-factor biometrics authentication, including forgery, false negatives, and employee mistrust of biometrics.
Apple does the right thing by storing the converted biometrics measurement in a secure location on the iPhone: the new A7 chip. It is never shared outside the phone. Although this is good news, it still doesn't prevent fingerprint forgery. How well the iPhone handles forgeries is still unknown. However, I expect we'll see how easy—or hard—forgery is as hackers aggressively go after this new opportunity.
Forgery defense is best mounted by using a second authentication factor (Olzak, 2010). For example, in addition to fingerprint verification, a password is used. Using two-factor authentication is not a viable solution for many organizations. However, when highly sensitive data is involved, it is the best protection. Two-factor authentication can decrease the probability of unwanted access to levels recommended by associated risk assessments (Olzak, 2012).
False negatives occur when the fingerprint verification process incorrectly rejects a registered print. Employee frustration runs high when access to a device is blocked due to technical failure. Blocked access to a phone will raise employee annoyance to new highs. Apple deals with this by requiring the creation of a PIN at the time of fingerprint registration that provides a workaround when biometrics fails.
Many users will resist using Touch ID. The myth persists that someone, especially the NSA or other government agency, will grab fingerprint data for nefarious purposes. If an iPhone vulnerability exists that allows theft of fingerprint values, it will be useful for bypassing the actual fingerprint. However, attacks of this nature usually require special technical resources. The advantages of Touch ID outweigh the risks. User education is an important part of implementation, including the fact that Apple encrypts the values before storing them in a secure location.
None of Apple's Touch ID controls works well when an iPhone is physically in the hands of an attacker. Fingerprint biometrics combined with a password is no replacement for Internet-based device location and data destruction services, such as Apple's Find My iPhone and McAfee's Mobile Security. Nor does it replace automated policy enforcement (e.g., MobileIron and Good Technologies) that controls what users can do and store with their iPhones. Apple's Touch ID does not supplant layered mobile security controls.
- Touch ID provides the means to secure user iPhones while providing quick access. Security controls supporting Apple's fingerprint biometrics include fingerprint value encryption, requirement for a PIN during registration, and storage of Touch ID information in the A7 chip.
- While Touch ID is an innovative step toward securing mobile devices, it suffers from the same vulnerabilities as other fingerprint identification solutions: forgery, sensor challenges, and user resistance.
- No single control is enough to protect sensitive data; this applies to all devices, including the iPhone. In addition to remote destruction of data on lost or stolen devices, controlling what users can access and what they can do with that data, and implementing multi-factor authentication where appropriate, remain important controls supporting any fingerprint biometrics implementation.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.