Biometric Badness

23 September 2013

There’s nothing quite like the slick, high tech (when it works, at least) feeling of swiping your finger to unlock your devices. It’s fast, it’s convenient, and it feels futuristic, which explains why there are so many laptops that are capable of authenticating users via their fingerprints. Unfortunately, using fingerprints as a “more secure” login system should have been a short time fad. Although the technology continues to improve, it provides a false sense of security.

Why is this significant now? The technology has been embedded in laptops for some time - I have one too - but Apple is the first to put it on a phone which, if the past is any indication, will cause it to make its way into other phones as well. In terms of the implementation of it, from what I have read it sounds fairly sound. Fingerprint data is hashed (converted to an irreversible string of data that looks nothing like a fingerprint) and stored in a dedicated area on the iPhone. iOS has access to this only to ask if a fingerprint is valid or not and other apps don’t have access to the reader or to stored fingerprint data. That’s not to say that won’t change in the future, but that is the case for the iPhone 5s.

Mobile devices pose an increasing privacy risk for their carriers as well as their contacts, since most (smart)phones are now able to carry a contact list, logged-in applications, credit card numbers, and all manner of other things. Far too few people secure them adequately, opening up routes for invading privacy and stealing money. There are far too many stories of someone’s phone being stolen and accounts being hacked into, or the thief running up hundreds of dollars in data use. There’s a number of ways to make it somewhat more difficult for a thief to gain enough access to a phone be it with a PIN code, password, or what-have-you depending on your device. By adding TouchID to the iPhone, Apple has provided yet another method that hopefully more people will make use of.

The issue with using fingerprint data for authentication is that unless we walk around wearing gloves, we leave our fingerprints on everything we touch. Most significantly - right on our keyboard or phone touchscreen; conveniently right next to the thing that reads them and logs us in. In consumer electronics, the readers aren’t tremendously difficult to fool by lifting the fingerprints and making copies. Some readers can even be fooled with a conductive print of the lines from the fingerprint. Apple’s reads fingerprints at a much higher resolution (they say), but even that one has been fooled.

While we should provide more ways to secure devices so that more people are inclined to use them, providing a false sense of security with flashy biometric readers is unsafe. While it keeps out the casual thief - hopefully - too many people and even companies consider fingerprint data to be far more secure than it actually is. Phones are a difficult devices to provide good security for because of how easily they’re lost or “borrowed,” and if more people choose to use any security at all it’s better for all of us. Let’s be careful with trusting them with anything highly secure, however.

Care about what the web is doing to our minds? Check out my book, The Thought Trap, at

• • •

Stay updated by email
or, grab the feed

Found something wrong? Get in touch.

Share this