Putting a finger on access control

The new iPhone 5S launched last week uses Apple’s Touch ID fingerprint authentication. The technology is super convenient, simply by holding a registered finger to the smartphone’s button, provides access to the device. Some individuals have registered their toes, nose and nipples and who knows what other body parts. One guy even registered his cat’s paw. It may be a little awkward unlocking a phone in public using some of these techniques however.

As biometrics enters everyday use, users should be aware of the upsides and shortcomings.

Advantages:
– A fingerprint is unique
– Your fingerprint is always with you
– Fingerprint scanners can be highly accurate
– Fingerprints are the most developed and widely-used biometrics
– Easy and convenient – no password to remember
– Small storage space required for the digital representation of fingerprints

Disadvantages:
– You leave your fingerprints all over the place
– Once stolen, it can be a problem – you can’t change your fingerprint like you can change a password or PIN
– Some feel that fingerprint scanning is an infraction of human rights because of the association with criminals
– Scanning errors from skin dryness, sweat, or dirty prints
– Concerns that criminals may sever fingers in order to gain unauthorised access

Last week, one of our mobile developers arrived at work with his thumb heavily bandaged. He had an accident whilst shaving. We squirmed as he described how his triple-blade razor had taken three deep layers off his finger. This accident would have caused a problem had it been his authentication digit.

As an authentication mechanism, a digital representation of the fingerprint needs to be stored somewhere. This is not necessarily a digital copy of the fingerprint, but a digital record derived from measurements between various prominent features of the fingerprint. Once the digital file is stored, it can be stolen. On the iPhone implementation, Apple assure us that the fingerprint data is only stored locally and not on a central server. However there are still many unanswered questions. Is it only the hash of the fingerprint data which is stored?

Within a day or two of the iPhone launch, the fingerprint scanner was successfully hacked, as demonstrated here. I have not yet seen any evidence of a photocopied finger accessing the 5S, but I suspect that it will work.

A digital representation of a fingerprint contains data derived from skin minutiae – the details of the ridges, and other fingerprint characteristics such as whorls, bifurcations, ridge endings, ridge cores and deltas. The sensitivity of the biometric can be varied by altering the number of points detected by the sensor. Typically, fingerprint scanners track around 40 data points. If the system is too sensitive, it will result in a high false reject rate (FRR) – where the scan does not recognise the finger it should. Too insensitive and the result is a high false accept rate (FAR) – where the scan accepts an unauthorised finger. The crossover error rate is where FRR = FAR.

It appears that Apple have opted for low sensitivity judging by the ease with which the scanner can be fooled. This does make sense on a smartphone as the inconvenience of false rejects outweigh the risks exposed by false acceptance.

Fingerprint access control was introduced in some laptops several years ago, however most customers chose to bypass it. The new iPhone is the most user-friendly implementation of the technology on such a ubiquitous device. As an access control for smartphones, it is marvellously convenient. There are privacy threats however, for example, if Apple decide to secretly attach fingerprint data to every photo you take. Also, will the fingerprint data be secretly shared with the NSA or any other governmental body, as has other Apple consumer data? How long will it take before malware steals the fingerprint data?

One of two things will happen – either the iPhone will herald widespread use of this form of access control, or it will be the death knell of biometrics as an access control in situations where the individual is not monitored. Time will tell, but I suspect that this technology will be given the thumbs up.

Leave a Reply

%d bloggers like this: