Cellphones Security Apple Technology

Why Your Next Phone Will Include Biometric Security 110

Posted by Soulskill
from the it'll-draw-blood-and-give-you-an-EKG dept.
An anonymous reader sends this quote from Forbes: "... it is an almost certainty that within the next few years, three biometric options will become standard features in every new phone: a fingerprint scanner built into the screen, facial recognition powered by high-definition cameras, and voice recognition based off a large collection of your vocal samples. ... We store an enormous amount of our most intimate and personal information on cell phones. Businesses today are already struggling with policies regarding bringing devices from home, and it’s only going to get more difficult. A study by Symantec highlighted the depth of the problem – around the world, all different types of companies consider enterprise mobile device security to be one of their largest challenges. ... Ever since Apple purchased Authentec Inc in July of last year, there has been an endless stream of news stories obsessing over whether Apple will include a fingerprint scanner in their next release. In reality, Apple is one among many players, and whether they include a biometric sensor in the 5S or wait till the 6 is largely irrelevant, the entire mobile industry has been headed this way for years now. ... There are separate questions as to whether these technologies are ready for such a wide-scale deployment."

  • by Zumbs (1241138) on Saturday March 30, 2013 @09:35AM (#43317815) Homepage
    How can anyone consider fingerprint identification on a touch screen as anything but toy security? You handle your phone pretty much each day, so it is highly unlikely that your fingerprints will not be all over it, in particular on the screen. With just a little bit of technique, every criminal will be able to get a usable fingerprint and unlock your phone. Mythbusters pretty much proved how easy these things are to bypass.
    • by gl4ss (559668)

      it's just for providing a quick lock so that your bro/sis/mom/dad doesn't mess around with your facebook.

    • " the entire mobile industry has been headed this way for years now"

      Reference please?
    • by Instine (963303)
      With micron resolution 3D printers, I wonder if it's practical to take stolen fingerprint data and print yourself a finger.
    • by Jane Q. Public (1010737) on Saturday March 30, 2013 @01:10PM (#43319015)

      "Mythbusters pretty much proved how easy these things are to bypass."

      The problem is that in order to prevent false negatives, the recognition has to be loose enough to allow way too many false positives.

      But -- and here's the big issue, IMHO -- the same is true for facial recognition, and voice recognition.

      So you have 3 "biometric security" options, all of which are ridiculously easy to circumvent.

      Security theater, anybody?

      The really big problem here is that it's a false sense of security. People come to rely on means that aren't secure, they feel they are secure. This just makes them sitting ducks for malicious people who know what they're doing.

      • by oPless (63249)

        So basically you have three, not-very-good biometric systems but putting them all together magically amplifies security?

        It sounds like a pretty bad film ... Sneakers perhaps?

      • Something you know & something you have, this is the way the professionals do it. For a personal phone, a 4 digit code and a moderate level of fingerprint recognition would likely be more than enough.

        The problem is that proper security is a pain, so most people will look for an easy way around it, a fingerprint scan only is an easy way around the issue. Truth be told, this is likely enough for most people, as long as the level of security is understood.

        That being said, there really is no patch for human

    • The idea is that all those fingerprints all get sent to your favorite three letter agency to be stored for later use. I hope nobody thinks this is for our security.

    • by idji (984038)
      if the hi-res camera is watching for the blood pulsing through the veins and feeling the warmth that is a different story.
      • The problem with the camera is that it needs light. If the light from the device is insufficient, then the user is not able to use it in low light situations or darkness. If the biometric information is ever lost or stolen, it cannot be changed like a password. The user is then really stuck up a creek without a paddle.

  • by Mitreya (579078) <mitreya@gmHORSEail.com minus herbivore> on Saturday March 30, 2013 @09:38AM (#43317827)

    a fingerprint scanner built into the screen, facial recognition powered by high-definition cameras, and voice recognition

    Oooh, and if you cut your finger/forget to shave or lose your voice temporarily -- who needs to use their phone every day?

    • Oh shit, I cut my hand off at work, better call 911... o wait.
    • by Barny (103770)

      Well, having used the built in 'droid security support for the fingerprint reader on my atrix, all I need to do is enter a pin number (that can be user set) to access it anyway.

    • by idji (984038)
      then you tap the login button and type in your password. Some problems are really simple to solve
    • by AmiMoJo (196126) *

      IT departments everywhere will need to stock up on bolt cutters and alcohol swabs for when they need to "revoke" compromised credentials.

  • it is an almost certainty that within the next few years, three biometric options will become standard features in every new phone

    Yeah? Who says?

    • You said it, they may as well be using taint configuration because they can stick their biometrics up their bottoms. Guess who will be the proud owners of a database of the fingerprints of most of the adult population in many countries if this is pushed ahead? The US government. I'm sure they are absolutely delighted with the surplus of freely given information already supplied by facebook and twitter, getting everyone's mugshot and prints is the final finishing touch.

      "It's a brave new world, or at least it

      • by sgt scrub (869860)

        People exist electronically. Law enforcement moved on to DNA in the 90's. If you get arrested they take a DNA sample as well as prints for your physical identity. Having a guarantee you are the one using your phone ties you to anything that is associated with your phone. The more phones are being used for banking to purchasing goods, the more having it tied to you as an individual the better it will be for law enforcers. They can then easily identify a person physically and electronically.

    • by acedotcom (998378)
      android phones already do facial recognition, and i have seen phones with finger print readers. really this is kind of non-news.
  • by HalAtWork (926717) on Saturday March 30, 2013 @09:43AM (#43317847)
    Now identity theft will become so much easier, trojans will be able to steal all that information too and spoofing access will be that much simpler.
  • The perfect spy. The NSA, CIA, FBI, IRS, Google, MasterCard etc love it.
    • Yeap, what government would not love this, no messy interrogation, the device is with the key, the user, just twist their arms a little or give them a drink of water. Bang, access and no messy warrants or waiting.

  • by Anonymous Coward

    The original Atrix has a fingerprint scanner. And Motorola abandoned it.

    • Re:Motorola Atrix (Score:4, Informative)

      by Jay Carlson (28733) on Saturday March 30, 2013 @12:38PM (#43318807)

      Apple buying the vendor for the fingerprint stack might have something to do with Motorola dropping the ATRIX 4G fingerprint sensor.

      The ATRIX 4G was supposed to get an ICS upgrade. There was a "leak" of a partially functional version. My guess is that the licensing issues with Authentec/Apple broke down. Guess Motorola didn't negotiate any long-term contract options.

      It's a shame about how AT&T handled pricing on the LXDE subsystem. The X server implemented on the NVidia framebuffer/compositing layer was pretty nice. In theory Android 4.2.2 should support non-mirrored HDMI better, so hopefully I can get a Linux desktop bigger than 1280x720 on this Galaxy S3.

  • My next phone is just six months away.

  • Isn't this more of a problem of enforcing device security policies? If the data is encrypted, does it really matter if the device is locked by PIN, pattern, fingerprint, facial recognition, or some other mechanism?
    • Your suggestion is really odd, how do you think that free app is supposed to read information that is encrypted by some other app or even by you, especially without you noticing it?

      Gee, some people...

    • My phone isn't locked at all, nectar of convenience. A FAST fingerprint reader is better than a password just because it would be more convenient, so I might use it. Which also refutes "fingerprint readers can be hacked". Yeah, so can PINs, much more easily, and I can pick any common lock within a minute, but they are still useful.
  • by gweihir (88907) on Saturday March 30, 2013 @10:09AM (#43317957)

    What all the proponents conveniently gloss over is that biometrics has not solved one fundamental problem: How to change the "password" once it gets stolen. And it will get stolen. Storing hashes does not help at all, as an attacker can just get new samples with ease. They just need to hack the sensors. Other ways exist. And once the biometric print has been compromised, there is nothing that realistically can be done.

    This fundamental limitation is the cause that no real security expert takes biometrics seriously in unsupervised scenarios. There are enough wannabe security experts around that will gladly take a lot of money for biometrics that will not work.

    • by teidou (651247) <tait AT fitis DOT com> on Saturday March 30, 2013 @10:24AM (#43318009) Homepage
      Yep, that's a serious issue.

      There is a difference between identity and authentication, and that difference is lost when one uses biometric identity measures for authentication.

      Great writeup on this from 2006 over at MSDN [microsoft.com]

      Short version: identity and authentication must remain distinct if you want to have a system where users are held responsible for their actions.
      • by Namarrgon (105036)

        Obligatory analogy: the difference between a contract with your signature on it, and a contract with your DNA on it.

        Biometrics are not authentication in themselves, but can still be useful as the identity component of two- or three-factor authentication.

    • That's less a factor than the fact that biometry may be much but it's not secret. Unless you're wearing gloves constantly (and, let's be honest, who does aside of some comic supervillains?) you leave fingerprints all over the place, all the time. The biometry print IS compromised, because it never was secret in the first place.

      It's great for establishing identity. There's nothing more you than you yourself. But it would be great to mix something secret into the fold. Unless you can at least ensure that nobo

    • by swillden (191260)

      What all the proponents conveniently gloss over is that biometrics has not solved one fundamental problem: How to change the "password" once it gets stolen.

      Biometrics are not passwords. They have some similarities, but also some important differences. Equating the two will just result in misunderstanding both -- as in this case; thinking that biometrics must be changeable like passwords to be useful.

      The intent of a biometric isn't to provide a replaceable, short-lived secret authenticator, it's to provide a public (though not necessarily widely-distributed) authenticator permanently bound to an individual. When designing a biometric security solution you sho

    • In addition to the stolen "password problem" there's this: Sometimes the actual biometric information differences are quite subtle, so that common digital encodings that are practical will generate the same code for two individuals. That means with millions of individuals, there is an increasing chance that a fingerprint encoder or other biometric device will generate the same code for two or more individuals. Common practical face recognition systems often have problems differentiating identical twins.

  • I think my employer already demands too many agents, scanners, tools, audits, logs and processes. Just encrypt the phone and even go so far that after the nth failed login it performs a factory reset. But enough of this "Let's add just 3 or 4 MORE steps to logging into your device" nonsense.

  • How do I get a new thumbprint exactly? When Mythbusters can clone my print with a gummibear or scotch tape, and my phone gets hacked, how do I get a new one?

  • Given that much of the rise in crime [tuaw.com] in New York last year was due to people having the iOS devices stolen, how long will it be before muggings at knife-point typically also involve the thief stealing the owner's index finger too?

    • by teidou (651247)
      The MSDN article I cited above mentions "Police in Malaysia are hunting for the members of a violent gang who chopped off a car owner’s finger to get round the vehicle’s hi-tech security system"...
  • by Anonymous Coward

    I had a win 6 phone with a fingerprint scanner years ago from HTC. My current phone (nexus 4) uses the front camera to recognize my face. Are we talking about new to IOS phones?

    • by Tapewolf (1639955)

      I had a win 6 phone with a fingerprint scanner years ago from HTC. My current phone (nexus 4) uses the front camera to recognize my face. Are we talking about new to IOS phones?

      They were all the rage ten years ago. HP's PocketPC 3 devices had them. I think they may even have still been Compaq at the time. Using the screen is new, but now I think about it, the scanning devices were probably the same kind of capacitive matrix we're using now.

      What most of these systems did was they hashed the fingerprint anyway, since they were IIRC vectorised, measuring the size and shape of the print. If the new devices do that too, it's less of a security problem, but if there's userspace acce

  • ...we get a security system with proven flaws and workarounds, and the vendor gets even more of our private information. Bonus.

  • Ask any owner of an Atrix 4g (the original). Too bad Motorola left us hanging with gingerbread.
  • It will force the masses to buy a new phone because advertising will make the people believe that you must have it. Whether this is because of security or because it is the latest gimmick is irrelevant.

    Your 4 digit code is enough security. If people steal your phone, they want to sell it. They are not interested in your data. If people are after the data on your phone, then biometric security will not stop them.

    If your data is something they might be after, then you should also think if having it on a phone

  • "You mean all my biometric data stored on a Google/Apple device? Where do I sign up?? I hope that in the future it's uploaded to the cloud - it would be so cool to have it integrated into every facet of my life" - Timfoil Hatticus

    Let's not forget that a SHA512 salted 8 digit mnemonic encoded password is far harder to crack than obtaining one's fingerprint on a touch-screen.
  • When my current phone dies, I'm buying another dumb phone. I do NOT need a "smart" phone to track me and let others track me, I'll stick with a dumb phone that makes phone calls.

    • When my current phone dies, I'm buying another dumb phone. I do NOT need a "smart" phone to track me and let others track me, I'll stick with a dumb phone that makes phone calls.

      You are pretty naive to think a dumb phone doesn't allow people to track you. Why would you think that? It has been a required feature in cell phones in the US for years...

  • by Anonymous Coward

    My voice is my passport. Verify me. Please?

  • Biometric devices are very good at providing a user name. I would never use them for anything else.

  • Bio-metrics are static passwords with very painful revocation, that one typically leaks all over the place.

    Unless I wear gloves all the time to hide my fingerprints, wear a mask to hide my face, stop talking to hide my voice, etc., it is nearly impossible to hide my bio-metrics. And once captured electronically as data, they can be copied indefinitely, and cannot be revoked without a lot of pain and suffering.

    Right now, criminals typically ignore capturing the bio-metrics of victims, since they are barely

  • Android phones have come with biometric authentication and have since October, 2011... http://www.android.com/about/ice-cream-sandwich/ [android.com]
  • Just what we need. Another dopey mechanism to interfere with the user experience. I'm already saddled with a dipshit policy pushed down from the corporate Exchange server that forces a password and timed lockups. The policy setting idiots will take something like this and further hobble my phone. Maybe even prevent me from say, handing my phone to a somebody even temporarily. "Here, take my phone. It's Bob. He wants to say 'hi'". The unauthorized biosignature detector fires off and disables my phone until I
  • When a Forbes column includes "...it is almost a certainty that" X, I think it is safe to assume that X is almost certain to not happen.
