Why Your Next Phone Will Include Biometric Security
An anonymous reader sends this quote from Forbes:
"... it is an almost certainty that within the next few years, three biometric options will become standard features in every new phone: a fingerprint scanner built into the screen, facial recognition powered by high-definition cameras, and voice recognition based off a large collection of your vocal samples. ... We store an enormous amount of our most intimate and personal information on cell phones. Businesses today are already struggling with policies regarding bringing devices from home, and it’s only going to get more difficult. A study by Symantec highlighted the depth of the problem – around the world, all different types of companies consider enterprise mobile device security to be one of their largest challenges. ... Ever since Apple purchased Authentec Inc in July of last year, there has been an endless stream of news stories obsessing over whether Apple will include a fingerprint scanner in their next release. In reality, Apple is one among many players, and whether they include a biometric sensor in the 5S or wait till the 6 is largely irrelevant, the entire mobile industry has been headed this way for years now. ... There are separate questions as to whether these technologies are ready for such a wide-scale deployment."
Fingerprints? On a touch screen? (Score:4, Insightful)
Re: (Score:2)
An Argent Sheathing? (Score:2)
Re: Fingerprints? On a touch screen? (Score:1)
Re: (Score:2)
Re: (Score:2)
Like the Chaos Computer Club.
Re: (Score:2)
it's just for providing a quick lock so that your bro/sis/mom/dad doesn't mess around with your facebook.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Reference please?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Fingerprints? On a touch screen? (Score:4, Insightful)
"Mythbusters pretty much proved how easy these things are to bypass."
The problem is that in order to prevent false negatives, the recognition has to be loose enough to allow way too many false positives.
But -- and here's the big issue, IMHO -- the same is true for facial recognition, and voice recognition.
So you have 3 "biometric security" options, all of which are ridiculously easy to circumvent.
Security theater, anybody?
The really big problem here is that it's a false sense of security. People come to rely on means that aren't secure, then they feel they are secure. This just makes them sitting ducks for malicious people who know what they're doing.
Re: (Score:2)
So basically you have three, not-very-good biometric systems but putting them all together magically amplifies security?
It sounds like a pretty bad film ... Sneakers perhaps?
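The trade-off discussed in the two comments above (loosening the match threshold to avoid false rejections admits more impostors, and whether requiring three weak matchers together helps), worked through as an added example that is not part of the original thread. The similarity scores are constructed for illustration, the function names are hypothetical, and the combination step assumes the three modalities fail independently.

```python
# Added illustration: FAR/FRR trade-off for a threshold-based biometric matcher.
# All scores are constructed sample data, not measurements from a real sensor.

# Similarity scores in [0, 1]; a sample is accepted when score >= threshold.
GENUINE = [0.91, 0.84, 0.78, 0.73, 0.66, 0.61, 0.58, 0.49]   # owner, varying conditions
IMPOSTOR = [0.12, 0.21, 0.27, 0.33, 0.38, 0.44, 0.52, 0.63]  # other people

THRESHOLDS = [0.3, 0.4, 0.5, 0.6, 0.7]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR): false-reject and false-accept rates at this threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def strictest_threshold_for_frr(max_frr, thresholds=THRESHOLDS):
    """Highest threshold that keeps FRR <= max_frr, with the FAR that costs."""
    ok = [(t, *rates(t)) for t in thresholds if rates(t)[0] <= max_frr]
    return max(ok) if ok else None


def require_all(frr, far, n):
    """AND-fusion of n matchers with equal rates, ASSUMING independent errors.

    An impostor must fool every matcher (FAR shrinks); the owner is locked
    out if any single matcher rejects (FRR grows).
    """
    return 1 - (1 - frr) ** n, far ** n


if __name__ == "__main__":
    print("threshold  FRR    FAR")
    for t in THRESHOLDS:
        frr, far = rates(t)
        print(f"{t:9.1f}  {frr:.3f}  {far:.3f}")
    # Tuning for "the owner is never rejected" fixes the FAR the device accepts.
    print("zero-FRR operating point:", strictest_threshold_for_frr(0.0))
    # Three matchers at threshold 0.5, all required to pass.
    print("3-way AND at 0.5 (FRR, FAR):", require_all(*rates(0.5), 3))
```

With these constructed scores, tuning for zero false rejections leaves a 37.5% false-accept rate, and requiring all three matchers at threshold 0.5 cuts false accepts to about 1.6% while raising owner lockouts to about 33%.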
Re: (Score:1)
Re: (Score:1)
The idea is that all those fingerprints all get sent to your favorite three-letter agency to be stored for later use. I hope nobody thinks this is for our security.
Re: (Score:2)
Re: (Score:2)
The problem with the camera is that it needs light. If the light from the device is insufficient, then the user is not able to use it in low light situations or darkness. If the biometric information is ever lost or stolen, it cannot be changed like a password. The user is then really stuck up a creek without a paddle.
Re: (Score:2)
Indeed, I have mine right here and the button to bring it out of sleep is the fingerprint reader. Very nifty and no more smudge-pattern on a screen from the 'security swipe', which anyone can guess in about three tries by following that smudge-pattern.
Re: (Score:3)
My phone has had facial recognition for a real long time now. Then my son realized he can open the phone by pointing it at my face while I sleep, or a picture of me in the living room, and he can get in. So now I disabled it, because he was really the one I was trying to keep out...
Ripe for problems (Score:3)
a fingerprint scanner built into the screen, facial recognition powered by high-definition cameras, and voice recognition
Oooh, and if you cut your finger/forget to shave or lose your voice temporarily -- who needs to use their phone every day?
Re: (Score:3)
Re: (Score:2)
Yeah, I mean, what do you want to dial with?
Re: (Score:2)
I'd use my Dictaphone.
Re: (Score:2)
Then it's not properly designed, the whole point of locking the phone is so that you don't butt dial 911.
Quite the contrary - in many regions it's been a requirement of mobile phones that you can still dial whatever the local emergency code is (911, 999, etc.) or an international emergency code (112) without unlocking the phone.
Just try it now on your phone if it has physical buttons. Not sure how this works with touch screens though.
Re: (Score:2)
Well, having used the built in 'droid security support for the fingerprint reader on my atrix, all I need to do is enter a pin number (that can be user set) to access it anyway.
Re: (Score:2)
Re: (Score:2)
IT departments everywhere will need to stock up on bolt cutters and alcohol swabs for when they need to "revoke" compromised credentials.
Orly? (Score:2)
it is an almost certainty that within the next few years, three biometric options will become standard features in every new phone
Yeah? Who says?
Re: (Score:2)
You said it, they may as well be using taint configuration because they can stick their biometrics up their bottoms. Guess who will be the proud owners of a database of the fingerprints of most of the adult population in many countries if this is pushed ahead? The US government. I'm sure they are absolutely delighted with the surplus of freely given information already supplied by facebook and twitter, getting everyone's mugshot and prints is the final finishing touch.
"It's a brave new world, or at least it
Re: (Score:2)
People exist electronically. Law enforcement moved on to DNA in the 90's. If you get arrested they take a DNA sample as well as prints for your physical identity. Having a guarantee you are the one using your phone ties you to anything that is associated with your phone. The more phones are being used for banking to purchasing goods, the more having it tied to you as an individual the better it will be for law enforcers. They can then easily identify a person physically and electronically.
Re: (Score:2)
Great (Score:3)
Re: (Score:1)
Get real.
I intended to write a lengthy post about how random people are not the number one threat I perceive when using my smartphone. But the AC said it with 5 words.
pwned (Score:2)
Re: (Score:2)
Yep, what government would not love this, no messy interrogation, the device is with the key, the user, just twist their arms a little or give them a drink of water. Bang, access and no messy warrants or waiting.
Motorola Atrix (Score:1)
The original Atrix has a fingerprint scanner. And Motorola abandoned it.
Re:Motorola Atrix (Score:4, Informative)
Apple buying the vendor for the fingerprint stack might have something to do with Motorola dropping the ATRIX 4G fingerprint sensor.
The ATRIX 4G was supposed to get an ICS upgrade. There was a "leak" of a partially functional version. My guess is that the licensing issues with Authentec/Apple broke down. Guess Motorola didn't negotiate any long-term contract options.
It's a shame about how AT&T handled pricing on the LXDE subsystem. The X server implemented on the NVidia framebuffer/compositing layer was pretty nice. In theory Android 4.2.2 should support non-mirrored HDMI better, so hopefully I can get a Linux desktop bigger than 1280x720 on this Galaxy S3.
It better get here quick... (Score:1)
My next phone is just six months away.
slide to unlock is the problem (Score:2)
Re: (Score:2)
Your suggestion is really odd, how do you think that free app is supposed to read information that is encrypted by some other app or even by you, especially without you noticing it?
Gee, some people...
Fingerprints are more convenient than good passwor (Score:2)
Biometrics is a dead-end (Score:5, Insightful)
What all the proponents conveniently gloss over is that biometrics has not solved one fundamental problem: How to change the "password" once it gets stolen. And it will get stolen. Storing hashes does not help at all, as an attacker can just get new samples with ease. They just need to hack the sensors. Other ways exist. And once the biometric print has been compromised, there is nothing that realistically can be done.
This fundamental limitation is the reason that no real security expert takes biometrics seriously in unsupervised scenarios. There are enough wannabe security experts around that will gladly take a lot of money for biometrics that will not work.
Re:Biometrics is a dead-end (Score:5, Interesting)
There is a difference between identity and authentication, and that difference is lost when one uses biometric identity measures for authentication.
Great writeup on this from 2006 over at MSDN [microsoft.com]
Short version: identity and authentication must remain distinct if you want to have a system where users are held responsible for their actions.
Re: (Score:2)
Obligatory analogy: the difference between a contract with your signature on it, and a contract with your DNA on it.
Biometrics are not authentication in themselves, but can still be useful as the identity component of two- or three-factor authentication.
Re: (Score:2)
That's less a factor than the fact that biometry may be much but it's not secret. Unless you're wearing gloves constantly (and, let's be honest, who does aside of some comic supervillains?) you leave fingerprints all over the place, all the time. The biometry print IS compromised, because it never was secret in the first place.
It's great for establishing identity. There's nothing more you than you yourself. But it would be great to mix something secret into the fold. Unless you can at least ensure that nobo
Re: (Score:2)
I do very well understand that. The problem is that malware capturing fingerprints, voice-prints and faces is easy and has just not been done so far because there is no point. So, no, I am not talking about targeted attacks at all, but automatized, wide-deployed ones.
Re: (Score:3)
What all the proponents conveniently gloss over is that biometrics has not solved one fundamental problem: How to change the "password" once it gets stolen.
Biometrics are not passwords. They have some similarities, but also some important differences. Equating the two will just result in misunderstanding both -- as in this case; thinking that biometrics must be changeable like passwords to be useful.
The intent of a biometric isn't to provide a replaceable, short-lived secret authenticator, it's to provide a public (though not necessarily widely-distributed) authenticator permanently bound to an individual. When designing a biometric security solution you sho
Re: (Score:2)
In addition to the stolen "password problem" there's this: Sometimes the actual biometric information differences are quite subtle, so that common digital encodings that are practical will generate the same code for two individuals. That means with millions of individuals, there is an increasing chance that a fingerprint encoder or other biometric device will generate the same code for two or more individuals. Common practical face recognition systems often have problems differentiating identical twins.
How about just having whole disk encryption? (Score:2)
I think my employer already demands too many agents, scanners, tools, audits, logs and processes. Just encrypt the phone and even go so far that after the nth failed login it performs a factory reset. But enough of this "Let's add just 3 or 4 MORE steps to logging into your device" nonsense.
Re: (Score:3)
Re: (Score:1)
Great until you need to revoke it (Score:2)
How do I get a new thumbprint exactly? When Mythbusters can clone my print with a gummibear or scotch tape, and my phone gets hacked, how do I get a new one?
Re: (Score:2)
How much for your hand or for head?
Fingers are removable (Score:2)
Given that much of the rise in crime [tuaw.com] in New York last year was due to people having the iOS devices stolen, how long will it be before muggings at knife-point typically also involve the thief stealing the owner's index finger too?
Re: (Score:2)
Re: (Score:2)
Already done. (Score:1)
I had a win 6 phone with a fingerprint scanner years ago from HTC. My current phone (nexus 4) uses the front camera to recognize my face. Are we talking about new to IOS phones?
Re: (Score:3)
I had a win 6 phone with a fingerprint scanner years ago from HTC. My current phone (nexus 4) uses the front camera to recognize my face. Are we talking about new to IOS phones?
They were all the rage ten years ago. HP's PocketPC 3 devices had them. I think they may even have still been Compaq at the time. Using the screen is new, but now I think about it, the scanning devices were probably the same kind of capacitive matrix we're using now.
What most of these systems did was they hashed the fingerprint anyway, since they were IIRC vectorised, measuring the size and shape of the print. If the new devices do that too, it's less of a security problem, but if there's userspace acce
And so... (Score:2)
fingerprint sensor on a phone is great (Score:1)
Re: (Score:2)
Good security or (Score:1)
Let's not forget that a SHA512 salted 8 digit mnemonic encoded password is far harder to crack than obtaining one's fingerprint on a touch-screen.
My next phone will not. (Score:2)
When my current phone dies, I'm buying another dumb phone. I do NOT need a "smart" phone to track me and let others track me, I'll stick with a dumb phone that makes phone calls.
Re: (Score:2)
When my current phone dies, I'm buying another dumb phone. I do NOT need a "smart" phone to track me and let others track me, I'll stick with a dumb phone that makes phone calls.
You are pretty naive to think a dumb phone doesn't allow people to track you. Why would you think that? It has been a required feature in cell phones in the US for years...
Sneakers (Score:1)
My voice is my passport. Verify me. Please?
Can I change how it is used? (Score:2)
Biometric devices are very good at providing a user name. I would never use them for anything else.
Bio-metrics are static passwords (Score:2)
Bio-metrics are static passwords with very painful revocation, that one typically leaks all over the place.
Unless I wear gloves all the time to hide my fingerprints, wear a mask to hide my face, stop talking to hide my voice, etc., it is nearly impossible to hide my bio-metrics. And once captured electronically as data, they can be copied indefinitely, and cannot be revoked without a lot of pain and suffering.
Right now, criminals typically ignore capturing the bio-metrics of victims, since they are barely
We already have biometric authentication (Score:2)
More features to make a phone unusable (Score:1)
Consider the Source (Score:2)
When a Forbes column includes "...it is almost a certainty that" X, I think it is safe to assume that X is almost certain to not happen.