Apple’s fingerprint sensor has drawn a huge amount of attention (and hack attempts) ever since it launched on the iPhone 5S – but it seems Android users will get their own fingerprint protection shortly.
A report from USA Today said that a standardized fingerprint security system for Android devices, certified by the FIDO (Fast Identity Online) Alliance, would be available shortly after the new year.
While Apple’s fingerprint sensor has come under fire from security researchers, many of the “hacks” rely on weaknesses in other systems, such as Apple’s Siri voice control – or laborious methods such as “3D printing” latex fingerprints. Neither of these seems likely to see “mass market” use among cybercriminals. The sensor has also reignited the debate about the use of biometrics.
FIDO made no official statement, but posted the news article on its website.
“The intention of FIDO is absolutely that it will allow consumers to have access to mobile services that they can use with very low friction, while keeping good security,” said PayPal’s Chief Information Security Officer Michael Barrett, quoted by PC World. “That’s explicitly what we want to build.”
Leaked photographs of various handsets have hinted that equipment makers such as HTC might follow Apple’s lead and add biometric security to their handsets. PC World warned in its report that Android users may see a “format war” of competing biometric standards.
Fingerprints are just one of the new technologies supported by FIDO, an industry-wide consortium (backed by a variety of companies including heavyweights such as BlackBerry and Google) which aims to replace passwords with a secure, industry-supported protocol which is also easy to use.
“The possibility of someone having the same fingerprint as you is about 1 in 6 million,” says FIDO. “If you choose to use your fingerprint reader as your FIDO token, your finger becomes the master key for your credential vault where all your FIDO tokens are stored. Each website or application that uses a FIDO token never gets to see your fingerprint and, better yet, they cannot obtain access unless you allow it.
“Unlike a PIN or Password, fingerprints cannot be guessed. You must be physically present to unlock your credential vault. Fingerprint readers do not store your fingerprint; they create a template during setup that can later be used to match your finger with a very high degree of accuracy. These templates are stored in a secure storage area on the device and cannot be accessed by any other software.”
“There is a far greater likelihood that someone could guess your PIN than it would be for that person to use another fingerprint on your device to access your information.”
FIDO is investigating technologies such as fingerprint scanners, voice and facial recognition, and existing solutions such as Near Field Communication (NFC) and One Time Passwords (OTP), with a view to creating an integrated solution.
“Passwords are running out of steam as an authentication solution. They’re starting to impede the development of the internet itself,” PayPal’s Chief Information Security Officer Michael Barrett said at the Interop Las Vegas IT expo earlier this year. “It’s pretty clear that we can’t fix it with a proprietary approach.”
Mr Barrett pointed to the passwords published online after data breaches in recent years, which show that insecure passwords such as “12345” and “password” remain among the most commonly used.
“Users will pick poor passwords – and then they’ll reuse them everywhere,” says Barrett. “That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the internet.”
Many companies are offering biometric and two-factor solutions to replace and/or augment current password systems – such as the Bionym bracelet, which uses your unique heartbeat pattern as a password.
Stephen Cobb, Security Researcher with ESET, says that we may be on the verge of widespread deployment of biometrics. Cobb says, “Successful implementation of biometrics in a segment leading product could bode well for consumer acceptance.”
“I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago, however, user adoption is very sensitive to performance; in other words the iPhone 5S could advance biometrics, or put a whole lot of people off biometrics.”
Author Rob Waugh, We Live Security