Tuesday, January 24, 2017

Business must change: is Apple moving from AuthenTec to another biometric modality? Maybe, maybe not.

(DISCLOSURE: I am employed in the biometric industry.)

At the time, it seemed like a weird purchase to most people. It was 2012, and Apple paid $356 million for a company called AuthenTec. Most of you had never heard of this company, and were wondering what in the heck Apple was thinking. Yes, AuthenTec manufactured fingerprint readers, but who was going to want a fingerprint reader on a phone? Yes, my former employer Motorola had released a mobile device with a fingerprint reader (the MC-75), but that was targeted for a vertical market. Apple was a consumer company. What were the chances that consumers would actually use a fingerprint reader?

Well...higher than we thought.

[Apple tasked] AuthenTec engineers with rethinking fingerprint scanning on mobile. The results were nothing short of amazing: Apple has managed to take competition by surprise by seamlessly integrating the sophisticated Touch ID sensor into the iconic Home button, a far cry from the unreliable solutions that require you to swipe the sensor.

The benefits went all the way back to my industry, biometrics. As people accepted the idea of using fingerprints on their iPhones, and eventually on other mobile phones, they became more accepting of using all types of biometrics in all types of consumer situations.

But by 2016, there had been more and more stories about how the fingerprint security had been defeated. No system is 100% secure, and even when you start incorporating technologies such as "liveness detection" into fingerprint readers, talented computer scientists can find ways to defeat the security.

Or, in one case, a six-year-old:

A 6-year-old girl from Arkansas may have just shown how vulnerable the supposedly secure Touch ID system really is after she was able to use her unwitting mother's smartphone to make several purchases online.

Ashlynd Howell from Little Rock surprised her parents when she was able to place $250 worth of purchases on Amazon earlier this month without their knowledge. The shopping spree was only discovered after the Howells received 13 order confirmations for Pokémon items.

At first, Ashlynd's mother Bethany thought her Amazon account had been hacked, leading to the illegal purchases. However, the mother soon found out that her daughter had scanned her fingerprint while the mother was taking a nap to bypass the Touch ID system on her phone.


Liveness detection would do no good here. Mom was obviously alive, and the finger had not been cut away from her body. And I guess all of us in the industry will start subjecting our technology to six-year-old kid hackers.

But is it necessarily valid to jump to the conclusion that fingerprints are so insecure that they should be scrapped for something else? One TechCrunch writer may be heading down that path.

Will the Touch ID security feature of the iPhone be replaced soon?

A well-known analyst and forecaster of Apple's business moves has raised the possibility of Cupertino revamping its existing biometric and security features in 2017 iPhones.

KGI Securities analyst Ming-Chi Kuo says Apple might explore various new technologies such as better sensors and even a facial recognition system that it can incorporate into the latest installations of the iPhone.


The article goes on to cite the Arkansas story as a possible reason for the switch.

Well, if that's the reason, then you'd better sit down - or lie down. Facial recognition won't pass the six-year-old hacking test unless sleeping mom covers her head so her face can't be seen.

Now perhaps there may be valid reasons for Apple to release a phone without the AuthenTec technology and with a camera-based technology - cost, user acceptance, use cases, and the like. Or alternatively, Apple could implement my personal preference - multimodal biometrics, in which the device is capable of using a variety of biometric authentication methods, either singly or in conjunction. Let's say you wanted to hack Donald Trump's Twitter account, and you had gone through the trouble of duplicating Trump's fingerprints. What if you ALSO had to duplicate his face, his iris features, and his voice to be able to hack into his account? Again, not completely impossible, but much, much harder than just hacking based upon a single biometric.

Or a password.
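
To put numbers on using biometrics "singly or in conjunction", here is an added example (not part of the original post) that computes the combined false accept and false reject rates when a device requires a match on at least k of n modalities. The error rates are constructed for illustration, the names `Modality` and `fused_rates` are hypothetical, and the matchers are assumed to err independently.

```python
# Added example: decision-level fusion of several biometric matchers.
# All error rates below are constructed for illustration, not vendor figures.
from dataclasses import dataclass

@dataclass(frozen=True)
class Modality:
    name: str
    far: float  # false accept rate: impostor wrongly matched
    frr: float  # false reject rate: genuine user wrongly refused

# Constructed sample rates (assumption).
MODALITIES = [
    Modality("fingerprint", far=0.001, frr=0.02),
    Modality("face", far=0.01, frr=0.05),
    Modality("iris", far=0.0001, frr=0.03),
    Modality("voice", far=0.02, frr=0.04),
]

def prob_at_least(k, probs):
    """P(at least k of the independent events with probabilities `probs` occur)."""
    dist = [1.0]  # dist[j] = P(exactly j events among those seen so far)
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1 - p)
            nxt[j + 1] += q * p
        dist = nxt
    return sum(dist[k:])

def fused_rates(modalities, k):
    """Return (FAR, FRR) when access needs a match on at least k modalities."""
    n = len(modalities)
    if not 1 <= k <= n:
        raise ValueError("k must be between 1 and the number of modalities")
    far = prob_at_least(k, [m.far for m in modalities])
    # A genuine user is refused when fewer than k matchers accept,
    # i.e. when at least n - k + 1 matchers falsely reject.
    frr = prob_at_least(n - k + 1, [m.frr for m in modalities])
    return far, frr

if __name__ == "__main__":
    for k in range(1, len(MODALITIES) + 1):
        far, frr = fused_rates(MODALITIES, k)
        print(f"require {k} of {len(MODALITIES)}: FAR={far:.3e}  FRR={frr:.3e}")
```

Raising k drives the false accept rate down and the false reject rate up, which is the usability cost of requiring every modality at once. These rates describe random impostor attempts only; they say nothing about a case like the sleeping parent, where the genuine finger and face are both physically available.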