So whoopie-do, the new iPhone has a fingerprint reader to unlock the phone as a market differentiator, and to open new authentication applications and developer opportunities – assuming Apple opens up the appropriate APIs. This is based on the technology Apple bought last year when it acquired AuthenTec, which has encryption technology, fingerprint sensors and identity management software.

And already, hackers, taking a cue from 1970s spy movies, managed to fool the reader using the simplest of techniques: they lifted a registered fingerprint from a drinking glass, presented it to the reader, and voila! You’re in! (BTW, whatever happened to the requirement that it be a “live” finger?)

I’ve long been skeptical of biometrics because of their False Acquisition and False Rejection Rates (FAR/FRR), but the technology is improving. For example, instead of typing texts or email on my phone, I use voice-to-text with reasonably accurate results. Usually. Mobile systems such as the iPhone’s Siri are cloud enabled, using the heavy-duty computing power of the data center in the sky. PC-based systems such as Dragon voice-to-text have been used for quite a few years, also with mixed results.

It’s an open question whether smudgy, biometric-enabled iPhones, or any fingerprint system that is abused or challenged, will do the job expected of it 100 percent of the time. Some people don’t have fingerprints that register. We’ve long seen biometric systems installed for data center access control, but they’ve often fallen into disuse. And there are those times when the system just doesn’t work as advertised: at a trade show I offered my hand to a palm print biometric identification system, and it simply refused to recognize me after registration. Not very impressive.

Last year, the president and founder of a multi-factor out-of-band authentication company came to the company where I worked to demonstrate his pride-and-joy solutions. Most of the products and services he showed use SMS texting and other messaging to a pre-registered cell phone for out-of-band authentication. That went fine. Then came a test of the voice biometrics option. The CEO first enrolled his voiceprint and then demonstrated how it worked for accessing a bank account. Then he made a mistake: he challenged the other analysts in the briefing to try to break into the bank account using their own voices. I worked in radio and have an ear for regional accents. I asked a colleague from Chicago to try it, since the CEO came from the Windy City and had a distinctive accent. First try: failed. Second try: IN! The Chicago-accented analyst fooled the voice biometric!

Now it’s likely that the system’s sensitivity was tuned low to account for noisy environments, poor-quality cell phone microphones and other factors, but the episode fed my skepticism about biometrics.

There will always be exceptional cases, but these experiences and observations underscore the need for backup systems on critical biometric authentication functions. You don’t want to bet on any one system working all of the time. Always include a backup. And the backup of choice for all but the most sensitive access applications turns out to be the good old UserID and a creative password.

Security mechanisms are not foolproof, and that’s why a layered approach, AKA “security in depth,” remains necessary in access control just as in every other area of defense.
