Biometrics in Mobile Devices

by Faulkner Staff

Docid: 00021079

Publication Date: 2201

Report Type: Tutorial

Preview

As cell phones began to contain more and more of their users’ personal
information and sensitive data, it quickly became clear that a way to secure
these devices from prying eyes was needed. As with most technological security
measures, early efforts were based on PINs and passwords. However, because a
mobile device is typically unlocked many times in a given day, many users soon
wished for a less laborious method of unlocking it. This is when biometric
security entered the mobile world. Not only did biometrics promise a quicker,
easier method of opening a locked device, but they also presented a way to
secure a device that would require its user to be physically present, something
PINs and passwords could not match. The early entrants into this new security
category relied almost entirely on fingerprint recognition. The technology has
since evolved, becoming faster and more accurate while also diversifying to
include other recognition methods such as voice, iris scanning, and facial
recognition. This report takes a look at the currently available biometric
technologies for mobile devices, compares the strength of their security to one
another, and pits them against more traditional security methods like PINs and
passwords.

History

Many people would assume that biometric security in mobile devices began with
one of the current leaders of the smartphone market such as Apple or Samsung.
In fact, the first handsets with built-in fingerprint readers appeared in
2007.1 Toshiba’s Portege G900 and G500 "smart phones" shipped with a
fingerprint sensor that could be used to lock access to the unit’s Windows
Mobile 6.0 operating system. Whether due to the relative obscurity of the
handsets or simply the appetites of the market at the time, fingerprint readers
in mobile devices did not catch on immediately. As with so many product
categories and features, however, fingerprint detection in a smartphone would
go on to flourish once it was given the Apple seal of approval via its
inclusion in an iPhone.

Launched in June 2007, around the time the G900 and G500 were being revealed,
the iPhone would go on to revolutionize the mobile phone world and effectively
create the modern smartphone category. Yet, despite the availability of
biometric technology for mobile devices, it was not until 2013 that Apple
incorporated it into its own. This happened shortly after it acquired AuthenTec
in 2012, a firm that specialized in fingerprint identification hardware and
identity management software.2 When news of the acquisition broke, speculation
immediately began that Apple would build the acquired technology into a future
iPhone. The very next year the company did just that, launching the iPhone 5S
with its first TouchID fingerprint sensor.3 Unlike the somewhat clunky and
obvious fingerprint sensor on the Toshiba phones, the TouchID sensor in the 5S
was built into the device’s home button, allowing users to unlock their handset
by placing a thumb or any other enrolled finger on the unit’s most frequently
used hardware button. The introduction was almost universally praised, despite
some users claiming that the sensor took longer to recognize their fingerprint
than it took them to type a PIN. Following the iPhone 5S, Apple incorporated a
TouchID sensor into every model of iPhone through the iPhone 8 (and revived it
on the 2020 iPhone SE); the iPhone X was the first to drop it. The success of
the biometric technology was encouraging enough that the company expanded the
feature to its iPad line with 2014’s iPad Air 2 and finally to its MacBook Pro
line with the Touch Bar models of 2016.

Apple’s near-exclusivity in having a fingerprint sensor in its primary
smartphone line was not long lived. The feature was soon matched by Samsung
with a fingerprint sensor embedded in the home button of the Galaxy S5,4
opening the floodgates to fingerprint-enabled smartphones from the likes of LG,
Motorola, and HTC. Over the next few years, nearly every major manufacturer
added sensors to their devices. Today, it is unusual to find a smartphone
without a built-in fingerprint reader, unless that technology has been replaced
by a newer biometric option.

Once fingerprint recognition became commonplace, smartphone makers began
exploring other biometric security options. These included methods that have
largely fallen by the wayside, like voice recognition, in addition to more
successful attempts that have the potential to displace the fingerprint as the
security measure of choice in smartphones and tablets. The most well-known and
widely applied of these newer technologies relies on recognizing some aspect of
the user’s face. Whether this is scanning their irises, introduced by Samsung
on the Galaxy Note 7 and carried over to the Galaxy S8 and S8+, or capturing
the user’s whole face in some way, as on the Samsung Galaxy S line, iPhone
models since the X/XR/XS lineup, or recent iPad Pro models, the user’s face is
scanned to unlock the device. Since the user is almost certainly looking at the
device they are attempting to unlock, the method makes sense; it uses
information that is readily available to the handset without any special hand
or body positioning. However, serious questions about the security of such
unlocking methods have plagued face-based biometrics. These will be covered in
more detail below, as will each method of biometric security that can currently
be found in mobile devices.

Currently Available Biometrics in Mobile Devices

This section will examine the currently available types of biometric security
that can be found in mobile devices. It will focus on the nature of each
technology, how secure that technology has turned out to be, and which
manufacturers have offered them.

Figure 1. An Exploded View of Apple’s TouchID Fingerprint Scanner

Source: Apple

Fingerprint Scanning

Fingerprint scanning is still the most widely available biometric
technology being incorporated into mobile devices, despite the availability of alternative measures. There are numerous reasons for
this. First, a person’s fingers are already in contact with their mobile device
during most of its usage time, making it convenient to simply position one of
those digits over a scanner to unlock it. Additionally, the unlock
process can be handled quickly, without even looking at the device. This means
that it
can often be ready to use by the time the owner lays eyes on it.

Although fingerprint scanners in mobile devices are certainly convenient, the
question remains of just how secure they are. To answer that, it is first
important to understand how they function. Fingerprint scanners use one of
several technologies (optical sensors, capacitive scanners, or ultrasonic
scanners) to capture the unique ridge pattern of a finger.5 At enrollment, the
device extracts the distinctive features of that pattern (most commonly the
"minutiae," the points where a ridge ends or splits in two) and stores them as
a template. While that template may be as simple as an image of the print in a
basic optical scanner, it is more often a non-visual map of the finger’s
distinguishing features, and on current phones it is kept in protected hardware
such as Apple’s Secure Enclave or the Trusted Execution Environment of an
Android handset and never leaves the device. Each unlock attempt extracts the
same kind of features from the finger on the sensor and compares them with the
stored template. Because no two presentations of a finger are identical, the
comparison yields a similarity score rather than a yes/no equality test: if the
score clears the vendor’s threshold, the unit is unlocked; if not, it remains
locked.
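
To make the template-and-score idea concrete, here is a toy minutiae matcher
in Python. It is an added example written for this report, not matching code
from Apple, Samsung, or any sensor vendor, and every coordinate in it is
constructed rather than taken from a real finger. A template is a list of
minutiae (position, ridge direction, and whether the point is a ridge ending or
a bifurcation); the matcher aligns the probe to the enrolled template by trying
each pair of same-kind points as the anchor correspondence, counts how many
other minutiae then line up within a position and angle tolerance, and accepts
if that fraction clears a threshold. The 0.5 threshold, the tolerances, and the
simulated sensor noise are all assumptions chosen for the example.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    """One fingerprint feature point: position in pixels, ridge direction in
    degrees, and kind ('end' = ridge ending, 'bif' = bifurcation)."""
    x: float
    y: float
    theta: float
    kind: str


# Constructed enrolled template (not real fingerprint data).
ENROLLED = [
    Minutia(30, 40, 10, "end"), Minutia(55, 70, 95, "bif"),
    Minutia(80, 35, 200, "end"), Minutia(100, 90, 300, "end"),
    Minutia(45, 110, 45, "bif"), Minutia(120, 60, 160, "end"),
    Minutia(70, 130, 250, "bif"), Minutia(20, 80, 330, "end"),
]

# Constructed template from a different finger (an impostor).
OTHER_FINGER = [
    Minutia(25, 30, 120, "bif"), Minutia(60, 55, 20, "end"),
    Minutia(90, 20, 270, "bif"), Minutia(110, 100, 75, "end"),
    Minutia(35, 95, 190, "end"), Minutia(125, 45, 340, "bif"),
    Minutia(65, 125, 140, "end"), Minutia(15, 70, 60, "bif"),
]

ACCEPT_THRESHOLD = 0.5  # assumed for the example; vendors tune this against FAR/FRR


def angle_diff(a, b):
    """Smallest absolute difference between two angles in degrees."""
    return abs((a - b + 180.0) % 360.0 - 180.0)


def transform(m, about, rotate_deg, to):
    """Rotate minutia m by rotate_deg around point 'about', then translate so
    that 'about' lands on 'to'. Maps probe space onto enrolled space."""
    r = math.radians(rotate_deg)
    dx, dy = m.x - about.x, m.y - about.y
    return Minutia(
        to.x + dx * math.cos(r) - dy * math.sin(r),
        to.y + dx * math.sin(r) + dy * math.cos(r),
        (m.theta + rotate_deg) % 360.0,
        m.kind,
    )


def count_pairs(enrolled, probe, dist_tol=10.0, angle_tol=15.0):
    """Greedy one-to-one pairing of minutiae that agree in position, direction and kind."""
    used, pairs = set(), 0
    for e in enrolled:
        for i, p in enumerate(probe):
            if i in used or p.kind != e.kind:
                continue
            if (math.hypot(e.x - p.x, e.y - p.y) <= dist_tol
                    and angle_diff(e.theta, p.theta) <= angle_tol):
                used.add(i)
                pairs += 1
                break
    return pairs


def match_score(enrolled, probe):
    """Try every same-kind (enrolled, probe) pair as the alignment hypothesis and
    return the best fraction of minutiae that pair up under that alignment."""
    best = 0
    for e in enrolled:
        for p in probe:
            if p.kind != e.kind:
                continue
            rot = (e.theta - p.theta + 180.0) % 360.0 - 180.0
            aligned = [transform(q, about=p, rotate_deg=rot, to=e) for q in probe]
            best = max(best, count_pairs(enrolled, aligned))
    return best / max(len(enrolled), len(probe))


def make_probe(template, seed=7):
    """Simulate a fresh capture of the same finger: rotated 8 degrees, shifted
    (6, -4) px, with +-1 px / +-1 degree sensor noise, one minutia missed and
    one spurious minutia picked up. Constructed, not real sensor output."""
    rng = random.Random(seed)
    r = math.radians(8.0)
    probe = []
    for m in template[:-1]:  # the last minutia goes undetected
        x = m.x * math.cos(r) - m.y * math.sin(r) + 6 + rng.uniform(-1, 1)
        y = m.x * math.sin(r) + m.y * math.cos(r) - 4 + rng.uniform(-1, 1)
        probe.append(Minutia(x, y, (m.theta + 8.0 + rng.uniform(-1, 1)) % 360.0, m.kind))
    probe.append(Minutia(140, 20, 60, "bif"))  # spurious detection
    return probe


def verify(enrolled, probe):
    """Return (accepted, score) for a probe against the enrolled template."""
    score = match_score(enrolled, probe)
    return score >= ACCEPT_THRESHOLD, score


if __name__ == "__main__":
    print("same finger :", verify(ENROLLED, make_probe(ENROLLED)))
    print("other finger:", verify(ENROLLED, OTHER_FINGER))
```

Running the block prints the decision and score for a simulated recapture of
the same finger and for a second, unrelated template. The point to take from it
is that the device never compares pictures: it compares extracted features
under a tolerance, so the accept threshold is a dial between false accepts and
false rejects, which is what vendor figures such as "one in 50,000" describe.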

As a security measure, fingerprint scanners are among the best available in a
mobile device, though no method on this list has been shown to be unbeatable.
How difficult is it to circumvent them and gain access to a private device? In
the case of fingerprint scanners, that depends largely on the type of scanner
standing in the attacker’s way. The oldest of the three scanning technologies
mentioned above, the optical sensor, is also the weakest by most accounts
because it works from a picture: it detects the light and dark regions within
an image of the finger to discern the ridge pattern. Less secure optical
scanners can be fooled with something as simple as a black-and-white printout
of the authorized user’s fingerprint.6 Given the availability of
high-resolution photos, an attacker could even pull a photo off the Web in
which the owner’s fingertips are visible, extract the print, do some slight
editing, and have a tool to gain access to that person’s device. Because of
this weakness, optical scanners have largely been replaced by capacitive
devices. However, even these are not foolproof.

A capacitive scanner does not take a picture at all. Its surface is an array of
microscopic capacitor plates; where a ridge of skin touches the surface it
forms a capacitor with the plate beneath, while the air gap under a valley
yields a measurably smaller capacitance.7 Reading every plate in the array
therefore produces a map of ridges and valleys that can be compared to the
template on file. While this may seem harder to circumvent than a simple
optical scan, it has very nearly the same weakness as an optical sensor thanks
to conductive ink. This ink, typically used for printing paper-thin circuits,
has been shown to fool capacitive fingerprint scanners when a fingerprint image
is printed with it, because the printed ridges mimic the conductivity of
skin.8 While the materials necessary for this attack may be rarer than those
needed to beat an optical sensor, they are far from unobtainable and can be
readily acquired by a sufficiently motivated adversary.

To counter such attacks, manufacturers have developed "liveness" checks that
try to detect fraudulent attempts to replicate a user’s fingerprint. These tend
to focus on some variation of confirming that living flesh is pressed to the
sensor, typically via thermal, electrical, or optical detection. Unfortunately,
even these additional measures have been thwarted by clever individuals using
gelatin or rubber molds of the authorized user’s fingerprint worn over their
own digits.9 The result is a phony finger that has all of the physical
characteristics of the real thing, at least as far as the fingerprint scanner
is concerned.

All of these methods of circumventing a device’s security may give the impression that
fingerprint scanners are essentially useless. However,
that is very far from the truth. When noting the flaws
in the application of fingerprint scanning as the biometric security measure of
choice, the difficulty involved in obtaining the necessary data and materials
needed to pull off any of the aforementioned hacks must be taken into account. If a
malicious party chose to attempt a hack into the smartphone of a world leader
or famous celebrity, the necessary motivation to apply all of the needed
technology and skills might exist. However, the average person is very, very
unlikely to elicit the type of interest that would be required to pull off a
hack of this nature. As with most security measures, fingerprint scanners are
more of a deterrent than an impenetrable wall. For most, this combination of convenience and "good-enough" security is a winning combo.
Because of this, nearly every major mobile device maker in the world has
incorporated fingerprint scanning into their units.

Figure 2. Samsung’s Iris Scanning Technology in Use

Source: Samsung

Iris Scanning

At the hardware level, iris scanning is an optical technique like the weakest
form of fingerprint scanning: a camera, usually paired with near-infrared
illumination so that the texture shows up even in dark irises, captures an
image of the eye. What is stored and compared, however, is not the picture but
a compact code derived from that texture; at each unlock attempt a fresh code
is computed from the new image and compared with the enrolled one, with a small
allowance for the eye having rotated between captures. Due to the unique
anatomy of each human iris, the possibility of two users being mistaken for the
same individual by a sensor of this type is minuscule. Unlike the relatively
weak security provided by optical fingerprint scanning, iris scanning promises
a more robust obstacle to would-be hackers thanks to the much larger number of
independent data points that determine whether the scanned iris belongs to an
authorized user.10 Tests have shown that a database of over two million
different individuals resulted in no cross-matching errors, meaning that none
of the two million people would be able to access the iris-secured device of
any other.11
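
The comparison step, reduced to its essentials, as an added Python example for
this report (it is not Samsung’s or any vendor’s implementation). The bit
strings stand in for the iris code that a real system extracts from the
infrared image; here they are generated pseudo-randomly, which is a constructed
stand-in, not iris data. The example computes the fractional Hamming distance
between two codes over the bits that both masks mark as visible (a mask hides
the part of the iris covered by an eyelid or eyelash), tries a few circular
shifts to absorb eye rotation, and decides on a threshold of 0.32, which is an
assumed operating point.

```python
import random

CODE_BITS = 256           # toy size; real iris codes are a few thousand bits
MAX_SHIFT = 4             # rotation tolerance, in bit positions, tried on each comparison
DECISION_THRESHOLD = 0.32  # assumed operating point for this example


def make_code(seed):
    """Constructed pseudo-random iris code and an all-visible mask (not real iris data).
    Mask bit 1 = texture visible at that position, 0 = hidden by eyelid or eyelash."""
    rng = random.Random(seed)
    code = [rng.randrange(2) for _ in range(CODE_BITS)]
    return code, [1] * CODE_BITS


def occlude(mask, start, length):
    """Mark a run of positions as unusable, e.g. an eyelid covering part of the iris."""
    out = list(mask)
    for i in range(start, start + length):
        out[i % len(out)] = 0
    return out


def rotate(bits, shift):
    """Circularly shift a bit list; models the eye rotating between captures."""
    shift %= len(bits)
    return bits[shift:] + bits[:shift]


def recapture(code, mask, rotation, flips, seed):
    """Simulate a second capture of the same iris: rotated by a few positions and
    with a handful of bits flipped by noise. Constructed, not sensor output."""
    rng = random.Random(seed)
    c, m = rotate(code, rotation), rotate(mask, rotation)
    for i in rng.sample(range(len(c)), flips):
        c[i] ^= 1
    return c, m


def hamming_distance(code_a, mask_a, code_b, mask_b, max_shift=MAX_SHIFT):
    """Fractional Hamming distance over bits valid in both masks, minimised over
    small rotations of the second code. 0 = identical, about 0.5 = unrelated irises."""
    best = 1.0
    for s in range(-max_shift, max_shift + 1):
        cb, mb = rotate(code_b, s), rotate(mask_b, s)
        valid = [i for i in range(len(code_a)) if mask_a[i] and mb[i]]
        if not valid:
            continue
        disagree = sum(1 for i in valid if code_a[i] != cb[i])
        best = min(best, disagree / len(valid))
    return best


def same_iris(distance):
    """Match decision: distances below the threshold are treated as the same eye."""
    return distance < DECISION_THRESHOLD


def demo():
    """Compare an enrolled code with a noisy recapture of the same eye and with a stranger."""
    enrolled, enrolled_mask = make_code(seed=1)
    enrolled_mask = occlude(enrolled_mask, 0, 24)      # upper eyelid at enrollment
    probe, probe_mask = recapture(enrolled, enrolled_mask, rotation=2, flips=13, seed=2)
    probe_mask = occlude(probe_mask, 120, 16)          # different occlusion this time
    stranger, stranger_mask = make_code(seed=3)
    return {
        "same_eye": hamming_distance(enrolled, enrolled_mask, probe, probe_mask),
        "different_eye": hamming_distance(enrolled, enrolled_mask, stranger, stranger_mask),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: HD={d:.3f} -> {'match' if same_iris(d) else 'no match'}")
```

Two things in this toy carry over to the real system. Unrelated irises land
near a distance of 0.5 because their bits disagree about half the time, which
is why a modest threshold separates genuine from impostor comparisons so
cleanly across millions of people, and the mask is what keeps eyelids and
eyelashes from inflating the distance for a legitimate user.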

That said, iris scanning, like fingerprint scanning, has been found to be
susceptible to clever hackers equipped with just a few readily available tools.
The most famous hack of this type was perpetrated by the German
white hat hacking group Chaos Computer Club (CCC). These security researchers
were able to fool an iris scanner installed in Samsung’s Galaxy S8 smartphone
by printing out a very high resolution image of an authorized user on a laser
printer.12 The image, which was taken using an infrared camera, was
then overlaid with a contact lens to mimic the curvature of an actual human eye,
and was held up to the device’s front-facing camera to be scanned. The result
was an unlocked device. While the tools employed here are entirely
run-of-the-mill, the image required to pull off such an attack may still be
difficult to obtain. The CCC reported that the photo was taken with a
high-resolution, infrared-capable camera from up to about 5 meters (16 feet)
away, close enough to capture the necessary detail in the user’s eye. This puts
most images found on the public Web out of the running as a source. However,
given the prevalence of high-resolution photographs of celebrities and public
figures, it is not outside the realm of possibility that a readily available
photo of a high-profile target exists that could be used to circumvent an iris
scanner guarding one of their devices.

Making matters worse is the fact that, like a user’s fingerprints, a person’s
irises do not change over time. This is useful for long-term security: the
person, regardless of memory or recall, will continue to be able to access
secured technology. It is much less useful once their biometric data has been
captured. Once an attacker has a workable copy of a user’s iris or fingerprint,
the genie is out of the bottle and cannot be put back; any future device
secured with the same biometric is vulnerable to the same attack, and the user
cannot enroll a new iris the way they would pick a new PIN. Thankfully,
obtaining such a copy and bypassing either of these systems in the first place
remains unlikely for most users. Once again, iris scanning, like fingerprint
scanning, is meant to be a deterrent, not an absolute obstacle. It sets the
difficulty of circumvention high enough that the attempt is not worth it for
most hackers and thieves against any but the most high-profile targets.

Figure 3. The Original Galaxy Nexus Face Scanning Interface

Source: MIT Technology Review

Face Scanning

Face scanning is nothing new. In fact, it’s been available to Android devices
since 2011, having been introduced with the Galaxy Nexus smartphone.13
On a basic level, the original form of this technology functioned by capturing
an image of the user’s face, and comparing it to a stored photo of the
authorized user’s face. However, the actual process of comparison is much more
complicated. Since machines cannot perceive resemblance in the organic way that
humans can, various metrics must be compared in order to determine if the two
photos are actually the same person. These metrics include the
spacing and distribution of facial features, the shape of the user’s face, the
color of their skin, and other easily detectable aspects of their appearance.
Unfortunately, the technology got off to a rough start when an early
demonstration of the Galaxy Nexus failed to unlock for its authorized user while
doing an on-stage demonstration.14 Despite this, several companies
soldiered on with the technology, incorporating it into their devices right up
to today.

One of the biggest proponents of face scanning biometrics has been Samsung.
The company’s Galaxy S and Galaxy Note lines have offered face scanning as a
method of unlocking their devices for many years. However, even Samsung itself
is forced to admit that this method is not nearly as secure as a PIN/password
or either of the aforementioned biometric methods. This is because the method
relies entirely on a 2D image from the front camera, which makes it one of the
easiest to fool with a photo of the user. Additionally, it is the most prone to
failure due to minor changes in appearance. While a person’s fingerprint and
iris will in all likelihood remain unchanged throughout their lives, the
appearance of their face can change on an almost daily basis. Something as
simple as applying makeup or wearing eyeglasses can render traditional
face-scanning technology useless. Why, then, was this ever considered a viable
option for unlocking a mobile device? The answer is quite simple: speed. Face
unlock reached almost instant unlocking years before fingerprint or iris
scanners did. To this day, it remains one of the fastest options, but it is
still not recommended for anyone with security concerns. Within a single
article, The Verge called it both "less secure than any other method" of
locking a smartphone and the "least reliable way to unlock" the device being
tested, hardly a vote of confidence in the technology.15

Figure 4. A Promotional Image of Apple’s FaceID Scanning its User

Source: Apple

Apple then took the relatively unreliable technology of face scanning and
applied its own hardware and software to it. The result was FaceID, a new type
of face scanning technology that debuted with the iPhone X in 2017. FaceID
works by projecting more than 30,000 invisible infrared dots onto the user’s
face and reading them back with an infrared camera to build a three-dimensional
map of his or her facial structure.16 Unlike traditional face scanning, FaceID
does not rely on a 2D image of the user, nor on visible light. These
differences remove many of the weaknesses of traditional face scanning, such as
being fooled by a flat photograph or defeated by changing light levels. They
also make FaceID more reliable in practice: because it produces essentially all
of the light it needs to scan the user’s face, it functions in almost total
darkness.

The technology behind FaceID is not particularly new; structured-light depth
sensing of the same kind was used in devices as high profile as Microsoft’s
Kinect motion controller. However, this was the first time such technology had
been applied to facial recognition for biometric security in a phone. Apple
claims that the probability of a random person unlocking a FaceID device is
roughly one in one million, far better than the one in 50,000 it claims for
TouchID, though not quite the error-free result reported for the
two-million-person iris trial cited above.17

Further bolstering FaceID are ancillary features such as machine learning and
attention awareness. The first allows the device to tolerate changes to the
user’s appearance within certain constraints: according to Apple, putting on
glasses, wearing makeup, or growing a beard should not interfere with the
correct operation of FaceID. Meanwhile, attention awareness requires the user’s
eyes to be open and looking at the device’s screen before it will unlock. This
prevents both erroneous unlocks and the possibility of a thief quickly aiming a
stolen device at a sleeping or distracted user’s face to unlock it.

Unfortunately, like every security method on this list, FaceID appears to
have ways in which it can be circumvented. The simplest, and perhaps most predictable,
is using an individual who very closely resembles the authorized user. While
this is an almost impossible task when attempting to find a doppelganger among
the general public, it becomes much easier when the perpetrator is a
member of the user’s immediate family or has access to a member of that family.
While identical twins would be the obvious case, multiple reports have
indicated that a 10-year-old boy was able to unlock his mother’s smartphone due
to their strong resemblance.18 Although most users are likely far less worried
about an immediate family member gaining unauthorized access to their
smartphone than they are about strangers intruding on their privacy, this
potential flaw still presents a serious concern. After all, many parents lock
their devices in order to prevent their children from making unauthorized
purchases or gaining access to personal or sensitive material. If a family
resemblance can defeat FaceID as a protection for a device, then it won’t be
much use in a wide variety of cases. Thankfully, this seems to have been a
relatively isolated incident, with little in the way of corroborating reports
emerging since.

What may be a more pressing concern for high-profile users of the iPhone is the possibility that a hacker will go through the trouble of
duplicating their face in order to access a stolen device. While this is, by
far, the most complex of the methods of circumventing biometric security mentioned in this report, it is, nonetheless, still possible with adequate
resources and motivation. The way to do it was best demonstrated by a Vietnamese
security firm named Bkav. The company managed to fool the iPhone X’s FaceID
technology by creating a highly accurate 3D print of an authorized user’s face.
This was then overlaid with a 2D printout of the user’s eyes as they appear in
the infrared spectrum.19 The resulting mask was able to unlock the
device even with the aforementioned attention awareness feature enabled.
Thankfully, the chance of this attack being carried out by anything short of a
special forces strike team or shadowy government agency is remote. Not only
would it require the attacker to obtain a high-resolution infrared image of the
user’s eyes, but it would also require a detailed 3D scan of the user’s face
and a 3D printer capable of replicating it. Scans of that quality take time to
produce and, in practice, require the cooperation of the person being scanned,
who must remain still within a very obvious scanning array. It is unlikely
that anyone short of a world leader or high-ranking intelligence official need
concern themselves with an attack of this type.

Biometric Options vs PIN/Password

How do biometric security measures compare overall to the oldest method of
securing a mobile device, a PIN or password? One point should be made first:
on both iOS and Android, the biometric is an alternative to the passcode rather
than a replacement for it. The passcode stays enrolled, is demanded again after
a restart, after a period of disuse, or after a run of failed biometric
matches, and can always be typed instead of presenting a finger or face. A weak
passcode therefore undermines any biometric layered on top of it. With that in
mind, the best way to compare the two is by weighing the strengths and
weaknesses of the biometric methods against their older, text-based
counterparts. This comparison can be found below.

PIN/Password Security

Strengths

  • Customizability – PINs and passwords can be customized to be as secure
    as the user needs or as insecure as they can stand, since the length,
    complexity, and diversity of the characters required by the mobile
    device’s operating system can be changed. Someone with relatively little
    concern for the contents of their device could choose a four-digit PIN as
    their sole protection method. A four-digit PIN has only 10,000 possible
    values (0000 through 9999), so it could in principle be guessed in at most
    10,000 tries. What makes it tolerable for the average private user is that
    iOS and Android throttle failed attempts with escalating delays, and can
    be set to erase the device after a run of failures, so exhausting even
    that small keyspace through the lock screen takes days rather than
    minutes. Meanwhile, a high-ranking executive with corporate data on their
    device could instead opt for an alphanumeric password including upper-
    and lower-case letters, numbers, and special symbols. An eight-character
    password drawn from the roughly 94 printable ASCII characters already has
    about 6 × 10^15 possibilities, far beyond what can be tried through a
    throttled lock screen in any useful time.
  • Changeability – One of the best ways to ensure that a device
    remains secure is the option to change the access method on a regular basis.
    This is a simple and easy task when using a PIN or password, with
    essentially all modern mobile operating systems making it possible to alter
    their access codes with just a few taps.
  • Ease of Setup – Where it may take several minutes of moving ones finger,
    eyes, or face over a given sensor to set up a biometric solution, PINs and
    passwords can typically be set up within seconds by simply inputting the
    desired passcode. This is especially important for business environments,
    where IT departments are frequently required to set up hundreds or even
    thousands of devices for individual users one at a time. The simpler the
    setup process, the less likely the end user will need significant support
    during the task.
  • Post-Mortem Accessibility – While it may be a grim thought, it is nonetheless worth considering what will happen to one’s mobile device after they
    have died. This includes government officials in
    hostile areas, as well as any individual that carries a device storing
    sensitive data that is restricted by some governmental compliance standard,
    such as HIPAA. Where a biometric security method may be thwarted if the
    hacker has access to the deceased’s remains, a PIN or password will, in a
    very real way, be taken to the grave with the user. Conversely, if a user
    wishes a certain individual to have access to their device after they have
    passed away, he or she can share a PIN or password with them in order to
    ensure that access. Biometric methods, on the other hand, may or
    may not be accessible after the user’s death, depending on if a PIN/password
    can be substituted to unlock the device.
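
The arithmetic behind the Customizability point, as an added Python example
written for this report rather than taken from it. The throttling schedule is a
deliberate simplification (a few free attempts, then a fixed delay per attempt)
and is labelled as such in the code; it is not any vendor’s exact schedule. The
weak-PIN checks are the usual heuristics for the choices people actually make,
the human predictability that the "Unguessable" discussion later in this report
returns to.

```python
def keyspace(length, alphabet_size):
    """Number of distinct codes of the given length over an alphabet of that size."""
    return alphabet_size ** length


def seconds_to_exhaust(space, free_attempts=5, delay_seconds=60):
    """Worst-case time to try every code through a throttled lock screen.
    Simplified model, not any vendor's schedule: the first few attempts are
    free and every later attempt costs a fixed delay."""
    throttled = max(0, space - free_attempts)
    return throttled * delay_seconds


def days_to_exhaust(space, free_attempts=5, delay_seconds=60):
    """Same as seconds_to_exhaust, expressed in days."""
    return seconds_to_exhaust(space, free_attempts, delay_seconds) / 86400


def weak_pin_reasons(pin):
    """Heuristics for the PINs people actually pick. Returns a list of reasons
    the PIN is predictable; an empty list means none of the checks fired."""
    if not pin.isdigit():
        raise ValueError("PIN must be digits only")
    reasons = []
    digits = [int(c) for c in pin]

    # Repeated block: 0000, 1212, 123123 ...
    for block in range(1, len(pin) // 2 + 1):
        if len(pin) % block == 0 and pin == pin[:block] * (len(pin) // block):
            reasons.append("all digits identical" if block == 1
                           else f"repeats a {block}-digit block")
            break

    # Keypad walk: 1234, 4321, 0123 ...
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if len(pin) >= 3 and steps in ({1}, {-1}):
        reasons.append("ascending or descending sequence")

    # Four-digit PINs that are really a year or a birthday.
    if len(pin) == 4:
        if 1900 <= int(pin) <= 2030:
            reasons.append("looks like a year")
        mm, dd = int(pin[:2]), int(pin[2:])
        if 1 <= mm <= 12 and 1 <= dd <= 31:
            reasons.append("looks like a date (MMDD)")
        if 1 <= dd <= 12 and 1 <= mm <= 31:
            reasons.append("looks like a date (DDMM)")
    return reasons


if __name__ == "__main__":
    four_digit = keyspace(4, 10)
    eight_char = keyspace(8, 94)
    print(f"4-digit PIN: {four_digit:,} codes, "
          f"{days_to_exhaust(four_digit):.1f} days to exhaust under the toy throttle")
    print(f"8-char password: {eight_char:,} codes")
    for pin in ("1234", "0000", "1987", "0711", "7391"):
        print(pin, weak_pin_reasons(pin) or "no obvious pattern")
```

The keyspace numbers are the ceiling; the weak-PIN checks show why the real
search space is far smaller for most people, since an attacker with physical
access will try the handful of patterns above long before resorting to a
sequential sweep, and a lock screen that wipes after ten failures makes that
handful the whole attack.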

Weaknesses

  • Visual Acquisition – This is simply a fancy way of saying that someone can
    look over your shoulder while you type your passcode ("shoulder surfing")
    and steal it. The fact that most mobile devices are frequently used in
    public makes this a real concern. A thief aiming to steal a user’s device
    can simply hang around the intended victim for a while, hoping that he or
    she unlocks the device somewhere the PIN or password can be seen. Shorter
    PINs are especially prone to this, since it is typically easy to see which
    numbers are being entered. Once the passcode has been obtained, the thief
    can snatch the device and enter it, gaining full access to the smartphone
    or tablet and completely bypassing any additional security measures. It is
    far harder for a thief to snatch a device and later access it with the
    owner’s biometric data, since that requires one of the spoofing techniques
    described earlier in this report.
  • Forgetfulness – This is an issue with PINs and passwords that has
    existed far longer than mobile devices themselves. Simply put, human beings
    can be forgetful. This is becoming more and more of an issue as people are
    expected to remember an increasingly large number of passwords for their
    various accounts and devices. Unfortunately, this makes it very easy to
    become locked out of a mobile device, even for the
    legitimate owner. While most mobile operating systems feature some way to
    wipe the device and replace all data with a backup, this raises the
    potential for data loss, interruptions to communications, and other major
    inconveniences. Biometric security methods, on the other hand, rely on the
    user’s physical form to access the device, meaning the access method will
    always be available to them no matter how absent-minded they become.
  • Data Breaches – Passwords stored by online services are, like any data of
    this nature, exposed when those services are breached, and a passcode that
    is reused between a device and an online account is exposed with them.
    Device passcodes themselves are not normally stored off the device: on
    current phones the passcode is verified inside protected hardware (Apple’s
    Secure Enclave, or the Trusted Execution Environment on Android), and the
    same hardware holds the biometric template, which is designed never to
    leave it or reach the vendor’s servers. Even if a copy of a user’s
    biometric data were obtained from some other database, it would be of
    limited use to an attacker, as there is no way to type it in: while a
    breached passcode can simply be entered on the device it is registered to,
    biometric data must be presented to the sensor in the physical form it
    corresponds to, through one of the spoofs described earlier. Injecting a
    stolen template directly into the hardware that holds it would mean
    compromising that secure hardware itself, a very different class of attack
    from typing a stolen passcode.

Biometric Security

Strengths

  • Set It and Forget It – Biometric security’s primary draw is the fact
    that it does not require any thought on the user’s part. This removes the
    need for both coming up with a hard-to-guess password (covered in more
    detail below), and the need to remember that password or PIN once it has
    been set. Realistically, PINs and passwords have almost certainly done far
    more to keep users out of their own devices than they have to keep out
    malicious third parties. While some form of security is a necessary evil for
    most, the biometric variety provides users with a way of knowing they will
    always have access to their device with no thought involved.
  • "Unguessable" – No matter how clever or complex a password or PIN is,
    there is always at least a microscopic chance that it can be guessed by an
    unauthorized third party. This is often much easier than most people
    believe due to human predictability. Familiar dates and names, favorite
    sports teams, and commonly used words all provide clues to a hacker that
    can be used in cracking a passcode. While users are continually admonished
    to avoid these easily predicted password components, they nonetheless
    continue to use them, as evidenced by the yearly reports on the most
    common passwords turning up in that year’s batch of data breaches.
    Biometric security, by contrast, cannot be guessed in this sense: no
    matter how clever the hacker, there is no way to brute force a fingerprint
    or iris pattern through the lock screen, which falls back to the passcode
    after only a handful of failed biometric attempts. The closest equivalent
    is the vendor’s false-acceptance figure (for example, Apple’s one in
    50,000 for TouchID and one in one million for FaceID), which expresses the
    residual chance that a random stranger’s finger or face happens to match.
  • Nearly un-breachable – Building on the weakness of PIN/password security
    mentioned above, this refers to the fact that stolen biometric data is
    essentially useless to the thief. This is because, even if a perfect digital
    image of a user’s fingerprint, iris, or face is obtained, it must still be
    presented to the device in question in the form of whatever body part it was
    captured from. Without an actual thumb to use that thumbprint, it won’t do a
    hacker any good. It must be said that this report does include several
    exceptions to this point. However, all of those scenarios require a complex
    set of actions taken by a skilled forger to occur before they can result in
    an unlocked device. Conversely, a stolen PIN or password need only be typed
    in once to nullify all security measures entirely.
  • Speed – Thanks to advancements in scanning technology, biometric
    unlocking of mobile devices is now almost universally faster than all
    PIN/password options. Most fingerprint readers are able to unlock a device
    in less than half a second, while iris-based and face scanning options come
    in with similar timeframes. The number of times per day the average user
    checks their phone continues to grow. Because of this, it is more important
    than ever that whatever security measure a user chooses to lock their device
    does not impede that instant access each time the device is removed from a
    pocket or bag.

Weaknesses

  • Once It’s Cracked, It’s Cracked Forever – Several times this report has
    mentioned just how difficult it is to produce a physical replica of a person’s
    fingerprint, eye, or face. However, it is not impossible. This means that,
    should anyone ever put in the time and resources it takes to create such a
    duplicate, the victim of this duplication would essentially lose the ability
    to use that form of biometric security for the rest of their life. For
    example, a celebrity is captured giving a thumbs-up in an extremely
    high-resolution photo. A determined hacker then takes the photo, edits it,
    and prints it out using the conductive ink method mentioned above. That
    hacker would then have a perfect copy, at least as far as modern fingerprint
    sensors are concerned, of that celebrity’s thumb. This means that any future
    secured device or service for which that celebrity uses their thumbprint can
    also be accessed by that hacker or anyone he or she chooses to share the
    thumbprint with. While this scenario is, admittedly, a bit far-fetched, it
    illustrates the fact that once a person’s biometric data is well and truly
    stolen, it can never truly be used securely again. Whereas a PIN or password
    can be changed on a monthly basis, fingerprints, faces, and eyes cannot.
  • Susceptibility to Environmental Conditions – Short of having one’s hands
    full or being tied up, there are no likely scenarios in which it becomes
    impossible for a user to enter a PIN or password to access their device.
    However, there are several scenarios in which the environment around the
    person makes it impossible or extremely difficult to access a device
    equipped with biometric security. The most common of these is the plight of
    users who lock their devices using their fingerprints and then need to
    unlock them in cold weather. If that user is wearing gloves, as they likely
    are, then the gloves will have to be removed in order to unlock the handset.
    Similarly, a user of face unlock will have difficulty unlocking their phone or
    tablet if they are in complete darkness, or even just the wrong kind of
    light, depending on the device. While Apple has managed to avoid this
    weakness somewhat with its Face ID sensors, even they can be affected by
    bright reflections from glasses or shadows cast on the user’s face.
  • Remote Access – While a password or PIN can be shared by simply texting
    or calling anyone with access to a mobile device that needs unlocking, the
    same cannot be said for biometric security. For example, if a person leaves
    his or her phone at home, but needs something they have stored on it, they
    can call home to a relative, give them their password, and have them unlock
    the device. If, however, that device is secured by biometric security, they
    cannot send their fingerprint to that same relative so easily. It must be
    said that any device which also offers a secondary unlock method in the form
    of a PIN or password can still be unlocked via this method. However, for
    those offering solely biometric means, it can be a true weakness.
  • Obscured Features – This factor has come into play more often
    recently, and can impact both fingerprint and face-scanning technology. It
    refers to any condition that obscures the portion of the anatomy that is
    required for a successful unlock. In the case of fingerprint scanning, this
    can occur any time it is cold enough outside that the user is wearing
    gloves. While this is hardly a new reality, it can be bothersome
    nonetheless. A more recent issue has also arisen due to the ongoing COVID-19
    global pandemic. The face masks that have become prevalent in an effort to
    reduce viral spread tend to interfere with nearly all face-based unlocking
    technologies. A study by the US Commerce Department’s National Institute of
    Standards and Technology (NIST) found that masked images raise even the best
    facial recognition systems’ failure rate from an average of 0.3 percent to
    about 5 percent, while many otherwise competent algorithms failed between 20
    and 50 percent of the time in identifying masked users.20

Summary

[return to top of this report]

At the end of the day, the choice of which security method to use on one’s
mobile device comes down to a tug-of-war between two factors: convenience and
security. On one end of the spectrum, we have a complete lack of security. This
refers to an entirely unsecured device which can be unlocked by anyone swiping
or tapping the screen. While it is extremely convenient due to the complete lack
of any obstacle keeping the user from his or her mobile device, it is also
entirely insecure, with nothing to prevent literally anyone from enjoying the
same level of access as the primary user. Still, this may be the best scenario
for some. A young child, for instance, doesn’t really have need for personal
privacy on the smartphone their parents have given them in case of emergency,
whereas quick access to the contents of that phone could be vital to any adult
caretakers in the child’s vicinity. For this user, no security may be the best
option.

On the other end of this spectrum is the user with everything to lose if
their unsecured device were obtained by a malicious third party. For this user,
multiple types of authentication employed at once may be the best option. Some
operating systems support requiring both a biometric marker and
a PIN/password before they will unlock the device on which they are installed.
While the five or six seconds it takes for a device owner to input this data each
and every time they want to use their smartphone may seem like an arduous
obstacle to some, it will seem like a necessary evil to a high-ranking
pharmaceutical exec, or a doctor, either of whom could be in deep trouble if
their patients’ sensitive personal info were to be accessed by unauthorized third
parties.

Hopefully this report has given readers the tools to examine each of the
available security methods, and to choose which is right for them based on their
own needs for security, convenience, and ease of use. The right security method
for each user is the one that strikes the ideal balance between all three.
However, it is up to each individual to decide exactly where that balance point
lies.


References

[return to top of this report]
