The good and bad of biometrics
IS YOUR MOBILE’S FACIAL RECOGNITION REALLY DOING THE JOB?
We trust so much information to our mobiles that the compromise of one can be truly devastating. And for most of us, all that's protecting that information is a single lock screen.
In Apple devices and more recent Androids, that lock screen does provide real protection. The passcode can't simply be brute-forced, because the phone imposes ever-longer delays after repeated failed attempts and can be set to wipe itself (see 'Unlocking the phone' opposite), while the device's storage is encrypted with a key tied to that passcode, so the data can't be read by bypassing the OS. But many recent devices also offer an additional unlock method: biometrics, such as fingerprint scanners and face recognition.
Just how secure is that biometric lock? This month, we’re going to take a look.
Many current mobile phones let you unlock the phone with your fingerprint. A small scanner takes an image of your fingerprint and compares it to the record it made when you enrolled the finger (the phone keeps a mathematical representation of the print, not the image itself).
Fingerprint readers are, in fact, relatively secure. Apple, for example, says there is only a one in 50,000 chance of a false match with a single enrolled finger, and you get only five attempts before the phone asks for your passcode instead. Five tries at one in 50,000 works out to roughly a one in 10,000 chance for a stranger trying their luck, which is why the passcode behind the biometric still needs to be a strong one.
But they're not foolproof. It is possible to lift a print, make a mould and cast or 3D print a fake fingertip that will fool the scanner, so someone with the know-how who got hold of your fingerprint could make an unlocking tool.
Researchers at New York University and Michigan State University have also recently developed 'MasterPrints', synthetic fingerprints that they claim would match as much as 65% of users. Because a mobile phone's small sensor only captures a partial print, and most phones let you enrol several partial views of each finger, they were able to craft a print that matches features shared by a large proportion of the population. That 65% figure came from simulations against a fingerprint matcher rather than from attacks on real phones, and as far as we know a master print has not made it into the wild.
FACE AND IRIS RECOGNITION
In last year's iPhone X, Apple abandoned fingerprint recognition altogether, replacing it with what it calls 'Face ID'. Facial recognition has been present in Android since version 4.0, which came out way back in late 2011. The security of facial identification systems is trickier than you might think, however: recent implementations are relatively secure, while older versions are barely better than no security at all.
If we look back to older versions of Android, for example, all the system does is use the front camera to take a photo of your face. It then runs the photo through facial recognition software and compares it to a stored photo to see if they match.
The problem with this system is that it can be fooled by holding up a photo of the owner in front of the camera. The software isn't smart enough to distinguish between a real person and a photo of that person. Android 4.1 added a 'liveness check' that asked you to blink, but that too was beaten with a second photo edited to show the eyes closed. That's not the kind of security you can bank on.
However, the iPhone X and recent Samsung Galaxy smartphones (among others) do facial recognition in better ways, and Kaspersky has even rated Apple's system as better than fingerprint scanners. Apple itself puts the chance of a random person's face unlocking Face ID at one in a million, against one in 50,000 for Touch ID, and as with Touch ID you get five attempts before the passcode is demanded.
On the iPhone X, the phone includes an infrared camera, dot projector and flood illuminator in addition to the traditional camera. This lets the phone build a 3D map of your face; when you set it up, you find that you have to rotate your head so that it can map it all around. By default it also checks that your eyes are open and looking at the phone before it unlocks. That 3D map is much harder to spoof than a flat photo. Researchers have claimed to beat it with an elaborate mask built from a detailed 3D scan of the owner's face, but that is far beyond what an opportunistic thief can manage; the more realistic weak spot, which Apple itself acknowledges, is an identical twin or a young sibling whose face is close enough to yours.
On recent Galaxy smartphones, Samsung has added an iris scanner. It is present on the Galaxy S8, Note 8 and subsequent phones, and was also in the older Galaxy Note 7, though that used a less secure technology.
Your irises have patterns that are even more distinctive than your fingerprints. On the Samsung phones, a special near-infrared LED illuminates the eye, revealing texture in the iris that is hard to see under ordinary light (dark irises in particular look almost featureless to a normal camera). A dedicated camera then takes a photo and compares it to a template stored locally on the phone.
The benefit of this method is that a regular photo won't fool the scanner, since it doesn't capture the detail the infrared illumination brings out. It has been shown possible to fool the scanner with a high-resolution photo of the eye taken in night mode on a camera that uses infrared for illumination: in 2017 the Chaos Computer Club beat the Galaxy S8's scanner with such a photo, printed out and with a contact lens laid on top to mimic the curve of a real eye. Those ingredients are much harder to acquire than a face photo, so this is better than older Androids' face recognition, but far from 100% secure.
On Android, it's also up to the device manufacturer to decide how many attempts you get. Some follow Apple's model, others simply impose ever-increasing timeouts after each failed attempt. Some (like Samsung) combine the two: you get timeouts after five failed attempts, but if you keep trying, the phone will eventually lock you out completely. Depending on the phone model, you may also get a last-ditch chance to unlock it using your Google Account.
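To make the three lockout behaviours above concrete, here is an added example (not Apple's, Google's or Samsung's code) that models each as a small state machine and adds a calculator for the chance a stranger gets in on false matches alone. The attempt budgets, the 30-second starting timeout and the 20-failure hard lock are assumed values chosen for illustration, not figures from any vendor's documentation.

```python
"""Models of the biometric lockout policies described above, plus a calculator
for the chance a stranger gets through on false matches alone.

Added example, not Apple's, Google's or Samsung's code. The attempt budgets,
the 30 s starting timeout and the 20-failure hard lock are assumed values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    passcode_after: Optional[int]    # failures before biometrics are refused and the passcode demanded
    timeout_after: Optional[int]     # failures before escalating delays begin
    base_timeout_s: float            # first delay; doubles with every further failure
    hard_lock_after: Optional[int]   # failures before the phone locks out completely


# Assumed policies modelled on the three behaviours described in the text.
APPLE_STYLE = LockoutPolicy(passcode_after=5, timeout_after=None, base_timeout_s=0, hard_lock_after=None)
TIMEOUT_ONLY = LockoutPolicy(passcode_after=None, timeout_after=5, base_timeout_s=30, hard_lock_after=None)
SAMSUNG_STYLE = LockoutPolicy(passcode_after=None, timeout_after=5, base_timeout_s=30, hard_lock_after=20)


@dataclass
class LockState:
    failures: int = 0
    locked_until: float = 0.0
    passcode_required: bool = False
    hard_locked: bool = False


def attempt(policy: LockoutPolicy, state: LockState, now: float, matched: bool) -> str:
    """Apply one biometric attempt at time `now` (seconds) and return the outcome."""
    if state.hard_locked:
        return "hard-locked"
    if state.passcode_required:
        return "passcode-required"
    if now < state.locked_until:
        return "wait"                      # attempt ignored during a timeout
    if matched:
        state.failures = 0
        state.locked_until = 0.0
        return "unlocked"
    state.failures += 1
    if policy.hard_lock_after is not None and state.failures >= policy.hard_lock_after:
        state.hard_locked = True
        return "hard-locked"
    if policy.passcode_after is not None and state.failures >= policy.passcode_after:
        state.passcode_required = True
        return "passcode-required"
    if policy.timeout_after is not None and state.failures >= policy.timeout_after:
        steps = state.failures - policy.timeout_after
        state.locked_until = now + policy.base_timeout_s * (2 ** steps)
        return "timeout"
    return "rejected"


def run(policy: LockoutPolicy, attempts: list) -> list:
    """Feed a list of (time, matched) pairs through a fresh state; return the outcomes."""
    state = LockState()
    return [attempt(policy, state, t, m) for t, m in attempts]


def chance_of_false_accept(far: float, attempts: int, enrolled: int = 1) -> float:
    """Probability that at least one of `attempts` presentations by a stranger matches.

    Treats attempts as independent and each enrolled template as a separate
    chance per attempt: a first-order approximation that is fine for small rates.
    """
    per_attempt = min(1.0, far * enrolled)
    return 1.0 - (1.0 - per_attempt) ** attempts


if __name__ == "__main__":
    # A thief hammering the sensor once a second with a finger that never matches.
    misses = [(t, False) for t in range(8)]
    print("Apple-style :", run(APPLE_STYLE, misses))
    print("Samsung-like:", run(SAMSUNG_STYLE, misses))
    print("1 in 50,000 FAR, 5 tries, 1 finger :", chance_of_false_accept(1 / 50_000, 5))
    print("1 in 50,000 FAR, 5 tries, 5 fingers:", chance_of_false_accept(1 / 50_000, 5, enrolled=5))
```

The point of the `chance_of_false_accept` helper is the one practitioners tend to miss: enrolling five fingers multiplies the per-attempt chance, so the headline one in 50,000 only holds for a single finger, and the attempt budget is what keeps the total risk bounded.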
If it does get locked, then unless the phone is enrolled in a mobile-management service that lets an administrator remotely reset the passcode (such as Google Mobile Management for G Suite), you'll likely have to do a factory reset and then restore the phone from a backup. Typically, you turn off the phone, then hold the volume-down and power buttons together (the exact combination varies by manufacturer) to reach the recovery screen, where you can perform a factory reset. Bear in mind that a reset from recovery wipes the encrypted data rather than unlocking it, and that Factory Reset Protection will then ask for the Google Account that was on the phone before it lets you through setup, so you still need those credentials. Once you're in, you can restore from your Google backup.
We should make a special note about a recent change to iOS devices here. There are specific hardware devices, such as the GrayKey commonly used by law enforcement, that plug into an iPhone's Lightning port and brute-force the passcode. To stop them working, Apple recently added USB Restricted Mode to iOS. It is on by default (the switch is the 'USB Accessories' toggle under Settings > Touch ID & Passcode, or Face ID & Passcode): an hour after the phone was last locked, the Lightning port stops carrying data and will only charge until you unlock the phone. This means a hacker has just one hour from the last lock to crack the phone before the port becomes unusable, although security researchers at Elcomsoft found that connecting an accessory to the port within that hour resets the timer, keeping the port open for as long as something is plugged in before the deadline.
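To show why the researchers' finding matters, here is an added example (not Apple's code, and not a claim about how iOS actually implements the feature) that models the one-hour timer in two variants: one where an accessory connection during the hour pushes the deadline out, as reported, and one where only an unlock does. The attacker's timeline, seizing the phone 30 minutes after it was locked and re-plugging a device every 50 minutes, is constructed for illustration.

```python
"""A model of the USB Restricted Mode timer described above, in two variants.

Added example, not Apple's code; it does not reproduce the real iOS logic,
and the attacker timeline is constructed for illustration.
"""
HOUR = 3600.0


class UsbRestrictedMode:
    def __init__(self, accessory_extends_window: bool):
        self.accessory_extends_window = accessory_extends_window
        self.unlocked = True
        self.data_off_at = None   # moment the port drops to charge-only

    def unlock(self) -> None:
        self.unlocked = True
        self.data_off_at = None

    def lock(self, now: float) -> None:
        self.unlocked = False
        self.data_off_at = now + HOUR

    def data_allowed(self, now: float) -> bool:
        return self.unlocked or now < self.data_off_at

    def connect_accessory(self, now: float) -> bool:
        """Plug something into the port. Returns whether it gets a data connection."""
        if not self.data_allowed(now):
            return False
        if self.accessory_extends_window and not self.unlocked:
            self.data_off_at = now + HOUR   # the weakness: an untrusted action restarts the clock
        return True


def seconds_port_stays_open(mode: UsbRestrictedMode, seized_after: float,
                            reconnect_every: float, horizon: float) -> float:
    """Phone locked at t=0 and seized at `seized_after`; the attacker then
    re-plugs a device every `reconnect_every` seconds. Returns the time at
    which the port first refuses data, or `horizon` if it never does."""
    mode.lock(0.0)
    t = seized_after
    while t <= horizon:
        if not mode.connect_accessory(t):
            return t
        t += reconnect_every
    return horizon


if __name__ == "__main__":
    day = 24 * HOUR
    reported = UsbRestrictedMode(accessory_extends_window=True)
    strict = UsbRestrictedMode(accessory_extends_window=False)
    print("extends-window:", seconds_port_stays_open(reported, 30 * 60, 50 * 60, day) / HOUR, "hours")
    print("strict        :", seconds_port_stays_open(strict, 30 * 60, 50 * 60, day) / HOUR, "hours")
```

In the extends-window variant the port never closes as long as the attacker keeps re-plugging before each deadline; in the strict variant it closes on the first connection after the original hour. The general lesson is that a time-based lockout must be keyed to an action only the legitimate user can perform (here, unlocking), never to one the attacker controls.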
Apple claims that there is only a one-in-50,000 chance of a stranger's finger fooling its fingerprint scanner.
Face recognition debuted on Android with the Galaxy Nexus in late 2011.
Apple’s new Face ID, found in the iPhone X, takes a 3D scan of your face.
Samsung’s iris scanner illuminates the eye with a special light.