Fingers handy but not foolproof
It sounds like a great idea: Forget passwords, and instead lock your phone or computer with your fingerprint.
It’s a convenient form of security – though it’s also perhaps not as safe as you’d think.
In their rush to do away with problematic passwords, Apple, Microsoft and other tech companies are nudging consumers to use their own fingerprints, faces and eyes as digital keys.
Smartphones and other devices increasingly feature scanners that can verify your identity via these ‘‘biometric’' signatures in order to unlock a gadget, sign into web accounts and authorise electronic payments.
But there are drawbacks: Hackers could still steal your fingerprint – or its digital representation. Police may have broader legal powers to make you unlock your phone. And so-called ‘‘biometric’' systems are so convenient they could lull users into a false sense of security.
‘‘We may expect too much from biometrics. No security systems are perfect,’' said Anil Jain, a computer science professor at Michigan State University who helped police unlock a smartphone by using a digitally enhanced ink copy of the owner’s fingerprints.
Biometric security seems like a natural solution to well-known problems with passwords.
Far too many people choose weak and easily-guessed passwords like ‘‘123456’' or ‘‘password’’.
Many others reuse a single password across online accounts, all of which could be hacked if the password is compromised. And of course some use no password at all when they can get away with it, as many phones allow.
As electronic sensors and microprocessors have grown cheaper and more powerful, gadget makers have started adding biometric sensors to familiar products.
All those systems are based on the notion that each user’s fingerprint – or face, or iris – is unique. But that doesn’t mean they can’t be reproduced.
Jain, the Michigan State researcher, proved that earlier this year when a local police department asked for help unlocking a fingerprint-protected Samsung phone.
The phone’s owner was dead, but police had the owner’s fingerprints on file. Jain and two associates made a digital copy of the prints, enhanced them and then printed them out with special ink that mimics the conductive properties of human skin.
Researchers at the University of North Carolina, meanwhile, fooled some commercial facedetection systems by using photos they found on the social media accounts of test subjects.
But some experts believe any biometric system can be cracked with sufficient determination. All it takes are simulated images of a person’s fingerprint, face or even iris pattern. And if someone manages that, you can’t exactly change your fingerprint or facial features as you would a stolen password.
To make such theft more difficult, biometric-equipped phones and computers typically encrypt fingerprints and similar data and store them locally, not in the ‘‘cloud’' where hackers might lift them from company servers. But many biometrics can be found elsewhere.
You might easily leave your fingerprint on a drinking glass, for instance. Or it might be stored in a different database.
Most crooks won’t go to that much trouble. But some experts have voiced a different concern – that biometrics could undermine important legal rights.
US courts have ruled that authorities can’t legally require individuals to give up their passwords, but in the last two years, however, judges in Virginia and Texas have ordered individuals to unlock their phones with their fingerprints.
There’s a legal distinction between something you know, like a password, and something you possess, like a physical key or a fingerprint, said Marcia Hofmann, a lawyer who specialises in privacy and computer security. While you can’t be forced to reveal the combination of a safe, she noted, you can be required to turn over a physical key to unlock a door. The issue hasn’t been tested yet in higher courts, though it’s likely just a matter of time. – AP