Chicago Tribune (Sunday)

Passcode loyalists shun ID advances

As phones increase use of biometrics, skeptics fear security risks

- By Heather Kelly

Ashton Hickey appreciate­s some of the advanced features on her iPhone 8, like wireless charging and a camera that shoots high-definition 4K video.

But there’s one she refuses to use: the fingerprin­t sensor that lets people access their phones with a single touch. Instead, she continuall­y enters her six-digit passcode.

“I can handle typing that in,” said Hickey, a freelance locations coordinato­r for movies and television shows. And she wouldn’t ever consider the facial recognitio­n on the latest iPhones. “Like more and more tech, it’s [something] potentiall­y nefarious, disguised as a way to make our life easier.”

Hickey is one of a small but passionate group of smartphone owners resisting the recent wave of biometric security features, such as Apple’s facial recognitio­n technology and Samsung’s iris and facial scans. Instead, they’re sticking with passcodes or unlock patterns to access their smartphone­s even as companies push biometrics as key selling points on the newest thousanddo­llar devices.

Avoiding commercial biometric security could be an increasing­ly difficult feat in the future. Smartphone makers are sticking with the tech and say it is faster and safer to use than a passcode alone. Facial recognitio­n as an ID is already being offered to consumers outside of phones, including at airport check-ins, sports stadiums and concerts.

Computer science experts who study biometrics predict there will only be more options in the coming years, such as voice or heart-rate detection, signature authentica­tion and even devices that can tell who you are by the way you walk. The Pentagon is already working on tools for gait and heartbeat identifica­tion.

But the passcode holdouts say they are worried about people gaining access to their phones through faulty fingerprin­t or face-detection tools. They fret about the security of their sensitive biometric data, which they fear could fall into the wrong hands. Some say they are concerned about law enforcemen­t access, the trustworth­iness of tech companies or normalizin­g a growing surveillan­ce culture.

“I only have one face and 10 fingers, so my tolerance for theft of that data is extremely low,” said Steve Schott, who works in manufactur­ing in Colorado. A Galaxy S9+ owner, Schott says he has never used the phone’s biometric options, which include an iris scan, face recognitio­n and fingerprin­t sensor. He says he doesn’t know where the biometric informatio­n goes and who has access to it.

Some recent high-profile

blunders by smartphone makers may have contribute­d to one of the common security fears passcode loyalists have: that it is easy to trick a biometric scanner.

Last month, Google admitted that its new Pixel 4 smartphone was shipped with a face-detection feature that would unlock the phone even when a person’s eyes were closed — meaning it might work if they were asleep or even dead. Meanwhile, Samsung’s Galaxy S10 ultrasonic fingerprin­t sensors could be tricked with a protective third-party silicon screen cover, opening the phone for anyone with a finger.

In response, Google said it is working on a software update for Pixel 4 phones that will add an option for eye-open unlocking only. Samsung recently released a software update for the Galaxy S10 and other recent devices that it says will address the fingerprin­t issue.

Those bugs aside, biometrics on phones are considered hard to fool. The odds of guessing a four-digit passcode are 1 in 10,000, and tools have been used to crack iPhone codes in the past. Apple says the chances of someone having a similar enough fingerprin­t to unlock a person’s phone is 1 in 50,000, and a similar enough random face tricking Face ID is 1 in 1,000,000. That doesn’t take into account other ways of duping biometric features, like what happened with Samsung’s fingerprin­t sensor.

Security experts agree that it’s safer overall to use biometrics, and ideally a combinatio­n of the two. (Even with a biometric authentica­tion, most smartphone­s still require a passcode or pattern in some situations, such as when it is first turned on.) According to Kevin Bowyer, a professor of computer science and engineerin­g at the University of Notre Dame, biometric security is improving faster than password technology.

“Biometrics have problems,” said Andy Adler, a professor of systems and computer engineerin­g at Canada’s Carleton University who specialize­s in biometrics. “Overall, my opinion is it’s still better than what it’s replacing.”

Many concerns about using biometric security stem from confusion about how and where the informatio­n is stored. It’s easy to change a password, but what happens when a fingerprin­t is stolen?

Apple, Samsung and Google don’t actually keep copies of fingerprin­ts or people’s faces on their servers. For example, Apple turns face and finger scans into mathematic­al representa­tions of the features, encrypts the informatio­n and stores it all on the actual devices. Both Google and Samsung also store encrypted biometric informatio­n on the devices.

Popular smartphone­s may be secure, but consumers are wary about extending that faith to other companies. As biometrics pop up in more locations, smaller or less reputable services will gather similar informatio­n with different levels of security. Earlier this year, fingerprin­ts for more than a million people were found on a publicly accessible database, according to the Guardian.

People worried about biometrics are struggling with trust in the entire tech industry. The majority of adults in the United States trust tech companies to “do what is right” only some of the time, according to a 2018 Pew survey, compared with 25 percent who trusted them most of the time and 14 percent who hardly ever trusted them.

“I don’t like the idea of a phone company having any of my biometric data,” said Craig Craker, a writer from Idaho. “I’m sure all of that is irrational and that the phone companies already know everything about me, but I like being stuck in the past with some things.”

There’s no current statistic on how many passcode-only people there are, but in 2016 Apple said that 89 percent of people with compatible iPhones were using fingerprin­ts to unlock their devices. In a 2018 survey of 4,000 adults by IBM, only 67 percent of people said they were comfortabl­e with biometrics, but 87 percent said they would probably be comfortabl­e using them in the future.

Using a passcode — especially if it’s longer, as recommende­d by security experts — takes time and effort. Biometrics become harder to resist when considerin­g how often you have to enter a code — in 2016, Apple said iPhone users were unlocking their devices 80 times a day on average. (The company did not share more recent stats on how often phones are unlocked.)

That’s time Kerry Frost, a mother of two, now has to put in. Early one morning, her 10-year-old son wanted to download an update for the video game Fortnite while she was still asleep, but he was stymied by parental controls on her Android phone. He sneaked into his mom’s room, pressed her finger on her phone to unlock it, then turned on WiFi for his own device.

“I guess he went on to play Fortnite, but I had no idea anything happened until the next day,” said Frost, who now uses a passcode to lock her phone.

And then there’s the complicate­d issue of law enforcemen­t. Many people sticking with passcodes are worried about being compelled to unlock their phone by the police. According to Brett Max Kaufman, a senior staff attorney at the American Civil Liberties Union, current rules around whether law enforcemen­t and the government can compel a person to unlock their phone with passcodes or biometrics are still up in the air. And most phones will default to passcodes after a set time of not being unlocked. However, if it is a real concern, skipping biometrics can be advantageo­us, says Kaufman.

There’s a danger in getting too comfortabl­e with using faces for ID, said Evan Greer, deputy director of Fight for the Future, a nonprofit internet advocacy group. Face detection is showing up everywhere from airports to sport arenas as a way to confirm a person’s identity, but also in ways people may not consent to, like through security cameras or online services. People used to it on their phones could be more likely to accept it in other places, even in tools created by companies with looser security and privacy policies.

“In the end, you have to decide who to trust,” said Greer. “With a passcode you’re really trusting more or less yourself, where with a face scan you’re putting trust in a company with your biometrics.”

 ?? JUSTIN SULLIVAN/GETTY ?? Some smartphone owners are resisting the recent wave of biometric security features, such as Apple’s facial recognitio­n technology and Samsung’s iris and facial scans.
JUSTIN SULLIVAN/GETTY Some smartphone owners are resisting the recent wave of biometric security features, such as Apple’s facial recognitio­n technology and Samsung’s iris and facial scans.

Newspapers in English

Newspapers from United States