Pass­code loy­al­ists shun ID ad­vances

As phones in­crease use of bio­met­rics, skep­tics fear se­cu­rity risks

Chicago Tribune (Sunday) - - BUSINESS - By Heather Kelly

Ash­ton Hickey ap­pre­ci­ates some of the ad­vanced fea­tures on her iPhone 8, like wire­less charg­ing and a cam­era that shoots high-def­i­ni­tion 4K video.

But there’s one she re­fuses to use: the fin­ger­print sen­sor that lets peo­ple ac­cess their phones with a sin­gle touch. In­stead, she con­tin­u­ally en­ters her six-digit pass­code.

“I can han­dle typ­ing that in,” said Hickey, a free­lance lo­ca­tions co­or­di­na­tor for movies and tele­vi­sion shows. And she wouldn’t ever con­sider the fa­cial recog­ni­tion on the lat­est iPhones. “Like more and more tech, it’s [some­thing] po­ten­tially ne­far­i­ous, dis­guised as a way to make our life eas­ier.”

Hickey is one of a small but pas­sion­ate group of smart­phone own­ers re­sist­ing the re­cent wave of bio­met­ric se­cu­rity fea­tures, such as Ap­ple’s fa­cial recog­ni­tion tech­nol­ogy and Sam­sung’s iris and fa­cial scans. In­stead, they’re stick­ing with pass­codes or un­lock pat­terns to ac­cess their smart­phones even as com­pa­nies push bio­met­rics as key sell­ing points on the new­est thou­sand­dol­lar de­vices.

Avoid­ing com­mer­cial bio­met­ric se­cu­rity could be an in­creas­ingly dif­fi­cult feat in the fu­ture. Smart­phone mak­ers are stick­ing with the tech and say it is faster and safer to use than a pass­code alone. Fa­cial recog­ni­tion as an ID is al­ready be­ing of­fered to con­sumers out­side of phones, in­clud­ing at air­port check-ins, sports sta­di­ums and con­certs.

Com­puter sci­ence ex­perts who study bio­met­rics pre­dict there will only be more op­tions in the com­ing years, such as voice or heart-rate de­tec­tion, sig­na­ture au­then­ti­ca­tion and even de­vices that can tell who you are by the way you walk. The Pen­tagon is al­ready work­ing on tools for gait and heart­beat iden­ti­fi­ca­tion.

But the pass­code hold­outs say they are wor­ried about peo­ple gain­ing ac­cess to their phones through faulty fin­ger­print or face-de­tec­tion tools. They fret about the se­cu­rity of their sen­si­tive bio­met­ric data, which they fear could fall into the wrong hands. Some say they are con­cerned about law en­force­ment ac­cess, the trust­wor­thi­ness of tech com­pa­nies or nor­mal­iz­ing a grow­ing sur­veil­lance cul­ture.

“I only have one face and 10 fin­gers, so my tol­er­ance for theft of that data is ex­tremely low,” said Steve Schott, who works in man­u­fac­tur­ing in Colorado. A Galaxy S9+ owner, Schott says he has never used the phone’s bio­met­ric op­tions, which in­clude an iris scan, face recog­ni­tion and fin­ger­print sen­sor. He says he doesn’t know where the bio­met­ric in­for­ma­tion goes and who has ac­cess to it.

Some re­cent high-pro­file

blun­ders by smart­phone mak­ers may have con­trib­uted to one of the com­mon se­cu­rity fears pass­code loy­al­ists have: that it is easy to trick a bio­met­ric scan­ner.

Last month, Google ad­mit­ted that its new Pixel 4 smart­phone was shipped with a face-de­tec­tion fea­ture that would un­lock the phone even when a per­son’s eyes were closed — mean­ing it might work if they were asleep or even dead. Mean­while, Sam­sung’s Galaxy S10 ul­tra­sonic fin­ger­print sen­sors could be tricked with a pro­tec­tive third-party sil­i­con screen cover, open­ing the phone for any­one with a fin­ger.

In re­sponse, Google said it is work­ing on a soft­ware up­date for Pixel 4 phones that will add an op­tion for eye-open un­lock­ing only. Sam­sung re­cently re­leased a soft­ware up­date for the Galaxy S10 and other re­cent de­vices that it says will ad­dress the fin­ger­print is­sue.

Those bugs aside, bio­met­rics on phones are con­sid­ered hard to fool. The odds of guess­ing a four-digit pass­code are 1 in 10,000, and tools have been used to crack iPhone codes in the past. Ap­ple says the chances of some­one hav­ing a sim­i­lar enough fin­ger­print to un­lock a per­son’s phone is 1 in 50,000, and a sim­i­lar enough ran­dom face trick­ing Face ID is 1 in 1,000,000. That doesn’t take into ac­count other ways of dup­ing bio­met­ric fea­tures, like what hap­pened with Sam­sung’s fin­ger­print sen­sor.

Se­cu­rity ex­perts agree that it’s safer over­all to use bio­met­rics, and ide­ally a com­bi­na­tion of the two. (Even with a bio­met­ric au­then­ti­ca­tion, most smart­phones still re­quire a pass­code or pat­tern in some sit­u­a­tions, such as when it is first turned on.) Ac­cord­ing to Kevin Bowyer, a pro­fes­sor of com­puter sci­ence and en­gi­neer­ing at the Univer­sity of Notre Dame, bio­met­ric se­cu­rity is im­prov­ing faster than pass­word tech­nol­ogy.

“Bio­met­rics have prob­lems,” said Andy Adler, a pro­fes­sor of sys­tems and com­puter en­gi­neer­ing at Canada’s Car­leton Univer­sity who spe­cial­izes in bio­met­rics. “Over­all, my opin­ion is it’s still bet­ter than what it’s re­plac­ing.”

Many con­cerns about us­ing bio­met­ric se­cu­rity stem from con­fu­sion about how and where the in­for­ma­tion is stored. It’s easy to change a pass­word, but what hap­pens when a fin­ger­print is stolen?

Ap­ple, Sam­sung and Google don’t ac­tu­ally keep copies of fin­ger­prints or peo­ple’s faces on their servers. For ex­am­ple, Ap­ple turns face and fin­ger scans into math­e­mat­i­cal rep­re­sen­ta­tions of the fea­tures, en­crypts the in­for­ma­tion and stores it all on the ac­tual de­vices. Both Google and Sam­sung also store en­crypted bio­met­ric in­for­ma­tion on the de­vices.

Pop­u­lar smart­phones may be se­cure, but con­sumers are wary about extending that faith to other com­pa­nies. As bio­met­rics pop up in more lo­ca­tions, smaller or less rep­utable ser­vices will gather sim­i­lar in­for­ma­tion with dif­fer­ent lev­els of se­cu­rity. Ear­lier this year, fin­ger­prints for more than a mil­lion peo­ple were found on a pub­licly ac­ces­si­ble data­base, ac­cord­ing to the Guardian.

Peo­ple wor­ried about bio­met­rics are strug­gling with trust in the en­tire tech in­dus­try. The ma­jor­ity of adults in the United States trust tech com­pa­nies to “do what is right” only some of the time, ac­cord­ing to a 2018 Pew sur­vey, com­pared with 25 per­cent who trusted them most of the time and 14 per­cent who hardly ever trusted them.

“I don’t like the idea of a phone com­pany hav­ing any of my bio­met­ric data,” said Craig Craker, a writer from Idaho. “I’m sure all of that is ir­ra­tional and that the phone com­pa­nies al­ready know ev­ery­thing about me, but I like be­ing stuck in the past with some things.”

There’s no cur­rent statis­tic on how many pass­code-only peo­ple there are, but in 2016 Ap­ple said that 89 per­cent of peo­ple with com­pat­i­ble iPhones were us­ing fin­ger­prints to un­lock their de­vices. In a 2018 sur­vey of 4,000 adults by IBM, only 67 per­cent of peo­ple said they were com­fort­able with bio­met­rics, but 87 per­cent said they would prob­a­bly be com­fort­able us­ing them in the fu­ture.

Us­ing a pass­code — es­pe­cially if it’s longer, as rec­om­mended by se­cu­rity ex­perts — takes time and ef­fort. Bio­met­rics be­come harder to re­sist when con­sid­er­ing how of­ten you have to en­ter a code — in 2016, Ap­ple said iPhone users were un­lock­ing their de­vices 80 times a day on av­er­age. (The com­pany did not share more re­cent stats on how of­ten phones are un­locked.)

That’s time Kerry Frost, a mother of two, now has to put in. Early one morning, her 10-year-old son wanted to down­load an up­date for the video game Fort­nite while she was still asleep, but he was stymied by parental con­trols on her An­droid phone. He sneaked into his mom’s room, pressed her fin­ger on her phone to un­lock it, then turned on WiFi for his own de­vice.

“I guess he went on to play Fort­nite, but I had no idea any­thing hap­pened un­til the next day,” said Frost, who now uses a pass­code to lock her phone.

And then there’s the com­pli­cated is­sue of law en­force­ment. Many peo­ple stick­ing with pass­codes are wor­ried about be­ing com­pelled to un­lock their phone by the po­lice. Ac­cord­ing to Brett Max Kaufman, a se­nior staff at­tor­ney at the Amer­i­can Civil Lib­er­ties Union, cur­rent rules around whether law en­force­ment and the gov­ern­ment can com­pel a per­son to un­lock their phone with pass­codes or bio­met­rics are still up in the air. And most phones will de­fault to pass­codes after a set time of not be­ing un­locked. How­ever, if it is a real con­cern, skip­ping bio­met­rics can be ad­van­ta­geous, says Kaufman.

There’s a dan­ger in get­ting too com­fort­able with us­ing faces for ID, said Evan Greer, deputy di­rec­tor of Fight for the Fu­ture, a non­profit in­ter­net ad­vo­cacy group. Face de­tec­tion is show­ing up ev­ery­where from air­ports to sport are­nas as a way to con­firm a per­son’s iden­tity, but also in ways peo­ple may not con­sent to, like through se­cu­rity cameras or on­line ser­vices. Peo­ple used to it on their phones could be more likely to ac­cept it in other places, even in tools cre­ated by com­pa­nies with looser se­cu­rity and pri­vacy poli­cies.

“In the end, you have to de­cide who to trust,” said Greer. “With a pass­code you’re re­ally trust­ing more or less your­self, where with a face scan you’re putting trust in a com­pany with your bio­met­rics.”

JUSTIN SUL­LI­VAN/GETTY

Some smart­phone own­ers are re­sist­ing the re­cent wave of bio­met­ric se­cu­rity fea­tures, such as Ap­ple’s fa­cial recog­ni­tion tech­nol­ogy and Sam­sung’s iris and fa­cial scans.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.