Why fingers make handy, if not foolproof, digital keys
SAN FRANCISCO — It sounds like a great idea: Forget passwords, and instead lock your phone or computer with your fingerprint. It’s a convenient form of security — though it’s also perhaps not as safe as you’d think.
In their rush to do away with problematic passwords, Apple, Microsoft and other tech companies are nudging consumers to use their own fingerprints, faces and eyes as digital keys. Smartphones and other devices increasingly feature scanners that can verify your identity via these “biometric” signatures in order to unlock a gadget, sign into web accounts and authorize electronic payments.
But there are drawbacks: Hackers could still steal your fingerprint — or its digital representation. Police may have broader legal powers to make you unlock your phone. And socalled “biometric” systems are so convenient they could lull users into a false sense of security. Bypassing the password
Biometric security seems like a natural solution to wellknown problems with passwords. Far too many people choose weak and easily-guessed passwords like “123456” or “password.” Many others reuse a single password across online accounts, all of which could be hacked if the password is compromised. And of course some use no password at all when they can get away with it, as many phones allow.
As electronic sensors and microprocessors have grown cheaper and more powerful, gadget makers have started adding biometric sensors to familiar products.
Apple’s iPhone 5S, launched in 2013, introduced fingerprint scanners to a mass audience, and rival phone makers quickly followed suit. Microsoft built biometric capabilities into the latest version of its Windows 10 software, so you can unlock your PC by briefly looking at the screen. Samsung is now touting an iris-scanning system in its latest Galaxy Note devices. Lifting prints, faking faces
Jain, the Michigan State researcher, proved that earlier this year when a local police department asked for help unlocking a fingerprint-protected Samsung phone. The phone’s owner was dead, but police had the owner’s fingerprints on file. Jain and two associates made a digital copy of the prints, enhanced them and then printed them out with special ink that mimics the conductive properties of human skin.
“We tried the right thumb and it worked right away,” Jain said.
Researchers at the University of North Carolina, meanwhile, fooled some commercial face-detection systems by using photos they found on the social media accounts of test subjects. They used the photos to create a three-dimensional image, enhanced with virtual reality algorithms. The spoof didn’t work every time, and the researchers found it could be foiled by cameras with infrared sensors. (The Microsoft facerecognition system uses infrared-capable cameras for extra precision.)