Why Biometric Smartphone Security Needs A Relook

by Sohini Bagchi    May 26, 2017


At a time when some security analysts were all but declaring passwords dead and arguing that biometric security is the way to go, and smartphone makers had started to embed biometric sensors in their devices, a group of hackers proved that breaking the iris scanner locking Samsung’s Galaxy S8 is laughably easy. The looming risk for enterprises and consumers leaves us with the question: if passwords are terrible, can biometrics be any better? It also brings into focus why biometric smartphone security needs a relook.

The gain and the pain

A report by Biometrics Research Group states that biometrics projects will generate about $9 billion in revenue by 2018, and that by 2020 the figure will climb steeply to $45 billion. It also mentions that the number of biometric users on smartphones will touch 2 billion by 2020. In such a scenario, biometric smartphones are here to stay - but so are security breaches.

“Biometric identification using unique physical attributes such as fingerprints to authenticate people has been considered secure for a long time. With widespread adoption of biometrics, however, we have seen a huge security slip. The technology’s popularity is actually a major contributing factor to this slide,” Altaf Halde, Managing Director of Kaspersky Lab (South Asia) said, explaining the reasons behind the slip.

“First, security specification standards for consumer goods are lower than they are in mission-critical implementations. Second, a broad field of easily obtainable gadgets gives criminals a huge test bed of consumer devices to experiment with and find more and more vulnerabilities for their own benefit, of course. The rapid development of 3D printing has also contributed to biometrics’ vulnerability,” informs Halde.

For example, in the case of the Galaxy S8 hack, all that was required was a digital camera, a laser printer and contact lenses. The hack required taking a picture of the subject’s face, printing it on paper, superimposing the contact lenses, and holding the image in front of the locked Galaxy S8.

Even though there are reports of vulnerabilities, some analysts say the convenience of biometrics can be an advantage to smartphones. “With biometrics features such as iris providing a higher level of security, reliability and ease-of-use at lower cost and complexity, more consumer mobile devices are expected to provide this technology as ‘passwords or PINs’ for us to easily access our devices, applications and services,” said Salil Prabhakar, CEO of Delta ID, who believes that, after all, it is bringing secure authentication to the masses.


Halde, too, agrees that, fortunately, biometric data is not stored as is, and hence a server receives only hashed scanning results, making outright theft a less attractive option. “However, the key concern is, when biometric security is compromised, the damage is long-lasting. You can change your password after a data breach, but you can’t change your fingerprint.”

Paul Ducklin, Senior Technologist at Sophos, believes that no security practice is foolproof, and that applies to biometrics as well. “The real problem with biometrics comes when we are persuaded to accept a new biometric system instead of existing authentication technologies, on the assumption that anything biometric must, ipso facto, be more accurate than, say, a password we have to choose for ourself,” he said.


Multi-factor authentication - The way to go

Some, like Halde, believe the best approach would combine biometric systems with other protections, such as a strong password or PIN. Having an extra security layer can make it more reliable, even though cost concerns would remain in most multi-factor authentication systems.

Ducklin added that a bit of a reality check on how vendors pitch their brand new biometric systems would be a good start. “Be careful not to overpromise - and perhaps encourage people to try new biometric processes as a second authentication factor to start with, so that they aren’t putting all their eggs in a brand new basket right away,” he said.

Sunil Sharma, VP - Sales (India & SAARC), Sophos, pitched in, “Biometrics have had challenges, and one significant obstacle it faces is, you can’t reset it if they’re compromised. Nonetheless, biometric technologies such as lip-reading have overcome that by combining biometrics with passwords. So, it adds an extra layer of protection by allowing users to modify their passwords in the form of lip-syncing a phrase in case there is a security breach.”


“To achieve the strongest security, you need to combine authentication solutions together. And multi-factor authentication is fast becoming the norm. While one of those factors is often a biometric, the other is often something we know such as a password, PIN or even a pattern,” he said.

Agreed Ganesh Karri, Chief Solutions Architect and Regional Business Manager, South Asia, Futurex. “Biometric authentication is just one of many technologies vital to creating a strong, multi-layered security profile,” he said.

“Whether protecting sensitive corporate or government data, IoT devices, or even something as simple as one’s own social media or banking credentials, the use of multiple security factors is critical. Administrators should always enforce strong authentication wherever possible, using a combination of methods such as complex passwords, biometrics, smart cards, PINs, or SMS-based one-time passwords,” he added.

Karri believes that, to prevent a hack incident, a well-thought-out plan addressing all potential aspects of breach response, including those relating to the organization’s ongoing operations and any regional or national notification requirements, should guide decision makers in taking the next step.

“An ounce of prevention is worth a pound of cure, and organizations that are security-minded will prepare their people, processes, and technology for all manner of challenges,” he summed up.