Monday, 23 September 2013

The mainstreaming of biometrics

Well, in the end, it took a day.

A day for someone to claim that they had hacked the fingerprint scanner on the latest iPhone 5S (Apple Touch ID fingerprint tech 'broken', hackers say - http://www.bbc.co.uk/news/technology-24203929).

And, frankly, it’s a bit worrying.

No, I don’t mean that it’s worrying that the iPhone 5S has been hacked - to anyone in the Information Security or IT Security fields this news is something that was expected. The scary bit for us is that biometrics are really starting to hit the mainstream - and if it's arrived for the Apple Fanboys then it'll soon be mainstream from other manufacturers too.

My worry is this - because it’s on their shiny new devices, your typical user will think their devices are secured, when in fact the security issues are just as worrying as before, only with a whole new dizzying can of worms attached.

All this reminds me of something that Richard Feynman, a Nobel prize-winning physicist, once said about physical safes - people think their stuff is safe in a safe, because it’s called a safe.

But what are biometrics then? Brief recap - biometrics are all about what you are (you have brown eyes, for example) rather than what you know (like a password) or have (like a key). And to me, they aren’t really about safety - they are about ease of use. And just like passwords or fences or concrete bunkers - you can have good implementations and bad implementations.

Biometric scanners of all sorts and types have been around for donkey's years and are implemented all over the place - but after the latest 'governments can read my data' scandal, suddenly there is a lot of concern about the use of biometrics in such a high-profile device from such a high-profile manufacturer.

Now, imagine that we start getting fingerprint scanners on every kind of device. Isn't it a bit like using the same password for everything (and we know how bad that is)? Basically, in security, it is generally a very bad thing to put all your eggs in one basket. So, the crux of the issue is this - you can change a password, but how do you change your fingerprint?

If you have time, I would heartily recommend listening to the latest edition of the BBC Radio 4 programme 'Inside Science' - they have a great little segment on biometrics. It's available on iPlayer and starts around 17 minutes in.