Fingerprints are not enough: Why multifactor mobile security is a must
I don’t, as a rule, love having my Android phone latch onto a huge OS update—and not only because my phone never fails to try that just as I’m leaving Wi-Fi range. As a security professional I know that taking updates as soon as feasible is good practice, but as a privacy specialist I’ve found that updates can be devious about whittling away protections and restrictions I’ve put in place.
But one change in the last big update made me happy, though I see from the Internet that my joy wasn’t universally shared. Recent OS changes de-emphasizing biometric security measures are excellent for security and privacy, even if some online commentary would have you believe otherwise. The days of using your fingerprint exclusively as your biometric pass card are over, and that's a good thing.
[ Take a deep-dive into app sec with our Application Security Trends and Tools Guide, which includes our 2019 App Sec Buyer's Guide. ]
When Marshmallow gets squishy
The updates to my phone’s version of Marshmallow now require that users set a password, PIN, or pattern as an alternate method for unlocking the phone; previously, one could use one’s fingerprint exclusively. This “double verification” applies when the user reboots the device, when the device hasn’t been unlocked for more than 24 hours, or when the user changes the screen lock type or fingerprint settings (e.g., switches fingers). Putting this in security terms, the update added a second verification factor—“something you know”—to the “something you are” that biometric verification represents.
A remarkable number of online commenters were agitated by this change, calling it everything from “the most annoying update in the history of mankind” to “surely overdone.” Don’t be shocked, but the Internet is wrong about something in this case. Pushing Android users toward a mandatory second authentication factor is proof that Android loves us and wants us to be happy—or, at least, that the folks behind the Marshmallow update are apparently thinking more clearly about user security than some of their users wish to.
Decades of police TV shows aside, it turns out that fingerprints are a convenient but lousy way to prove you are who you say you are—especially in the digital realm, where all those whorls and ridges work out to a long but not infinite digital string. (The same goes for iris scans, such as certain Windows 10 phones use for biometric ID.) The print itself may be unique inasmuch as it occurs in nature only on one finger among billions, but a string of data is only a string of data—and phone manufacturers and OS developers and database compilers haven’t always been great at being responsible stewards of that information. Worse, once that data is compromised, it’s toast; you can change your passwords, but fingerprints are a finite resource. (And despite what you see at the ends of your hands, you may not in fact be the only person with your fingerprints—or at least you might not be if someone were to combine images of your fingerprints with decent-quality 3D printing.)
[ Application layer attacks are on the rise. Get key takeaways from the 2019 Application Security Risk Report in this webinar. ]
What's in a fingerprint?
Worse (at least to a privacy person’s way of thinking), when it comes to fingerprints and other biometric identifiers, “something you are” is far less protected by American law than “something you know.” As most watchers of (again) those cop shows know, Americans have the right to refrain from self-incrimination. Over the years, that has been interpreted to mean that the law cannot compel one to reveal the contents of one’s head. Those contents include passwords, PINs, and patterns—the “somethings you know” mentioned above.
Your fingerprints, however, exist not in your head (ew) but on your person—and they exist in a different legal area as well. The courts have ruled over the years that providing a fingerprint is a form of physical evidence, similar to providing a hair sample or appearing in a lineup, and thus the laws against self-incrimination do not apply. In fact, fingerprints are even less protected than other kinds of physical evidence, inasmuch as the police don’t even need a warrant to require a fingerprint.
In other words, if you were for some reason detained by law enforcement and ordered to unlock your phone and you declined to do so, you might be on shaky ground if your phone unlocks using only a biometric. This is not theoretical. Earlier this year, a woman with ties to a Southern California gang was ordered by a federal judge to put her finger on the sensor of an iPhone seized from her boyfriend’s home in the course of an investigation. (iPhones have a two-factor setup similar to that my phone received in its upgrade.) The federal government in the past year has shown an increased inclination to be feisty about wanting greater access to data on phones; this is probably not the climate in which a reasonable person would want to claim that she had the right to security, plus privacy, plus only having to set up a single data protection chosen for one-touch convenience.
I fought the law...
I have no current plans to test American evidentiary law, and I assume you don’t either. In that case, it may be that the security issues cited above—fingerprint data can be duplicated, can’t be reset, and doesn’t get the care it deserves from the tech entities that should be trying harder to protect it—are sufficient to encourage you to embrace two-factor authentication for your phone. (Or, as one article responding to the lock-screen uproar sanguinely put it, “Anyway, the stupid unlock policy is here to protect your data from unauthorized access.”) That situation becomes even more urgent for those who use their mobile phones to download or interact with work-related data on their phones, as the potential for inadvertent data exposure goes beyond one person to encompass the enterprise.
[ Get Report: Gartner Magic Quadrant for Application Security Testing 2019 ]
