Apple’s Touch ID fingerprint scanner seems to have fueled an important but ill-informed and ultimately nonsensical debate about biometrics and privacy. The latest example is this muddled editorial in the Sept. 22 New York Times.
The Times editorial, and a great deal of other discussion of the issue, errs in confusing two completely different uses of biometric data: authentication and identification.
The iPhone uses fingerprints for authentication. It scans your finger and checks whether it matches previously recorded data (read this for a deep dive into how the process works and why it is secure). You can record up to five prints. If you want one of them to be your cat’s paw, fine. You can give your cat access to your iPhone. The phone does not care who the print actually belongs to, just that it matches.
This is what authentication is about. You attempt to access a system claiming to be Mr. X. The system confirms that this is the same person (or cat) who previously claimed to be Mr. X. It offers no warranty whatever that the person claiming to be Mr. X is Mr. X or, indeed, that Mr. X exists.
Authentication is relatively easy. It is still non-deterministic and, like any other statistical process, subject to both false positives (accepting a print it should reject) and false negatives (rejecting a print it should accept). But a properly designed system with a good sensor, like Apple’s, can keep the rates of both types of error very small. And as long as the biometric data is stored locally and securely, as Apple maintains is the case with Touch ID, there is no real privacy issue. In fact, biometric authentication can increase privacy by reducing identity theft.
Identification is what happens when the police find a fingerprint at a crime scene. The FBI lab must compare this unknown print to millions of known prints in its database in search of a match. The likelihood of both false positives and false negatives is much higher than in the authentication case, and the quality of any match (the probability that it is not a false positive) may be low. (Good defense lawyers know how to challenge expert witnesses on the quality of fingerprint matches.)
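The difference between the two cases is mostly a matter of arithmetic, so here is an added back-of-the-envelope model (not from the article) that puts numbers on it. The per-comparison false match rate (FMR), false non-match rate (FNMR) and database size used are constructed for illustration, not Touch ID’s or the FBI’s real figures.

```python
# Added example: why 1:1 authentication and 1:N identification behave so
# differently even with the same sensor. All rates below are constructed.

def false_accept_probability(fmr: float, attempts: int = 1) -> float:
    """Authentication (1:1): chance an impostor finger is accepted within `attempts` tries."""
    return 1.0 - (1.0 - fmr) ** attempts

def expected_false_matches(fmr: float, database_size: int) -> float:
    """Identification (1:N): expected number of *wrong* records that clear the threshold."""
    return fmr * database_size

def match_is_genuine_probability(fmr: float, fnmr: float,
                                 database_size: int, prior_in_db: float) -> float:
    """Rough posterior that a reported hit is the true person.

    Expected genuine hits = prior_in_db * (1 - fnmr); expected spurious hits
    = fmr * database_size (linear approximation, fine while fmr * N is modest).
    """
    genuine = prior_in_db * (1.0 - fnmr)
    spurious = fmr * database_size
    return genuine / (genuine + spurious)

def compare(fmr: float, fnmr: float, database_size: int) -> dict:
    """Summarise both use cases for one sensor quality (prior: the person is in the DB)."""
    return {
        "auth_false_accept_5_tries": false_accept_probability(fmr, 5),
        "ident_expected_false_hits": expected_false_matches(fmr, database_size),
        "ident_hit_is_genuine": match_is_genuine_probability(fmr, fnmr, database_size, 1.0),
    }

if __name__ == "__main__":
    # Constructed figures: 1-in-50,000 false match rate, 2% false non-match rate,
    # and a 50-million-record identification database.
    for key, value in compare(2e-5, 0.02, 50_000_000).items():
        print(f"{key}: {value:.6g}")
```

With these inputs the phone accepts an impostor about once in ten thousand five-try sessions, while the same FMR searched against fifty million records produces roughly a thousand spurious hits, so a lone hit is genuine less than 0.1% of the time.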
Fingerprint matching is at least backed by decades of experience and a fair amount of science. Other forms of biometric identification, such as face recognition in crowds, are far more problematic. As Adam Harvey pointed out in an Ignite talk at the Privacy, Identity, Innovation conference in Seattle last week, the current state of technology makes it all but impossible to capture useful biometric data without the cooperation of the target. You have to touch something, hold still for iris scanning, or at least look squarely into a camera with your face unobscured. At best, the data we collect from tens of thousands of surveillance cameras is good only for after-the-fact identification of suspects.
But the technology for on-the-fly biometric data capture is only going to get better. This, not Apple’s fingerprint scanner, is what poses the real threat to privacy and where the debate ought to focus.
19 thoughts on “Sense and Nonsense About Biometrics”
Thanks for a clear and cool-headed description of the situation. Most of the discussion elsewhere seems to be guided either by religious faith or hysterics.
Even if you could get the raw data from the sensor, you would still need to convert that data back to a live finger in order to use it. I doubt you could take a person’s stem cells and create a live finger with the exact fingerprint, all grown in a government lab.
The best a hacker can do is to replace your data with theirs, which also needs to go through several hoops. All that without encryption and hashed data, which is an even more difficult problem.
Looks like I spoke too soon.
It is broken already.
Spoofed, maybe. All you need is a high res photo of my fingerprint. Got one?
“It is broken already.” – dr.no
Define “broken”. Are locks “broken” because duplicate keys can be made?
Any security system can be beaten. Security is about making the cost so high that it’s not worth the effort.
The Chaos Computer Club hack is interesting, but this predictable assault does not significantly reduce the value of Touch ID. To get into my iPhone 5s, you need physical possession of my phone, a high-resolution photo of my registered fingers, and the skill to make a latex cast of my finger. These requirements mean this is not a very practical attack.
OK, this is the kicker:
“iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team.”
“Easily” faked? From what I saw demonstrated, there was nothing “easy” about it. They also stretched the bounds of “materials found in any household”. Sure, I suppose EVERYONE has theatrical glue lying around. I don’t. And I work in the industry.
But let’s never mind the materials. That still takes a LOT of skill to make a _clean_ fake, even by their own description. Have you ever tried to _cleanly_ lift a finger print? Are _you_ good enough to clean up the digitized finger print in ANY photo editing software?
“Broken”. Hardly. Never mind “easy”. This is the work of pros.
The theft of the print itself also requires the active cooperation of the owner of the finger. Perhaps this could be obtained under duress, but it also argues against “easy.”
“The theft of the print itself also requires the active cooperation of the owner”.
No – I believe the print was lifted from a glass.
Or it might be lifted from the iPhone itself.
Really, using a fingerprint to secure a phone is like writing your PIN on the back of a bank card.
Of course, this is assuming you are even able to get the _correct_ fingerprint, much less a clean or complete enough version of the correct fingerprint. I watched the video over at Ars Technica, too. So far all the “hacks” are in very controlled conditions: they know what they’ve done, where they’ve put the fingerprint in question, how well placed they made the fingerprint, and that it is the correct fingerprint. In both hacks I’ve seen, they have the active cooperation of the “owner” (usually themselves). “Trivial” to someone who has the time, inclination, and skills. In other words, people already set out to do this kind of stuff and who probably have a whole toolbox full of ways they can hack anything.
AFAIK he provided a perfect print on a clean drinking glass of the correct finger.
Essentially, that is the perfect transfer medium, and counts as cooperation. The only thing he could have done more was to get inked up and give a perfect fingerprint on paper.
From this everyone is leaping to the conclusion that you can just pull prints off the phone and unlock it. But a handled phone will be a mess of smudged overlapping partials. I doubt a CSI team would get lucky enough to find a clean enough print to unlock the phone, on the phone.
This is like the Bart Simpson defence:
“It won’t be spoofed!
I never said it couldn’t be spoofed!
It doesn’t really matter if it is spoofed!!!”
You don’t make up security as you go along. Apple should not release a “security” mechanism with no performance specs (just anecdotes about how its liveness detection won’t be tricked by dead fingers), and then meekly wait for attacks and ad hoc rationalization that the security is still good enough.
Consumer biometrics is all about convenience, not security. And that would be fine if vendors were up front about it, but they’re not. And that’s the point of the “hacks”. They show that biometric security is flaky: no standards, no meaningful specifications, no public threat & risk assessments, no test protocols, no way to quantify these vague soothing justifications that the fingerprint detector is “good enough”.
My first post on Touch ID called on Apple to be more transparent about the security mechanisms used in Touch ID. What we have learned since, unfortunately not in the form of official Apple statements, is generally encouraging, but I still wish they were more forthcoming.
That said, I don’t regard the fingerprint lift as a very serious threat. It does require the cooperation of the owner of the finger (or the incredible luck of finding a complete, perfect print of one of the phone owner’s registered fingers) and even then, the process of producing the fake print is difficult and exacting.
In security, the questions are always how good is the protection relative to the value of what it is protecting and how good is it compared to the alternatives? I think Touch ID will stand up well on both counts.
They proved they could fake a fingerprint (although it is not trivial); breaking into a device is far different.
I just couldn’t read past this aside: “read [link] for a deep dive into how the process works and why it is secure”.
If biometrics advocates are calling for “perspective” in the way critics use the CCC hack results, then by the same token, advocates must stop using the word “secure” without qualification. Maybe we can all agree that on its own “secure” is meaningless. All the more so with biometrics when there are no standards for real world performance testing, and no specifications for liveness detection.
One of my problems with the biometrics industry is vendors know there are no standards for what they do, and yet they continue to play fast and loose with words like “secure” and “unique” and “liveness detection”.
“Secure” in this case has two senses. One is that the system can reliably authenticate the user, i.e., that it can keep false positives to a very low level. I do not believe the Chaos Computer Club hack changes that level of security significantly; the trick is simply too difficult to be a reasonable path of attack, and there are alternative protections against the worst attacks. (Someone steals your iPhone at gunpoint and forces you to submit to having your fingers photographed. This works for as long as it takes for you to revoke the phone’s credentials.)
The second security issue is the protection of the biometric data stored in the phone (if it’s stored elsewhere, it’s not secure, as far as I am concerned.) This is harder to test, but it looks like Apple has done a good job protecting the data.
There is no perfect security. It is all stochastic. The ideal in any security system is to make the cost of breaking it greater than the value of what you are protecting. We can’t always achieve that, but good security raises the costs to attackers.
In the case of the iPhone, we also have to compare what Apple has provided with what was available before. For phone access, Touch ID is unquestionably stronger than nothing, which was the case on about half of all iPhones, or the passcode, usually four digits, on the rest. It is also stronger than the reusable passwords for access to the iTunes Store. Is it strong enough to protect nuclear launch codes? No, but that isn’t what it is being asked to do.
Great article Steve.
Excellent article, and it is sad that it is necessary.
I think you don’t only have to look at fingerprint technology, but also at how it is implemented in a system.
In Apple’s case the fingerprint is backed up by a password and other security measures, and it times out, so a possible infiltrator has to be pretty quick in getting a clean print of you, making a fake thumb, etc.
The implementation and combination with other security features that are already established, mature technologies makes it or breaks it, imho.