The iris scanner on the Samsung Galaxy S8, Face ID on the iPhone X and the fingerprint scanner on every smartphone all suffer from the same flaw: biometrics aren't secrets, and they can't be revoked. You have one face, two eyes and ten fingerprints, and none of them can be replaced if compromised, at least not as easily as a password can be changed.
When it comes to keeping your smartphone locked down, there’s always a tradeoff between convenience and security. For example, when one of my colleagues tried the LG Q6’s facial recognition feature, he was able to unlock the smartphone by holding up another smartphone with a picture of himself. Once he enabled the rather sluggish advanced face recognition feature, this 2D trick didn’t work anymore.
Even the more sophisticated Face ID on the iPhone X can be tricked. In less than a week, and for less than $150, researchers at a cybersecurity firm built a (very scary) mask that beat Face ID. Even without intending to, family members can sometimes unlock each other's iPhones: a ten-year-old boy was able to unlock his mother's iPhone X because of their strong resemblance, and Face ID is easily fooled by identical twins.
Fingerprints are even easier to copy than faces, because you leave them behind everywhere offline and, sometimes, online. If you look closely, you can see a fingerprint clearly in the photo below, so it could in principle be lifted from the image and copied. And once your fingerprint has been scanned, if the result isn't stored securely, the digital representation of it could be stolen. Even though fingerprints are unique and can't be guessed the way a simple password can, they can still be compromised easily, and you've only got ten of them.
Smartphone manufacturers go to great lengths to keep your fingerprint data secure. Here's how: Apple's Touch ID saves a mathematical representation of your fingerprint rather than an image of the print itself, encrypts it and stores it on the device without ever backing it up to the cloud. That data can only be decrypted with a particular key, and that key is only available to what Apple calls the Secure Enclave, an ARM-based coprocessor used to strengthen iOS security. On Android the model is similar: the fingerprint template is encrypted with a device-specific key and handled only inside the Trusted Execution Environment (TEE), an isolated area of the device's main processor, so the normal operating system and the apps running on it never see the template itself.
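What that isolation looks like from an app developer's side, as an added example that is not code from the original article or from Apple or Google: on Android an app never receives fingerprint data at all. It asks the system to generate an AES key inside the hardware-backed keystore that is flagged as usable only after a successful biometric authentication, and on success it gets back an authorized cipher handle, not the fingerprint and not the key bytes. The key alias, the function names and the use of the androidx.biometric library are assumptions made for this example.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Assumed alias for this example; any app-specific string works.
private const val KEY_ALIAS = "example_biometric_key"

// Generate (once) an AES key that lives in the hardware-backed keystore and can
// only be used after the user has passed a biometric check. The key material
// never leaves the TEE; the app only ever holds a handle to it.
fun createBiometricBoundKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        // Every use of the key requires a fresh user authentication.
        .setUserAuthenticationRequired(true)
        // If a new fingerprint is enrolled later, this key becomes unusable,
        // so an attacker who adds their own finger cannot unlock old data.
        .setInvalidatedByBiometricEnrollment(true)
        .build()
    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    generator.init(spec)
    return generator.generateKey()
}

// Load the handle to the previously generated key from the keystore.
fun loadBiometricBoundKey(): SecretKey {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    return keyStore.getKey(KEY_ALIAS, null) as SecretKey
}

// Decrypt data that was encrypted with the biometric-bound key. The cipher is
// initialised first and handed to the system prompt; only after the TEE has
// matched the fingerprint does the system authorise that cipher to run.
fun decryptWithBiometric(
    activity: FragmentActivity,
    iv: ByteArray,
    ciphertext: ByteArray,
    onPlaintext: (ByteArray) -> Unit,
    onFailure: (CharSequence) -> Unit
) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, loadBiometricBoundKey(), GCMParameterSpec(128, iv))

    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
            // No fingerprint image or template is ever exposed here: the app
            // receives the now-authorised cipher and nothing else.
            val authorizedCipher = result.cryptoObject?.cipher
            if (authorizedCipher == null) {
                onFailure("no crypto object returned")
                return
            }
            onPlaintext(authorizedCipher.doFinal(ciphertext))
        }

        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            // Lockout, user cancellation, too many attempts, etc.
            onFailure(errString)
        }
    }

    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
    val promptInfo = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock")
        .setNegativeButtonText("Cancel")
        .build()
    prompt.authenticate(promptInfo, BiometricPrompt.CryptoObject(cipher))
}
```

The point of routing the cipher through the prompt rather than just asking "did the user pass?" is that the authorisation is enforced by the keystore inside the TEE: a compromised app process that skips the prompt still cannot use the key, and the template the TEE compared against never crosses into the app at all.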
Despite manufacturers' strong efforts to keep your fingerprint and other biometric data secure, you still leave fingerprints behind everywhere you go and your face is always ready to be caught on camera. Since you can't get around this basic flaw of biometrics as a means of security, it makes sense to turn to other options. PIN codes and swipe patterns are weak because the oil and dirt smudges on your smartphone's display glass reveal which digits were tapped or which path was drawn, shrinking the number of guesses an attacker needs. The best alternative is simply a strong password: one that mixes letters, numbers and symbols, and that you never reuse anywhere else.
How do you keep your smartphone secure? Do you value security over convenience?