An overview of biometrics best practices

In this week’s tutorial, we’re covering biometric best practices as a follow-up to last week’s 2FA tutorial.

Numerous smart devices use biometric identification, usually through fingerprints, TouchID, or face scanners. Biometric identification is promoted as a simple alternative to a PIN or a pattern for unlocking a device. However, many individuals are unaware of the dangers of using biometric data to unlock devices, since the technique is not as safe as using a PIN.

While this may seem odd given that a fingerprint is unique to each individual and a face is very difficult to duplicate, it is rather simple to trick a smart gadget into opening using biometric information.

Individuals are capable of hacking your fingerprints.

Because of the oils in our skin, we leave fingerprints on everything, including door handles, handrails, computer displays, cups and, in my case, my spectacles. We leave copies of our fingerprints everywhere, which is why forensic investigators search for them so carefully at a crime scene. The FBI’s Integrated Automated Fingerprint Identification System holds tens of millions of prints from military members, government employees, and other innocent individuals. Additionally, government records are not always secure: 5.6 million fingerprints were compromised in a 2015 data breach at the U.S. Office of Personnel Management.

In 2008, the Chaos Computer Club replicated and published the fingerprint of a German politician who had proposed the implementation of biometrics. They did this as a protest and to demonstrate the vulnerability of biometric data. The group recreated his fingerprint from a high-resolution picture. They repeated the stunt in 2013, this time using latex to construct a fake finger and open a fingerprint lock. Recently, the technique was replicated using playdough and PVA glue, demonstrating how simple it is to reproduce physical prints.

A pair of security professionals showed off a variety of fingerprint lock breaches during the 2015 Black Hat conference in Las Vegas. They created an app that resembled the unlock screen of a phone; when used by the victim, it could authorize a financial transaction. They enabled access by pre-loading fingerprints onto the phone. They demonstrated that it was very simple to reconstruct a fingerprint from the file that contained it. Additionally, they hacked the scanner, enabling them to capture fingerprint pictures anytime it was used.

Governing laws.

Protections vary according to where you reside and local law (if they exist at all).

The Fourth and Fifth Amendments safeguard citizens of the United States: you are protected against unreasonable search and seizure and against self-incrimination. You cannot be compelled to unlock your smartphone unless you are detained, the police have reasonable cause, the police have a search warrant, or you voluntarily agree to a search. This protection applies, however, only if you are using a PIN or a password.

If you’re logging in using a biometric identification method such as a fingerprint or face scan, the police may compel you to look at your phone or touch the TouchID sensor. Additionally, courts have issued search warrants to police officers to allow biometric access to a device. The view is that a fingerprint is “physical evidence,” comparable to a physical key, that may be collected as evidence or obtained according to a court order. Additionally, fingerprints are easily accessible due to their regular collection as part of standard police and judicial processes. Furthermore, since fingerprints constitute physical evidence rather than “testimony,” they are not protected by the Fifth Amendment’s self-incrimination clause. However, there may be repercussions if you refuse to unlock your phone.

Citizens in the United Kingdom have fewer safeguards, since police officers may use Section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA). Under it, police may demand disclosure if it is necessary to prevent or detect crime, if it is necessary for national security, or if it is necessary for the UK’s economic well-being. This definition is so broad that it encompasses any offence, no matter how small. Refusal to comply with a notice issued under Section 49 of RIPA carries a maximum penalty of two years in jail, or five years in cases involving national security or child indecency.

Law enforcement authorities may compel or persuade manufacturers to install back doors in devices so that fingerprint-lock data can be harvested. Police brutality is a reality in various areas of the globe, although to varying degrees.

You have the option to change your password. You cannot alter your biometric information.

In the worst-case situation, if your privacy and/or security are compromised, changing your password or PIN code resolves the problem. If a fingerprint is hacked or duplicated, the data will always remain, allowing the system to be accessed indefinitely. Fingerprints are immutable. Once obtained by an individual or group, they may be reused or sold to other hostile organizations. This is especially concerning in light of the large number of government organizations that collect fingerprints and the growing number of commercial companies that use them for verification.
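The revocability point above is the one that decides how a biometric should be wired into an authentication design. The following Python model is an added example, not code from the original post: it contrasts a design in which the fingerprint template itself is the credential (nothing can be rotated after a leak) with the common mitigation in which the biometric only unlocks a device-bound key, so that a compromise is handled by revoking and re-issuing the key while the unchanged finger stays usable. The class and function names, the in-memory key registry, and the use of HMAC in place of a real signature scheme are all simplifications of my own; the template bytes are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for an enrolled fingerprint template (real templates are
# matcher-specific feature vectors; what matters here is only that it never changes).
ENROLLED_TEMPLATE = b"constructed-minutiae-template-for-demo-user"
LEAKED_TEMPLATE = ENROLLED_TEMPLATE  # a copied print, e.g. lifted from a glass


class DirectBiometricAuth:
    """Design A: the verifier stores a digest of the template and compares it.
    The template itself is the credential, so a leak is permanent."""

    def __init__(self, template: bytes) -> None:
        self._stored = hashlib.sha256(template).digest()

    def authenticate(self, presented: bytes) -> bool:
        return hmac.compare_digest(self._stored, hashlib.sha256(presented).digest())

    def rotate(self) -> None:
        # There is no new fingerprint to issue; the only remedy is to stop
        # using that finger, which is exactly the 'cannot alter' problem.
        raise RuntimeError("biometric credential cannot be rotated")


class BiometricGatedKeyAuth:
    """Design B: the template stays on the device and only unlocks a
    device-bound key; the verifier checks a challenge response under that key.
    The key, not the finger, is what gets revoked and re-issued."""

    def __init__(self, template: bytes) -> None:
        self._template = template              # never leaves the device
        self._device_key = secrets.token_bytes(32)
        self._registered = {self._device_key}  # hypothetical verifier-side registry

    # --- device side ---
    def device_respond(self, presented: bytes, challenge: bytes) -> Optional[bytes]:
        """A local match gates use of the key; no match, no response."""
        if not hmac.compare_digest(self._template, presented):
            return None
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()

    # --- verifier side ---
    def verify(self, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None:
            return False
        return any(
            hmac.compare_digest(hmac.new(k, challenge, hashlib.sha256).digest(), response)
            for k in self._registered
        )

    def revoke_and_reenroll(self) -> None:
        """Rotation: discard the compromised key, bind a fresh one to the same finger."""
        self._registered.discard(self._device_key)
        self._device_key = secrets.token_bytes(32)
        self._registered.add(self._device_key)


def compare_designs() -> dict:
    """Walk both designs through a template leak and report who still gets in."""
    results = {}

    a = DirectBiometricAuth(ENROLLED_TEMPLATE)
    results["A_attacker_with_copied_print"] = a.authenticate(LEAKED_TEMPLATE)
    try:
        a.rotate()
        results["A_rotated"] = True
    except RuntimeError:
        results["A_rotated"] = False

    b = BiometricGatedKeyAuth(ENROLLED_TEMPLATE)
    challenge = secrets.token_bytes(16)
    # The copied print alone is useless to a remote verifier: the attacker has
    # no device key, so the best they can do is guess one.
    forged = hmac.new(b"attacker-guess", challenge, hashlib.sha256).digest()
    results["B_attacker_with_print_only"] = b.verify(challenge, forged)
    # Worst case: the attacker also extracted the device key (or holds the device).
    stolen_key = b._device_key
    stolen_resp = hmac.new(stolen_key, challenge, hashlib.sha256).digest()
    results["B_attacker_with_print_and_key"] = b.verify(challenge, stolen_resp)
    # Remediation is key rotation, which the unchanged finger survives.
    b.revoke_and_reenroll()
    challenge2 = secrets.token_bytes(16)
    stale = hmac.new(stolen_key, challenge2, hashlib.sha256).digest()
    results["B_attacker_after_revoke"] = b.verify(challenge2, stale)
    genuine = b.device_respond(ENROLLED_TEMPLATE, challenge2)
    results["B_user_after_revoke"] = b.verify(challenge2, genuine)
    return results


if __name__ == "__main__":
    for name, outcome in compare_designs().items():
        print(f"{name}: {'ACCEPTED' if outcome else 'rejected'}")
```

Running it shows design A accepting the copied print with no way to rotate, and design B rejecting the print on its own, accepting a stolen key only until it is revoked, and still accepting the legitimate user afterwards. The practical reading is the same as the paragraph above: treat the biometric as a local convenience that unlocks a rotatable secret, never as the secret itself.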

To be completely transparent, I do not utilize biometric data to unlock any of my smart gadgets and instead rely on PIN passwords.
