Caute_cautim
Community Champion

Are biometrics secure?

Hi All

 

Apparently not: Chinese researchers say they successfully bypassed fingerprint authentication safeguards on smartphones by staging a brute force attack.

 

https://techxplore.com/news/2023-05-brute-force-bypasses-android-biometric-defense.html

 

Regards

 

Caute_Cautim

4 Replies
denbesten
Community Champion

The fundamental issue described in the article is not the use of biometrics, but rather that the adversary was able to subvert rate-limiting/locking.  Keep in mind the traditional fallback for a phone unlock -- a 4-to-6-digit PIN.  That takes under 1M attempts to brute force, which makes rate limiting/locking critical.

 

Safe is a continuum, not a binary value.  I personally view biometrics as "safe enough" only when combined with other requirements, including rate-limiting/locking and a physical presence requirement (e.g. to unlock phone that is in my hands, but not to unlock a VM with a remote-USB attached fingerprint reader).

 
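The point above is that a 4-to-6-digit PIN fallback is only as strong as the rate-limiting/lockout in front of it. The following is an added example (not from this thread or the linked article): a small unlock service with an escalating lockout schedule, plus a function that measures how many guesses the service actually compares per day when the limiter is enforced. The lockout schedule and the ten-failure disable threshold are constructed for illustration, not taken from any vendor.

```python
import hmac
from dataclasses import dataclass, field

# Constructed lockout schedule (assumed, not any vendor's): after the Nth
# consecutive failure, reject attempts for schedule[N] seconds; failures
# beyond the last key reuse the last delay.
DEFAULT_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 3600}


@dataclass
class PinLock:
    pin: str
    schedule: dict = field(default_factory=lambda: dict(DEFAULT_SCHEDULE))
    max_failures: int = 10      # disable the credential after this many failures
    failures: int = 0
    locked_until: float = 0.0
    disabled: bool = False

    def attempt(self, guess: str, now: float) -> str:
        """Return 'ok', 'wrong', 'locked' or 'disabled'. A 'locked' result means
        the guess was rejected before any comparison took place."""
        if self.disabled:
            return "disabled"
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(guess.encode(), self.pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.disabled = True
            return "disabled"
        if self.schedule:
            step = min(self.failures, max(self.schedule))
            self.locked_until = now + self.schedule.get(step, 0)
        return "wrong"


def checked_guesses_within(window_seconds: float, schedule=None, max_failures: int = 10) -> int:
    """Guesses the service really compares inside the window when every guess is
    wrong and the client waits out each lockout (i.e. the limiter is enforced)."""
    lock = PinLock("000000", dict(DEFAULT_SCHEDULE if schedule is None else schedule), max_failures)
    if not lock.schedule:
        raise ValueError("empty schedule: attempts are bounded only by max_failures")
    now, checked = 0.0, 0
    while now < window_seconds and not lock.disabled:
        if lock.attempt("999999", now) == "locked":
            now = lock.locked_until     # wait out the lockout, then retry
        else:
            checked += 1                # the guess was actually compared
    return checked


def days_to_exhaust(keyspace: int, guesses_per_day: int) -> float:
    """Days needed to try every PIN at the enforced rate (10**6 for six digits)."""
    return keyspace / guesses_per_day
```

With only the lockout schedule enforced (no disable threshold), the service compares 31 guesses per day, so a six-digit space takes decades to exhaust; with the disable threshold as well, it compares ten guesses and then refuses all further attempts.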

Caute_cautim
Community Champion

@denbesten I agree, with other measures, but you cannot change irises, eyes, fingerprints, or faces, unless you want to willingly undergo surgical procedures at cost. However, within the next ten years there will be a whole host of different cybernetic augmentations for the human body to overcome losses or deficiencies, so perhaps one can change eyes, facial features and fingerprints.

 

But some organisations can facilitate this if you are willing, at a cost.

 

Regards

 

Caute_Cautim

denbesten
Community Champion

Equating biometrics with other authenticators does not work well due to wildly different characteristics. In addition to being permanent, they also are continuously disclosed, difficult to lose/forget, and difficult to clone (presuming one is not a sheep 😀).  I view biometrics more as "another tool in the toolbox", not as part of a "choose one" set.

 

Unlocking a logged-in device that one has in their physical possession is one of the few good use-cases I see. The reason being that I can use the "convenience" of FaceID as a trade-off to gain acceptance of a security goal, short (1-minute) idle locks.  

 

Coupled with that, though, is that biometrics are insufficient when the situation becomes suspicious.  For example, a PIN is required after an iPhone reboot, and one must reauthenticate to add a new camera on Windows.  And, as failed in the original article, when rate-limiting has been exceeded.

 

Caute_cautim
Community Champion

@denbesten All good common sense, although this appears to be a rarity these days!!

 

Unfortunately, some governments see this as a means of advertising digital identity initiatives and grandstanding, whilst others use such techniques for mass surveillance purposes.  The public definitely needs to be kept informed.

 

Regards

 

Caute_Cautim