
As Google endeavours to do away with passwords, biometric authentication as a method of proving identity has gained popularity. Logging into a system using a fingerprint or other biometric data would be something that is very difficult to steal. HSBC and First Direct have opted for voice biometric verification for their personal and business account customers.

Would remote biometric authentication be as efficient, secure and robust as we would like it to be? What role could mobile phone apps (i.e. iOS 7) play for remote biometric authentication applications?

BitsInForce
  • Please clarify. Are you referring to logging into a system on the same device (i.e. my Online Banking app), or when you say "Remote" are you referring to an alternate device? (i.e. using my Phone to unlock a Door or Laptop) – 700 Software Aug 01 '16 at 15:57
  • Nowadays, it does not matter what device you use to login, they are all connected. i.e. If you start with a laptop, and try to login with a smartphone or an iPad, sometimes, you find that you are already logged in. Remote refers to the availability of any device which can access the internet. – BitsInForce Aug 01 '16 at 18:03
  • You might find of interest: Windows Hello with Windows 10 Mobile has the technical capability to use biometric auth to (highly oversimplifying) store and unlock use of a web service credential in a phone's TPM. Off hand, only the Lumia 950 comes to mind as currently having the hardware for robust biometric authentication -- iris recognition. (The same mechanism works with Windows 10 PCs that use biometrics.) Last I heard there was still only one site (a bank) involved with trialing this. Just one of the most recent implementations of robust biometric auth on mobile that may be worth a look. – mostlyinformed Oct 01 '16 at 07:22
  • Some technical details, from documentation for devs: https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/device/web-authentication/. Shame it apparently hasn't gotten very aggressive promotion among potential Windows 10 devs from MS. – mostlyinformed Oct 01 '16 at 07:32

2 Answers

1

Biometrics should never be used for direct remote authentication. It suffers two major flaws:

  • it must be stored in clear text or at least with an invertible encryption on the server - it has been discussed many times why it is not possible to store a hash of a fingerprint, mainly because what the sensor sees may be slightly different each time
  • it cannot be revoked if compromised

So if one server has an image of your fingerprint to authenticate you, and if someone manages to get an image of it (from the server, from your passport, from a beer glass, etc.) he will be able to authenticate on behalf of you, and the only thing you will be able to do is to find another authentication method.

The correct way (which is described on a Microsoft page about that) is to have a private key on a local system (say a mobile phone), and that key is locally secured by your fingerprint. But even in that case, all is stored on the mobile phone(*) (the private key, and an image of the fingerprint in an invertible form), so if it is stolen you must immediately ask the server to revoke the current key. The good point is that as the key is an asymmetric key independent of the fingerprint, you can easily revoke it, and create a new one to use on your new phone.

(*) That means that if the phone can be unlocked with the fingerprint, you do not have a multi-factor authentication system, but only a "something you have".

That being said, for securing a local device, a fingerprint is probably less secure than a good password because it may exist on your passport and on the last glass you have used, but certainly more secure than a trivial one and at least you should never forget it...

Serge Ballesta
  • Additionally, with all biometrics you need to balance false positives and false negatives, so there is always a region where similar fingerprints may match the correct one, for example. – Rory Alsop Mar 30 '17 at 10:19
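The design this answer recommends (a device-held asymmetric key that the fingerprint only unlocks, a server that stores nothing but the public key, and revocation of the key rather than of the biometric) can be shown end to end in a few dozen lines. The following Go program is an added illustration written for this page, not code from the answer, from Microsoft, or from any real implementation. The device ID, the `constructed-template` bytes and the byte-for-byte "match" are constructed stand-ins: a real sensor performs a fuzzy comparison, which is exactly why the template cannot be hashed and must stay on the device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the phone. The private key and the biometric template live
// only here; neither is ever sent to the server. The template is a
// constructed placeholder and the "match" is a plain byte comparison, which
// stands in for the fuzzy matching a real sensor performs.
type Device struct {
	ID       string
	priv     ed25519.PrivateKey
	pub      ed25519.PublicKey
	template []byte
}

// Server holds only public keys and a revocation flag per device, plus the
// one-time challenges it has issued and not yet seen answered.
type Server struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
	pending map[string][]byte
}

func NewDevice(id string, template []byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv, pub: pub, template: template}, nil
}

func NewServer() *Server {
	return &Server{
		keys:    map[string]ed25519.PublicKey{},
		revoked: map[string]bool{},
		pending: map[string][]byte{},
	}
}

// Enroll registers the device's public key. No biometric data crosses the
// wire, so a breach of the server yields nothing that impersonates the user.
func (s *Server) Enroll(d *Device) {
	s.keys[d.ID] = d.pub
	s.revoked[d.ID] = false
}

// Challenge issues a fresh random nonce for the device to sign. Refusing
// revoked devices here (and in Verify) is what makes a stolen phone useless
// once the user reports it.
func (s *Server) Challenge(id string) ([]byte, error) {
	if _, ok := s.keys[id]; !ok || s.revoked[id] {
		return nil, errors.New("unknown or revoked device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[id] = nonce
	return nonce, nil
}

// Sign is the device-side step: the local biometric check gates use of the
// key. The fingerprint only unlocks the key; it is never itself the credential.
func (d *Device) Sign(presented, challenge []byte) ([]byte, error) {
	if !bytes.Equal(presented, d.template) {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify checks the signature against the stored public key and consumes
// the nonce, so a signature captured in transit cannot be replayed.
func (s *Server) Verify(id string, sig []byte) error {
	nonce, ok := s.pending[id]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, id)
	if s.revoked[id] {
		return errors.New("device revoked")
	}
	if !ed25519.Verify(s.keys[id], nonce, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Revoke is the answer's "ask the server to revoke the current key": the
// user keeps the fingerprint, only the key is thrown away.
func (s *Server) Revoke(id string) {
	s.revoked[id] = true
	delete(s.pending, id)
}

func main() {
	srv := NewServer()
	dev, err := NewDevice("phone-1", []byte("constructed-template"))
	if err != nil {
		panic(err)
	}
	srv.Enroll(dev)
	nonce, _ := srv.Challenge(dev.ID)
	sig, _ := dev.Sign([]byte("constructed-template"), nonce)
	fmt.Println("login:", srv.Verify(dev.ID, sig))
	fmt.Println("replay:", srv.Verify(dev.ID, sig))
	srv.Revoke(dev.ID)
	_, err = srv.Challenge(dev.ID)
	fmt.Println("after revoke:", err)
}
```

Two properties of the answer's argument are visible in the code: the server never learns anything it could be robbed of (only a public key), and revocation plus re-enrolment of a new key pair is an ordinary operation, whereas the user's fingerprint never changes. The same structure is what the comment above about Windows Hello describes, with the key held in the phone's TPM instead of in process memory.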
-1

Biometric systems are more secure than voice systems (I have personally experimented with fooling a voice authentication) but I feel that the bigger problem will be in making it accessible.
Currently the hardware to support biometric authentication is not present in many mobile phones. Especially the mid range ones.
In countries like India, Bangladesh and such, it will take years for general mass or even a critical mass of users to have access to such phones and hence the technology to be a norm.

Limit
  • It does depend which kind of biometric authentication. Face recognition is also a kind of biometric authentication, but very easy to trick with a simple picture of e.g. the phone owner. – O'Niel Jul 02 '16 at 15:27
  • Actually when the op talked about new phone models, I assumed it was about fingerprints – Limit Jul 02 '16 at 15:35
  • This thread (http://security.stackexchange.com/questions/1680/biometric-versus-other-two-factor-authentication-mechanisms?rq=1) is similar to our discussions in that it compares biometric and other two factor authentication – BitsInForce Jul 05 '16 at 18:09
  • "Biometric systems are more secure than voice systems" - how do you compare the two? Voice recognition is just one kind of biometric check. – elsadek Dec 30 '16 at 07:10