How our skin protects our smartphone – and where it needs additional protection.
A tap of your finger or a fixed gaze into the camera of your smartphone or tablet are enough to unlock it. That is more convenient and faster than entering a long password. But is it secure?
Methods currently in use
- Fingerprint sensors: If you apply for an electronic passport or a new ID, you realize how widespread biometric methods are. Most mid-range smartphone devices are already equipped with this kind of sensor.
- Face recognition: Apple calls its method “Face ID”, while Microsoft calls it “Windows Hello”. In both cases, the operating system records the user’s face. If your tablet or smartphone is locked, a look into the front-facing camera is all you need. This works even if you take off your glasses momentarily.
- Iris scanning: A function that recognizes the iris of the user’s eye is less common but falls into the same category. The iris also has an individual pattern.
Is my biometric data secure?
The biometric markers have to be stored on the device to enable a comparison between the data received by the sensor or camera and that of the reference pattern. This leads security-conscious users to ask whether attackers have access to the reference patterns on their phones.
In fact, this cannot be completely ruled out, because the device manufacturers play their cards close to their chest. This is why it is entirely possible for your own fingerprint to be copied off your device with a Trojan.
Apple is exemplary in this respect. In the case of Face ID, the references are initially saved to a computational model. The reference itself is stored in an encrypted area in the iPhone. Images are not stored on the device; only the data of the computational model is.
Biometric security keys are primarily convenient
Biometric patterns for unlocking a device primarily add convenience because they let you log in faster. While our biometric patterns are individual, this does not make them more secure than a password, if only because we always have them with us.
People leave their fingerprints everywhere, all the time, every day. If a criminal made the effort to pick out a certain victim, it would be easy to steal a glass from a café to get a sample fingerprint. And security researchers have succeeded in tricking the recognition mechanisms of the devices in laboratory conditions using special photos or synthetic imitations of fingerprints. But such attempts at attacks are not suited to the bulk of devices currently in use.
If you prefer to lock your smartphone with face recognition or your fingerprint, go ahead and do it. That is still more secure than no lock at all. However, biometrics is not more secure than a strong password.