Biometric authentication approaches

September 25, 2013

Apple recently released the iPhone 5s with a fingerprint sensor as a replacement for the typical 4-digit PIN code. As most people in the security space expected, it only took a few days until the biometrics team at the CCC (Chaos Computer Club) was able to fake a fingerprint and unlock an iPhone 5s. The article can be found here (German) and here (English). If you’re not willing to read, here is the initial video, which was re-done based upon request of, which is available here.

So what does that mean for biometric authentication?
Although we’re in total agreement that passwords must die, the security feature that looked promising at first glance turned out to be just cheap hardware that can be compromised simply by increasing the scanning resolution. Biometrics might be a way to get away from passwords, but not with simple and cheap hardware. As the fingerprint sensor was meant to replace the typical 4-digit PIN code, this might just have been the first step. But just imagine the impact if the necessary interfaces had already been open to application developers leveraging this technology. In that case your mobile banking account would be easier for an attacker to get into than before, your credit card data in the App Store, and so on. The CCC hack would then be the initial (and not very complicated) step towards a complete identity theft.

Another approach was taken by the inventors of nymi. They are trying to capture something unique: your heartbeat. But your heartbeat is just a single component of a 3-factor authentication: you’ll need your heartbeat (pretty hard to lose), your nymi device and your authorized authentication device (nymi calls that the AAD), such as a smartphone, tablet or whatever. So even if you lose your smartphone and someone gets hold of your nymi device, they’re still missing the third component.

But nymi still offers an attack vector, from my understanding: the nymi device uses Bluetooth to communicate with your AAD, so there is some potential for hijacking the Bluetooth connection and all information that is exchanged over it.

Looking at the nymi approach, there’s only one conclusion: biometrics on their own will not replace passwords (not as long as devices like fingerprint readers are so weak that they cannot do a deep enough scan to distinguish a faked fingerprint). Biometrics will be part of multi-factor authentication as a replacement for passwords. A good idea might be a combination of the nymi approach with fingerprints: a fingerprint sensor that is able to read not only the skin-deep fingerprint but also the pulse running through the finger. This combination cannot be faked at all. And with all paranoia, it does allow certain scenarios: your left thumb in combination with your heartbeat just unlocks your device, while your right middle finger in combination with your heartbeat and a security code or external token might authenticate you into your corporate network when using private devices as part of a BYOD strategy. Additionally, this combination would remove the Bluetooth attack vector that is still open with the nymi approach, so intercepting the information would require a physical attack on the device.

One question is still circling in my head; maybe someone is able to answer it: what happens to your heartbeat in case of a myocardial infarction, or in case you are defibrillated during a medical emergency? Will such an event change your heartbeat and potentially destroy your access token?

Categories: IAM, Mobility, Privacy, Security