Blog: Opinions

Biometric revocation not an option

Joe Bursell 04 Mar 2015


It sometimes feels like biometric authentication has been talked about forever, making the pace of change in the technology seem like it’s going at a snail’s pace in comparison. With Qualcomm’s Snapdragon Sense ID 3D Fingerprint Technology (now that’s a mouthful) they’ve upped the ante by creating something which reads more than the contours of a fingerprint.

For those in the know it’s a challenging but do-able exercise to get someone’s finger print and replicate it; create a dummy one that can then be used to access a device. There’s a great write-up here.

What Qualcomm does differently is that their sensor isn’t capacitive, it uses sound to map the outer layers of a person’s finger, which is mapped in great detail. It looks like that makes it impervious to the dummy fingerprint attack, which is a really smart idea.

It would be even better if combined with another authentication layer or two, such as a PIN or password, or both. 2FA or 3FA in this way it would be seriously robust.

Whatever. When are you going to tell us how to hack it?

I’m not. I’m sure someone, someday will come up with that for you, In the meantime I’m going to explore another angle; revocation.

Data breaches are everywhere or so it seems. When they happen and your password is compromised, you the user can easily revoke that stolen password by creating a new one. That’s one good thing about passwords. It however may also be a reason why some organisations don’t care too much about securing that data; it’s easy to remedy a stolen password and the user does it for themselves.

So, bearing in mind the rise in the number of breaches, and the subsequent leaking of passwords (and what some would call a slack attitude to securing that data in the first place), what do you do if your fingerprint biometric is stolen? How can that be revoked and reset? Do you pop out to your local finger salon and get a bag of new ones? I don’t think so…

The storage of that fingerprint data by the service you use is therefore critical. One single, tiny breach and your fingerprint could become utterly useless for authentication.

There are methods that respond to this, such as taking more than one set of data from a fingerprint. This means that only one set of data of would need to be revoked without the need for a whole new fingerprint. Given enough time and enough breaches, even this would find its limits.

Being sensible

Just because you CAN do something, doesn’t mean you should. Using biometrics as a 1FA wonder authentication is pretty dim. It should be used in conjunction with other factors, always.

Unfortunately, users are already getting used to fingerprint auth as a sole method of unlocking their phones. They’re going to be expecting it more widely in future.

Is a print better or worse than a basic PIN? Maybe it’s better, more resistant to shoulder surfing. Maybe it’s worse, as prints can often be lifted from the very device you’re trying to unlock.

Time will tell, but in the meantime, long PINs and 2FA would be very wise.