Biometrics are nothing new to the IAM space, yet it seems that security measures like fingerprint readers and retinal scanners were reserved for highly regulated industries, the government and the movies; but all of that is changing. Advancements in consumer technology are changing the way we approach technology. MP3 players existed before the iPod, smart phones existed before the iPhone, tablets existed before the iPad, but Apple made them cool. When Apple confirmed the rumors of the fingerprint scanner in the latest iPhone 5s, I was excited. No one likes security and given the option, users tend to forego security measures for the sake of simplicity. That being said, if you can find the right balance between security and usability, people will opt for security. Apple may not have invented the fingerprint reader, but just like the iPod and iPhone, they made it “cool.”
Personally, I’m an Android user so I’ve been waiting for Samsung’s response to the iPhone 5S and the rumors were confirmed at Samsung Unpacked 2014 last month. As you might expect from an IAM consultant, I am very concerned about security – but I loathe passwords – so I can’t wait to get my hands on the GS5. But before I take the plunge, I need to know how Samsung will secure my biometric data. One of the benefits of a password is that it can be changed, but if the biometric template containing the information about my fingerprint is compromised, what am I going to do? I suppose I could chop it off, but then I’ll only have 9 “passwords” left and eventually it will be difficult to lift my coffee mug.
Apple made a point to explain their security measures to consumers. Apple’s “Touch ID” does not store any images of fingerprints; instead it stores a hashed mathematical representation of your fingerprint. This is good news because if the data is ever compromised, new hashed indexes can be issued with the same fingerprint and you don’t have resort to melting off your precious arches and whorls.
In addition, the “Secure Enclave” is separated from the rest of the A7 chip so your fingerprint data can’t be accessed by any other applications or even other aspects of iOS itself. Lastly, the data is never backed up to iCloud or stored on any third party servers. Overall, I am confident in Apple’s security measures and I would have no problem storing my fingerprint with iOS, but what about Android?
I’ve done quite a bit of digging and while everyone is talking about the new Gear 2 and Gear Fit, few are talking about security. I did find that the PayPal integration works through the FIDO Ready™ software on the device, and according to the FIDO alliance specifications, biometric information should never leave the user’s device. This is great news, but I still want to know a little more – How are my fingerprints stored? What prevents other applications from accessing the data? Is it backed up? Unfortunately, I have not yet been able to find much reliable data on the security measures taken by Samsung.
When Samsung finally does publish details on their security controls, I will be sure to post an update; in the meantime, what are your thoughts? Are you concerned about the privacy of your biometric data?
Update 05/08/2014:
Unfortunately, Samsung has yet to publish any information on their website, in the Samsung Galaxy S5’s user manual, or any other channels, regarding the security measures that have been put in place to protect the biometric information contained on the device. When I spoke with customer service about this I was assured the following:
A. The fingerprint information is stored as an encrypted proprietary value, on the device itself.
B. The information is not shared with third parties or any other remote server.
C. Third party applications can only access whether or not there was a successful or failed identity validation.
Which sounds great, I just wish Samsung felt confident enough in their security measures to publish them.
By Bryan Cole, Identropy
About Identropy
Identropy is a leading Identity as a Service (IDaaS) provider, whose offerings enable organizations to derive maximum value from their Identity and Access Management (IAM) initiatives in the most cost-effective manner. Providing domain expertise across the entire IAM lifecycle, Identropy’s Advisory, Implementation and Identity-as-a-Service (IDaaS) service offerings have already benefited more than 150 organizations. Identropy’s innovative Secure Cloud-based Unified Identity (SCUID) platform enables organizations to reduce the cost and complexity, optimize day-to-day management, and accelerate time-to-value of their IAM investments. Founded in 2006, Identropy is a privately held company. For more information visit www.identropy.com.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.