We have a password problem, and there is no denying it. According to Dashlane, the maker of a popular password manager, the average user in 2015 already had at least 90 online accounts; in the UK the figure was 118 and in the US 130. That many accounts is not only a massive security risk but also hard to maintain. What is more troubling is that we store many of those account details on our phones, so anyone who controls your phone has access to most of your accounts.
Fingerprint locks seemed to be the solution. A fingerprint is always with us, it is something we cannot "forget", and the complexity of the ridge pattern supposedly makes it nearly impossible to forge. The reality is rather different. Of the various reasons not to rely on fingerprint locks, three stand out for me:
Fingerprints can be hacked
You leave fingerprints everywhere, probably on the phone itself. Doorknobs, railings, glasses, photos: we leave prints on almost everything we touch, so an attacker has plenty of places to lift your fingerprint from.
The Chaos Computer Club demonstrated this as far back as 2008, when, to protest a German politician's push for biometrics, the club recreated and published his fingerprint. In 2013 it used a latex copy of a print to open a fingerprint lock. More recently the approach has been repeated with playdough and Elmer's glue, showing how easy it is becoming to fabricate a physical print.
Worse yet, fingerprint systems can also be attacked in software. At the Black Hat 2015 conference in Las Vegas, two security researchers demonstrated a series of attacks on phone fingerprint locks. They built an app that mimicked the phone's unlock screen and, once the victim touched the sensor, used the scan to approve a financial transaction. They pre-loaded their own fingerprints onto a phone to gain access. They showed it was relatively easy to reconstruct a fingerprint image from the file the phone stored it in. And they compromised the scanner itself so that it leaked a fingerprint image every time it was used.
You cannot change fingerprints
If your password is stolen, you can change it. What happens when your fingerprint is stolen?
This is something that is often overlooked. Fingerprints are forever, and once an attacker has a copy there is nothing you can do about it. Even while you sleep, someone can unlock your phone by pressing your finger to the sensor, provided they are careful not to wake you.
This is particularly disturbing when you consider how many government organizations collect fingerprints, and the growing number of private firms that use them for authentication.
Police don’t need your permission to unlock a phone with biometrics
A fingerprint is physical evidence, and the police are entitled to collect it in the course of an investigation. They therefore do not need your permission to use it to unlock your phone. The same is not true of a password or PIN, which only you know.
Apple fought the FBI to a largely unresolved standstill over access to the phone used by the San Bernardino terrorist, arguing that the FBI was attempting to compel Apple to speak, and to speak against its own interests, something that should not be allowed. The FBI dropped the case after paying a third party to break into the phone. Rent-a-hacker proved effective, but it also proved expensive, and for the time being most cases are unlikely to warrant such an investment.
So, what are the alternatives?
Fingerprints are convenient but not always the best form of security. If you do use them, enrol just one finger rather than several; that way, if one print is compromised, you still have nine others. Also choose a finger that is not commonly used to unlock a phone: the little finger or the middle finger is enrolled far less often than the index finger or the thumb, so someone trying your hand while you sleep is unlikely to succeed on the first attempt.
Use a PIN or, better, a password. Android supports both, and they are safer than fingerprints or even pattern unlocks. Fingerprint unlock is simply convenient, so if you keep a lot of sensitive data on your phone, it is better not to rely on biometrics at all.
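To put numbers behind the claim that PINs and passwords beat pattern unlock, the following added example (not code from the original article) enumerates every valid 3x3 unlock pattern under the assumed stock Android rules (4 to 9 distinct dots; a stroke may not jump over an unvisited dot, but may pass over one already in the pattern) and compares the result with the raw keyspace of PINs and passwords. The guess rate in the demo run is an assumed figure, not a measurement. One caveat the raw counts expose: a 4-digit PIN has fewer combinations than the pattern space, so the article's advice holds cleanly for 6-digit PINs and passwords; what keyspace does not capture is that user-chosen patterns are highly predictable and easy to shoulder-surf.

```python
import math


def _midpoint(a, b):
    """Node lying exactly between a and b on the 3x3 grid (nodes 0-8, row-major),
    or None when the segment a->b does not pass over a third node."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def count_patterns(min_len=4, max_len=9):
    """Count valid Android-style 3x3 unlock patterns, keyed by number of dots.

    Rules assumed (stock Android behaviour): 4 to 9 distinct dots; a stroke
    may not jump over an unvisited dot (that dot would be selected instead),
    but may cross a dot that is already part of the pattern.
    """
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def dfs(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if visited & (1 << nxt):
                continue  # each dot may be used once
            mid = _midpoint(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # would skip an unvisited dot: not a legal stroke
            dfs(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        dfs(start, 1 << start, 1)
    return counts


def keyspaces():
    """Raw number of secrets an attacker must try for each unlock method."""
    return {
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "3x3 pattern, 4-9 dots": sum(count_patterns().values()),
        "8-char alphanumeric password": 62 ** 8,
        "12-char password, 94 printable ASCII": 94 ** 12,
    }


def entropy_bits(keyspace):
    """Equivalent key length in bits for a uniformly chosen secret."""
    return math.log2(keyspace)


def hours_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every secret at a fixed rate with no lockout."""
    return keyspace / guesses_per_second / 3600


if __name__ == "__main__":
    # Assumed attacker rate (an illustrative figure, not a measurement):
    # one guess every 2 seconds from a script or robot driving the lock screen.
    # Real devices add throttling and lockouts that slow this down further.
    rate = 0.5
    for name, size in keyspaces().items():
        print(f"{name:40s} {size:>22,d}  {entropy_bits(size):6.1f} bits  "
              f"{hours_to_exhaust(size, rate):>16,.1f} h")
```

Run it and the pattern count comes out at 389,112, well below the million 6-digit PINs and many orders of magnitude below even a short random password; the depth-first search is the part worth keeping, since the same walk can be adapted to model other grid sizes or stricter stroke rules.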
Of course, nobody expects people to give up fingerprint locks; they are simply too convenient. Right or wrong, however, the power of governments to collect and store information about our digital selves keeps growing. The FBI's Integrated Automated Fingerprint Identification System holds tens of millions of prints unrelated to any crime, collected from military personnel, government workers, and other innocent people. And government files are not always secure: the 2015 data breach at the US Office of Personnel Management exposed 5.6 million fingerprints, making prints one more thing that can be stolen and used to violate our privacy, in this case for a very long time.