Biometric technology: Looking to the future

Welcome to Threat Intel’s #WednesdayWisdom column, which aims to help improve your cyber security knowledge and keep you informed on important developments.

Issues around the security, reliability, and privacy of biometric technology were catapulted into the headlines recently when Apple introduced its new iPhone X to the masses at its annual event in California.

The iPhone X is the first iPhone to utilize facial recognition technology, and its introduction has led to both privacy and security experts expressing concerns that using this technology might make it easier for people — including law enforcement and border control officials, as well as potentially hackers — to unlock people’s phones, potentially against their will.

Apple, of course, disputes this, and also says that the chances of a random person being able to unlock your phone with their face is one in a million.

However, its introduction has brought to the fore again questions about biometric technology, and how secure it may be if used for things like unlocking your phone or making payments in shops.

What is biometric technology?

Dictionary.com defines biometrics as “the process by which a person’s unique physical and other traits are detected and recorded by an electronic device or system as a means of confirming identity.”

Apple’s move into using facial recognition is far from the first time we have seen biometrics being used as a security feature on mobile phones — the iPhone fingerprint scanner, which will be replaced on the iPhone X by the facial recognition technology, has been a feature on the iPhone since the launch of the iPhone 5s in 2013. That is something that many of us got so used to that it will be a wrench for it to be replaced with new technology, demonstrating, perhaps, how quickly the public can adapt to new types of authentication.

However, as there were security concerns around fingerprint scanning technology, which it was possible to spoof, there will also be concerns about facial recognition technology. Iris scanning technology and facial recognition technology on Samsung’s S8 smartphone were both cracked by researchers using photographs. This highlights one of the main issues some people have pointed out about using facial recognition for security: unlike your fingerprint, people can see your face when they’re in your presence, and it is likely many photos of it exist online. This prompts some questions: could someone unlock your phone with a photo? Could people restrain you and hold up your phone to your face and unlock it that way?

Apple has said that its Face ID technology means that a person’s phone could not simply be unlocked with a photograph: the iPhone uses an infrared system to project a grid of 30,000 invisible light dots onto a person’s face to map it in a 3D shape. You also have to look at the phone for it to unlock, so you could not hold it up to the face of its sleeping owner to unlock it. However, while this technology certainly sounds more secure than what has gone before it, it doesn’t guarantee it is unhackable. The real test of it will be when the iPhone X becomes broadly available and researchers and others have a chance to test its security.

Another concern around the use of biometric technology on mobile phones, which also applied to the existing fingerprint technology on so many phones, is that the law about whether or not you can be obligated by a member of the authorities to unlock your phone is a grey area. It has been established in the courts in the U.S. that, under the Fifth Amendment, an individual cannot be forced to reveal the PIN that will unlock their phone, but whether or not they can refuse to unlock it using biometrics has not been definitively established.

Ultimately, while the ability to unlock devices using biometrics may offer greater convenience, it is not as secure as protecting your phone with a complex and unique PIN. If privacy is your concern, then a secure PIN is probably still the best way to protect your phone. However, it should be noted that, in the UK, convictions have been brought against individuals who have refused to hand over their passcodes when entering the country.

Be still my beating heart

Mobile phones are far from the only area in which we are seeing biometrics being used for authentication and security.

Some researchers have also recently put forth the idea of using your heartbeat to log in to computers and mobile phones. In 2015, MasterCard and Canadian biometrics company Nymi completed the first “in the wild” credit card transaction that was authenticated by reading the user’s unique heartbeat pattern. The transaction was carried out using Nymi’s dedicated payments authentication wristband. The company has claimed the technology could be built into other fitness trackers and smartwatches, and it says it can be used anywhere that accepts contactless payments.

MasterCard is somewhat at the forefront when it comes to trialing ways to use biometrics to authenticate payments. At Mobile World Congress last year it introduced the idea of “selfie payments”, where users would take a selfie to authenticate their identity. It included this software as part of its Identity Check Mobile rollout in a number of European markets in late 2016.

Ears, which have distinct characteristics unique to an individual, have also been mooted as a part of the body that could be used as a unique identifier, and even as a way to authenticate payments.

Another recent story that raised eyebrows and inspired headlines was when a company microchipped its employees to allow them to scan into their offices and do things like purchase food without needing anything as old fashioned as an access card.

So, will biometrics and microchipping eventually mean that we no longer need passwords or ID cards and our body will literally be what identifies us? Time will tell.

However, while the advantages of biometrics are, of course, that they are much harder to guess or spoof, the problems are that if your biometric identity is compromised somehow there is little you can do about it — it is a lot more difficult to change your face, heartbeat, or gait than a password.

Predicting the future

As biometric technology advances, many people are naturally asking what will be next? In the always fast-moving world of tech it is hard to say. But some observers have speculated that Apple’s face tracking will lead to people becoming more accustomed to having their faces tracked, with the potential in the future to have technology that not only recognizes your face, but could perhaps even predict how you are feeling from your facial expression.

However, the Minority Report style future that sort of speculation brings to mind is probably still some time away.

For now, for those purchasing the iPhone X, the best advice is probably not to put all your eggs in the facial recognition basket, but to also ensure you have a good password enabled to keep your phone secure.

Don’t put all your eggs in one basket when it comes to mobile phone security

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.