With the release of the iPhone 5S and its integrated fingerprint scanner in September 2013, there is a renewed interest in security measures that go beyond simple passwords. While the iPhone's fingerprint scanner is the first enhanced security device most consumers have come into contact with, it is not the first to appear on a consumer device, nor the best, nor probably as secure as people think it is.
Following the phone's debut, the race has been on to spoof a user's fingerprint or otherwise fool the iPhone's scanner to find a vulnerability. Within two days of the phone's release, a German hacker group claimed to have broken it, but independent tests of their methods have not been successful. In the meantime, users have found that the scanner will respond to parts of the body other than fingertips, from cats' paws, to human toes, to human nipples. But cyber security experts are arguing that fingerprints, or any biometric mark or pattern, should never be used as security measures.
In an article posted in early October, a security buff argues that biometrics will never be secure, and that true security relies on something that is changeable, known only to the person, and relies on personal choice (I'm paraphrasing here). His argument against fingerprints hinges on their ubiquity -- they are everywhere on the device they're being used to secure. He also points out that fingerprints are given fairly regularly by people with professional careers and international travelers, increasing the chances they will be compromised.
In digging deeper and reading up on the subject, the consensus among security experts (and, not surprisingly, those selling security devices) is that the conjunctive use of multiple security measures is the best way to ensure access is granted only to those who are authorized to have it. The industry term for this is "multi-factor authentication" (MFA), and you may already be using it without realizing what it is. In 2012, Gmail began allowing users to reinforce their accounts with one-time-use numerical codes sent to their phones in addition to passwords. That's a prime example of MFA.
MFA security relies on a combination of three factors:
Knowledge Factors - Essentially, something only the intended user will know. This is typically a password or a PIN or a pattern. Basically, anything used to open up a smartphone.
Possession Factors - These are things that only the intended user will have. Those random-number-generating keyfobs for bank accounts fall under here, as do Smart Cards (that skinny slot on your laptop that most people don't use).
Inherence Factors - This is a security factor based on an inherent quality of the user and is, as of this writing, entirely limited to biometrics -- retina, fingerprint, voice profile, etc.
If your organization is preparing a security audit or will be upgrading its own security measures soon, here are some tips to consider:
- A unique phrase is harder to crack than a password with special characters. Sure, it might sound more secure to require passwords with one upper-case and three lower-case letters with two special characters, but users forget those and often write them down, compromising security. They are also easy for modern cracking software to break. Alternatively, a phrase of unique words and spaces, like "won't you gentleman have a pepsi", requires much more time and effort for software to crack.
- There are a number of security measures reliant on the possession factor -- Wikipedia alone lists over 20. Consider your users' needs and habits, as well as the device's vulnerabilities, if you are selecting something from this group. USB ports/dongles can break, LCD screens can be ruined if sat on or bumped too hard, and some devices require expensive additional equipment.
- Inherence-based security measures should really only be considered for protecting against non-Government intrusions against personal/company data. Fingerprints and other biometric data are given too often, and too freely, to government agencies.
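To put numbers behind the first tip, here is an added worked comparison (my own example, not from the original post) of the search space an attacker faces for a character-class password versus a multi-word passphrase. The 95-character alphabet, the 8-character length, the 10,000-word dictionary and the 10 billion guesses per second are assumed parameters chosen to be representative; the model shows both what the passphrase looks like to a character-by-character brute force and, more realistically, to an attacker who guesses whole words from a dictionary.

```python
import math

# Assumed attacker model: an offline GPU cracker against a fast hash.
# The figure is illustrative, not a measurement of any particular hardware.
GUESSES_PER_SECOND = 1e10

# Assumed policy parameters for the two schemes being compared.
PRINTABLE_ASCII = 95          # letters, digits, punctuation, space
COMPLEX_PASSWORD_LENGTH = 8
WORDLIST_SIZE = 10_000        # words the attacker assumes the user drew from
PHRASE_ALPHABET = 26 + 2      # lower-case letters, space and apostrophe


def search_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of alphabet_size ** length, i.e. bits the attacker must guess."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust a search space of 2**bits guesses."""
    return 2.0 ** bits / rate


def word_count(phrase: str) -> int:
    """Words in a space-separated passphrase (the post's example has six)."""
    return len(phrase.split())


def compare(phrase: str) -> dict:
    """Bits of search space for each scheme under each attacker strategy.

    - 'complex_password': 8 printable-ASCII chars, brute-forced per character
    - 'phrase_char_bruteforce': the phrase attacked character by character
    - 'phrase_dictionary': the phrase attacked word by word from a wordlist,
      which is the realistic model and the one that matters for the tip.
    """
    words = word_count(phrase)
    return {
        "complex_password": search_space_bits(PRINTABLE_ASCII, COMPLEX_PASSWORD_LENGTH),
        "phrase_char_bruteforce": search_space_bits(PHRASE_ALPHABET, len(phrase)),
        "phrase_dictionary": search_space_bits(WORDLIST_SIZE, words),
    }


if __name__ == "__main__":
    for scheme, bits in compare("won't you gentleman have a pepsi").items():
        days = crack_seconds(bits) / 86400
        print(f"{scheme:24s} {bits:6.1f} bits  ~{days:.3g} days to exhaust")
```

The caveat the model makes explicit: a passphrase is only as strong as the wordlist the attacker has to search. Six words drawn from a 10,000-word dictionary are around 80 bits, comfortably above the 52 or so bits of an eight-character "complex" password, but a well-known quotation is effectively one entry in a much shorter list, so the words should be the user's own, not a famous line.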