We officially have a password problem. The average user in 2015 had at least 90 online accounts, says Dashlane, maker of a popular password manager. In the UK, the number was 118. In the US, a whopping 130. Even more troubling, we store far too many login details on our phones and tablets (I am certainly guilty of this), meaning anyone with access to our phones can also access our accounts.
Fingerprint locks - Touch ID for iPhone users - promised to be our salvation. They are easy to use and depend on characteristics unique to each of us. We are also always attached to our digits, so they cannot be stolen or forgotten. And dactylogram complexity supposedly makes our prints nearly impossible to crack.
The reality, however, is rather different. Of the various reasons to not use fingerprint locks, for me, three stand out:
#1 People can hack your fingerprints (and scanners)
We leave fingerprints behind everywhere we go: on doorknobs, on railings, on cups and glasses, on keypads, on screens, in photos—you name it. So there are lots of places hackers can harvest this supposedly uncrackable password.
The Chaos Computer Club demonstrated this as far back as 2008. To protest a German politician’s proposal to implement biometrics, the club used a photograph to recreate his fingerprint. In 2013, it used latex to create a fake finger to open a lock. More recently, the approach has been repeated with playdough and Elmer’s glue, highlighting just how easy it is becoming to recreate physical prints.
Worse yet, fingerprints can also be hacked virtually. At the 2015 Black Hat convention in Las Vegas, a couple of security experts demonstrated a number of hacks for fingerprint locks. They built an app that mimicked a phone’s unlock screen; when used by the victim, it could approve a financial transaction. They pre-loaded fingerprints onto the phone, enabling access. They showed it was relatively easy to rebuild a fingerprint from the file used to store it. And they hacked the scanner itself, allowing them to grab fingerprint images whenever used.
#2 You can change your password — not your fingerprints
This is so basic it is often overlooked. When my email account was hacked several years ago, I changed the password and the problem went away. But if someone were to hack my fingerprint, they would always have it.
Think about what that means. Fingerprints are forever. Once the bad guys have them, they can keep using or selling them to other bad guys. This is particularly disturbing when you consider how many government organizations collect fingerprints and the increasing number of private firms using it for authentications.
Fingerprints are forever. Once the bad guys have them, they can keep using or selling them to other bad guys.
#3 Police don’t need your permission to unlock a phone with biometrics
It is also important to remember that we are not always in control of our own hands. All someone has to do to get you to unlock your phone is press your fingers against the screen.
This has been allowed in the US, where a judge granted a search order to police officers in Glendale, California. The position is that a fingerprint is “physical evidence”, akin to a physical key, which can be gathered as evidence or demanded by court order. Moreover, fingerprints are readily available because they are routinely collected as part of basic police and legal procedures. And because fingerprints are physical and not “testimony”, they are not protected by the Fifth Amendment’s clause on self-incrimination.
Not so passwords and PIN codes. Forcing a person to show you something “in their mind” is testimonial, and thus coercion is prohibited. Large tech companies (including AVG) make a similar argument about corporate information. Fighting the FBI to a largely unresolved standstill over access to the phone used by the San Bernardino terrorist, Apple made the legal argument that the FBI was attempting to force Apple to speak — and speak against its own interests, something that should not be allowed. The FBI dropped the case after paying a third party to hack the phone. While rent-a-hacker proved effective, it also proved rather expensive; and for the time being, most cases are unlikely to warrant such an investment.
Still, it is within the realm of possibility that law enforcement agencies could force or coerce manufacturers to include back doors to devices for harvesting prints through fingerprint locks.
Final note on fingerprints and security
Of course, I don’t expect people to give up using fingerprint locks. They are just too convenient. Right or wrong, however, the power of government to collect and store information on our digital selves is soaring. The FBI’s Integrated Automated Fingerprint Identification System includes tens of millions of prints not related to criminal activity, collected from military personnel, government workers, and other innocents. And more generally, government files are not always secure. The 2015 data breech at the US Office of Personnel Management included 5.6 million fingerprints, suggesting fingerprints have become one more thing that can be hacked and used to violate our privacy, in this case, for a very long time.