We all thought biometrics were better security…

Multi-factor authentication (MFA) – which includes biometrics – is an essential step in every cyber security plan.

Multi-factor authentication (MFA) is also referred to as dual-factor authentication (DFA) and two-factor authentication (2FA). All have the same function, which is to provide a one-time password (OTP) securely, and only to the authorised user, so they can get access to a service. Examples of services that implement MFA for added security are Microsoft 365, Google, WordPress and Amazon, among many others.


I use face ID on my iPhone and Windows Hello on my laptop. I have used fingerprint biometrics on my phones when they had it and it is another way to get into my laptop as it also includes a fingerprint reader. Biometrics – the something you have that you would expect no one to be able to duplicate. Even Apple thought of that and its face ID does not work if your eyes are closed, so that someone special cannot open your phone whilst you are asleep!

Well, of course, researchers looking for that next paper cannot leave things alone. That is fine if they are doing it in the open, but you can bet the threat actors are doing it behind closed doors.

Researchers Yu Chen, from Tencent's Xuanwu Lab, and Yiling He, from Zhejiang University, have compromised the fingerprint security of a range of Android smartphones with an attack they call BrutePrint (Chen & He, 2023). The research team are calling for the fingerprint scanner and smartphone manufacturers to tighten up their implementation of the technology to close this flaw.

It is not a quick way to break into a smartphone, but you would assume the threat actors are working on a stolen phone, so they have all the time in the world.

It has not been tested on all Android phones – but it does work on some very popular phones. At the moment, iPhones resist the attack.
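The reference at the end of this post describes the attack as a brute-force one, and the researchers' ask is for manufacturers to tighten their implementations. The classic implementation-side control against brute force is a failed-attempt budget with an escalating lockout, and the added example below (my own illustration, not code from the paper or from any handset vendor) shows what that control looks like when wrapped around any match function, fingerprint or otherwise. The thresholds (5 failures, 30 s base lockout doubling each time, 1 h cap) are assumed values chosen for the demonstration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class AttemptGuard:
    """Enforces a per-device budget of failed match attempts.

    After `max_failures` consecutive failures the device is locked for a period
    that doubles with every lockout (capped), so the number of guesses an
    attacker can have evaluated per hour collapses instead of growing linearly."""
    max_failures: int = 5
    base_lockout_s: float = 30.0
    max_lockout_s: float = 3600.0
    _failures: Dict[str, int] = field(default_factory=dict)
    _lockouts: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def attempt(self, device_id: str, match: Callable[[], bool], now: float) -> str:
        """Returns 'locked', 'accepted' or 'rejected'. `match` is only invoked
        when the device is not locked, so a locked device costs the attacker
        wall-clock time without revealing anything about the candidate."""
        if now < self._locked_until.get(device_id, 0.0):
            return "locked"
        if match():
            # Success clears both the failure count and the backoff level.
            self._failures[device_id] = 0
            self._lockouts[device_id] = 0
            return "accepted"
        self._failures[device_id] = self._failures.get(device_id, 0) + 1
        if self._failures[device_id] >= self.max_failures:
            level = self._lockouts.get(device_id, 0)
            duration = min(self.base_lockout_s * (2 ** level), self.max_lockout_s)
            self._lockouts[device_id] = level + 1
            self._locked_until[device_id] = now + duration
            self._failures[device_id] = 0
            return "locked"
        return "rejected"

    def locked_for(self, device_id: str, now: float) -> float:
        """Seconds of lockout remaining for the device (0 if not locked)."""
        return max(0.0, self._locked_until.get(device_id, 0.0) - now)


def simulate_guessing(total_tries: int, guard: AttemptGuard) -> Tuple[int, str]:
    """Constructed scenario: one wrong candidate presented once per second.
    Returns how many candidates the matcher actually evaluated and the last status."""
    evaluated = 0
    status = "rejected"

    def always_wrong() -> bool:
        nonlocal evaluated
        evaluated += 1
        return False

    for t in range(total_tries):
        status = guard.attempt("phone-A", always_wrong, now=float(t))
    return evaluated, status


if __name__ == "__main__":
    evaluated, last = simulate_guessing(100, AttemptGuard())
    print(f"100 tries, {evaluated} evaluated, last status: {last}")
    # Legitimate owner after the lockout expires: correct match is accepted and resets the budget.
    g = AttemptGuard()
    for t in range(5):
        g.attempt("phone-B", lambda: False, now=float(t))
    print("owner during lockout:", g.attempt("phone-B", lambda: True, now=10.0))
    print("owner after lockout:", g.attempt("phone-B", lambda: True, now=40.0))
```

The point of the simulation is the ratio: 100 presentations in 100 seconds, but only a dozen ever reach the matcher. Whatever the matcher is, the budget only protects if every path to it is counted, which is the kind of implementation detail the researchers are asking vendors to get right.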

Your takeaway on biometrics and MFA

I have two:

  • You still need to use MFA – make sure everyone in your team uses MFA where it is available.
  • Have a policy for the use of smartphones (both iPhones and Android) in your organisation if they are being used for BYOD* and holding your information.


Clive Catton MSc (Cyber Security) – by-line and other articles

* BYOD – bring your own device.

References

Chen, Y., & He, Y. (2023). BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack. arXiv preprint arXiv:2305.10791.

Further Reading

Something you know, something you have or something you are.

Are you using Bring Your Own Device – BYOD – to save money?

Featured photo by cottonbro studio