My Next Phone: Security – Fingerprint Sensors

The Lock Screen

We all do it: we secure our device with a pattern, PIN or password that we use to unlock the device. It’s one of the most simple security measures to use and set up on a mobile device.

But for the people who just can’t be bothered to enter a password every time you receive a text message (i.e. myself), there’s a new way of doing things: fingerprints.

Fingerprint sensors aren’t a new technology, and they’ve been on Apple’s iPhones and Samsung’s Galaxy devices for a couple of years. But the feature is now steadily creeping onto more and more devices, including budget smartphones below the £/$150 mark.

Devices such as the LG G5 and Huawei P9, phones I’m considering for their unique cameras, both have fingerprint sensors on the back of the phone, as opposed to the iPhone 7 and Samsung Galaxy S7 which have a Home Button and fingerprint Sensor combination on the bottom bezel at the front of the device.

A fingerprint sensor can not only be used to unlock the device, but also as a secure method of authorising a payment or purchase. Fingerprint technology is therefore being implemented into mobile payment systems such as Apple Pay, Android Pay and Samsung Pay, and fingerprints can also be used on Android, in the place of a password, when buying digital items and apps from the Play Store.

Fingerprint Sensors: Are They Safe?

Even if a fingerprint is supposed to be more secure than a password, what’s to stop anyone from hacking the data of my fingerprint and being able to use it in future.

Maybe I’m being too paranoid, and maybe I’ve seen too many shows and films like 24 and Mission Impossible, but I don’t feel safe putting in another entry of personal information into my phone.

Also, what’s to stop someone from figuring out a way to bypass this security measure and unlock my device?

Fingerprint Variants

Naturally, I had to do a bit of reading on this. As Android Authority notes in this article published 13 December, there are three types of fingerprint sensors: optical, capacitive, and ultrasonic.

Optical Fingerprint Sensors

Optical sensors work like cameras, and take a digital photograph of your fingerprint. They then use an algorithm to detect “unique ridges and patterns” on your fingertips. Apparently the sensors have more diodes per inch than a regular camera, which helps to capture details and counteract the limitations of a finite resolution. As you’re covering the sensor with your finger, LED flashes come into action to capture the details in the dark.

AA highlights the lack of security with Optical sensors, as they take a 2D image and are easy to fool with prosthetics, as the main reason they’re being phased out, with the bulky technology a secondary reason as this creates a problem for slim phone designs.

Capacitive Fingerprint Sensors 

Capacitive sensors are more common in today’s smartphones, and use tiny capacitor circuits to collect data about a fingerprint.

From Android Authority:

As capacitors can store electrical charge, connecting them up to conductive plates on the surface of the scanner allows them to be used to track the details of a fingerprint. The charge stored in the capacitor will be changed slightly when a finger’s ridge is placed over the conductive plates, while an air gap will leave the charge at the capacitor relatively unchanged. An op-amp integrator circuit is used to track these changes, which can then be recorded by an analogue-to-digital converter.

The TL;DR of that is that it captures your fingerprint in parts. Your phone may ask you to move your finger around the sensor so that it can record different features. The captured digital data can then be compared and used to detect features of your finger in the future.

It’s not as easy to fool a capacitive scanner as it is an optical sensor, making it more secure, but it’s not immune from software or hardware hacking.

Also from Android Authority:

Creating a large enough array of these capacitors, typically hundreds if not thousands in a single scanner, allows for a highly detailed image of the ridges and valleys of a fingerprint to be created from nothing more than electrical signals. Just like the optical scanner, more capacitors results in a higher resolution scanner, increasing the level of security, up to a certain point.

As capacitive sensors are costly, earlier versions opted to cut the number of capacitors needed by using something called a ‘swipe scanner,’ which would “collect data from a smaller number of capacitor components by quickly refreshing the results as a finger is pulled over the sensor.”

As many consumers complained at the time, this method was very finicky and often required several attempts to scan the result correctly. Fortunately, these days, the simple press and hold design is far more common.

Ultrasonic Fingerprint Sensors

This is the newest form of fingerprint sensor technology to enter the mobile phone space, and incorporates an ultrasonic transmitter and receiver into the design. A pulse is sent out by the transmitter, and while some of the pulse is absorbed by your finger, some of it bounces back to the receiver from the ridges and pores of your finger.

Instead of implementing a microphone to listen for signals, a sensor to “detect the mechanical stress is used to calculate the intensity of the returning ultrasonic pulse at different points on the scanner.”

The aforementioned Android Authority article notes explains that, as ultrasonic sensors capture three dimensional images of your fingerprint, they are more secure than optical or capacitive sensors put together:

Scanning for longer periods of time allows for additional depth data to be captured, resulting in a highly detailed 3D reproduction of the scanned fingerprint. The 3D nature of this capture technique makes it an even more secure alternative to capacitive scanners.

The article also mentions that there is more technology at play than simply the fingerprint Sensor, such as the supporting infrastructure of software and hardware, such as a dedicated IC, various algorithms and cryptography, and also notes how a sensor will capture small parts of information (minutae) at a time:

Typically these algorithms look for where ridges and lines end, or where a ridge splits in two. Collectively, these and other distinctive features are called minutiae. If a scanned fingerprint matches several of these minutiae then it will be considered a match. Rather than comparing the whole fingerprint each time, comparing minutiae reduces the amount of processing power required to identify each fingerprint, helps avoid errors if the scanned fingerprint is smudged, and also allows the finger to placed off-centre or be identified with only a partial print.

The article also details what kind of security is used to keep this information secure, and area which I’m particularly interested in:

ARM processors can keep this information securely on the physical chip using its Trusted Execution Environment (TEE) based TrustZone technology.

[…]

Qualcomm’s take on this is built into its Secure MSM architecture while Apple talks this up as the “Secure Enclave”, but it is all based on the same principle of keeping this secure data on a separate part of the processor that cannot be accessed by apps operating in the regular operating system environment.

This is interesting as I didn’t realise the types of fingerprint sensors and different technologies varied so greatly, and the quotes above and below reassure me a little bit when it comes to the data associated with my fingerprint, how it is stored on my phone, and how it is used by companies and banks:

The FIDO (Fast IDentity Online) Alliance has developed strong cryptographic protocols that use these protected hardware zones to enable password-less authentication handshakes between hardware and services. So you can log into a website or online shop using your fingerprint without your unique data ever having to leave your smartphone. This is accomplished by passing digital keys rather than biometric data to servers.

Reading all of this has reassured me that my fingerprints are in good hands, but I’m still weary of the technology. After all, the Galaxy S7 is the first phone I’ve the had with a fingerprint sensor, and idea of using a fingerprint rather than a swipe to unlock my device, or a password to pay for music from the Play Store, is still so new to me.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s