Problems with Apple Touch ID illustrate larger challenges of biometrics
In previous posts on Access Granted, I’ve looked at utilizing biometrics – the innate, distinctive characteristics of a person – to provide authentication when logging into accounts or systems. With biometrics, the authenticating factor can be a retinal scan, fingerprint scan and even – in the case of Barclays Bank – the blood flow in a user’s finger.
This seems like bulletproof authentication. I mean, how do you fake a retinal or fingerprint scan, right? Unfortunately, as I’ve stated previously, that’s not entirely the case.
Biometric authentication alone can still fall victim to many of the issues that plague other forms of authentication. Man-in-the-middle attacks and other forms of malware can still be used to steal credentials – even if they’re the image of a fingerprint – or piggyback into sessions following the successful authentication, since the process is still in-band.
But the other major issue with biometrics was on full display earlier this week when Apple’s Touch ID ran into some unexpected problems.
According to multiple sources, including a recent article from Tech Times, the most recent update to the iOS operating system – which was intended to fix multiple bugs and issues on the company’s iPad and iPhone devices – managed to create an issue with the Touch ID fingerprint reader. Multiple users have reported that the reader itself is no longer recognizing or registering fingerprints.
This isn’t really a huge issue on iPad and iPhone devices, since a user ID can be entered to log a user into their device. It’s really more of an inconvenience than anything else. However, it does perfectly illustrate an issue with biometrics – they rely on sensitive scanners and ultimately don’t allow for flexibility for the user.
If a user is looking to access an account, profile or system that only relies on biometrics for authentication, the reliability and accuracy of the device that reads the user’s iris, fingerprint, blood flow or other biometric factor becomes an important issue. When these devices are unavailable or break, the user finds himself without access and in a state of frustration. If this was a user’s virtual machine or desktop, productivity has just ground to a halt and nothing is getting done.
A better alternative would be to implement an authentication solution that utilizes multiple factors for authentication, but gives the user options for how they want to authenticate their identity. In this situation, a user can still get access, even if a biometric scanner or device goes offline.
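The sketch below is an added example, not code from this post or from any product it mentions. It contrasts a policy that insists on the biometric with one that accepts any two distinct factor categories; the factor names, the `Factor` fields and the two-category threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Factor categories: something you know / have / are.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

@dataclass(frozen=True)
class Factor:
    name: str          # hypothetical factor name, e.g. "fingerprint"
    category: str
    available: bool    # False when the sensor or device is offline or broken
    verified: bool     # result of this factor's own check for this attempt

def authenticate(factors, required_categories=2, must_use=None):
    """Grant access only if enough *distinct* categories verified.

    must_use: optional factor name the policy insists on (models a
    biometric-only or biometric-mandatory deployment).
    Returns (granted, sorted list of factor names that counted).
    """
    usable = [f for f in factors if f.available and f.verified]
    if must_use is not None and must_use not in {f.name for f in usable}:
        return False, []          # mandatory factor down: user is locked out
    by_category = {}
    for f in usable:
        by_category.setdefault(f.category, f.name)  # one factor per category
    granted = len(by_category) >= required_categories
    return granted, (sorted(by_category.values()) if granted else [])

def sample_attempt(sensor_ok):
    # Constructed sample: one user, three enrolled factors.
    return [
        Factor("fingerprint", INHERENCE, available=sensor_ok, verified=sensor_ok),
        Factor("pin", KNOWLEDGE, available=True, verified=True),
        Factor("otp_token", POSSESSION, available=True, verified=True),
    ]

if __name__ == "__main__":
    for sensor_ok in (True, False):
        attempt = sample_attempt(sensor_ok)
        print("sensor ok:", sensor_ok)
        print("  biometric mandatory:", authenticate(attempt, 1, must_use="fingerprint"))
        print("  any two categories: ", authenticate(attempt, 2))
```

Counting categories rather than factors keeps the fallback path from weakening the policy: two knowledge factors (a PIN plus a password) still count as one.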
But there’s another reason why biometrics may not be the answer for many enterprises – flexibility and changing passwords. As we just discussed, biometrics aren’t bulletproof. They can be compromised and accounts can still get hacked. In this instance, it’s normally essential that the user’s login credentials get changed. That’s a simple fix for many authentication factors, but not with biometrics.
Assume the authentication solution checks a user’s identity via their fingerprints – quite possibly the least limiting of the options. In this instance, the user can only really change their password nine times before they’re removing their shoes to log in. This creates a significant limitation and challenge for the IT staff when accounts are compromised and credentials need to change.
The fingerprint scanners not working on iPads and iPhones isn’t the end of the world. It’s more annoying than anything, and will ultimately just force users to tap their screens four times to access their devices. But look deeper and you see a problem that could very possibly impact more than just tablets and smartphones. The reliance on a high-tech scanner for authentication creates a reliability issue that could lead to people getting locked out of accounts and frustrated with their authentication solutions. To truly combat this, users need more than just ease-of-use; they need authentication options that are both simple and strong.