Could Apple’s new Touch ID Hardware Redefine Mobile Security?

Apple’s new iPhone 5S with Touch ID hardware uses biometrics in the form of a fingerprint to unlock a device – a potential game changer for Multi-factor Authentication (MFA) mobile development.

Multi-factor Authentication (MFA), a type of security in which more than one form of authentication is utilized for verification, has been around for quite some time. The mobile world, however, has yet to fully embrace this security feature.

In September, Apple released the new iPhone 5S with new Touch ID hardware that uses biometrics in the form of a fingerprint to unlock a device. Could this innovation be a game changer for MFA mobile development once a public interface is released?

Almost every mobile app that stores personal information requires some sort of authentication. Credentials (username and password) are used in the vast majority of these applications. This single-factor authentication is good enough for most apps, but some, such as healthcare or financial apps, require an additional layer of security. See the Multi-factor Authentication Primer for more details about MFA.

Multi-factor Authentication in Mobile Apps – Current Limitations

The choices available to a mobile developer for the second authentication factor are somewhat limited. In the Something Only the User Has category there are a few hardware options available, such as the RSA token key fob. This device generates a random 6-digit number every 60 seconds. During the authentication process, the user would provide his/her credentials along with the 6-digit number read from the key fob. While this approach will certainly work, many users object to having to carry around another piece of hardware in addition to their mobile device. Additionally, key fobs are small and easy to lose, and replacing them carries an additional cost.

To combat the burden of an additional piece of hardware, some clever app developers use the mobile device itself as the second authentication factor. For example, every iPhone has a unique serial number assigned by Apple, which can be used as the second authentication factor. This approach is alluringly simple but has a very serious downside: if the device is stolen, this factor is rendered useless. If a would-be hacker obtains a device, only the password stands between the hacker and potentially sensitive data. An astute reader might claim that the same security hole exists for the key fob approach. Namely, if the key fob is lost or stolen, then this factor is also useless. However, the chances that both the mobile device and the key fob are stolen are small enough to make this vulnerability less severe. Nonetheless, both approaches are valid ways to accomplish MFA in a mobile app.

Security at your fingertips

In September 2013, Apple introduced the iPhone 5S. Among several hardware improvements, Touch ID stands out as a potential breakthrough in security. Apple’s Touch ID system uses biometrics, in the form of a fingerprint, to unlock the device (see the Biometrics Primer below for more details). The fingerprint would be a Something the User Is type of authentication factor.

While fingerprints have been used to secure desktop computers and laptops for several years, Touch ID represents the first major foray of fingerprint technology into the mobile hardware arena. Apple uses Touch ID as a replacement for passwords, allowing the user to unlock the device by placing the tip of a finger on a sensor integrated into the “home” button of the device. At the time this article is being written, Touch ID is only used by the iOS operating system. There are no public interfaces or APIs to the Touch ID subsystem, so mobile app developers can only ponder its potential use in multi-factor authentication. However, it is not too difficult to design such an authentication system in advance (a priori), so that it is ready to deploy once Apple releases a public interface for Touch ID. The diagram below illustrates the components needed to implement MFA on a mobile device:

[Figure: MFA diagram]

Implementing MFA on a mobile device – Green blocks can be changed by the developer. Yellow blocks are accessible by the developer but can’t be changed. Red blocks are NOT accessible by the developer.

As the diagram above shows, implementing MFA using a fingerprint on a mobile device involves only a few new APIs, namely the methods of the iOS Keychain. Although the details of authentication with a fingerprint are important, understanding the overall process is more valuable, as it will give you a sense of the components your app will have to provide during each step of the process: enrollment, fingerprint capture, analysis and, finally, authentication.

The future is (almost) here

This article has shown that multi-factor authentication using a fingerprint on a mobile device is not only possible, but can soon be done using existing technology on one of the most popular mobile platforms in use today: the Apple iPhone 5S. This style of multi-factor authentication has a distinct advantage over existing multi-factor authentication schemes used on mobile devices. Namely, by combining user credentials and fingerprints, this method uses two distinct factors of authentication. This differs from most of the existing MFA schemes that rely on credentials and the mobile device itself, all of which are rendered useless if the device is stolen.

A final word of caution: authentication using fingerprints is not a guarantee for securing the private data in your app. No authentication factor can offer such a guarantee. However, when used in combination with other well-established authentication factors, fingerprint authentication can add a much-needed layer of security around your innermost secrets when it comes to app data.

Review of terms

Multi-factor Authentication Primer

What is multi-factor authentication and why is it important? Any application with even the slightest amount of security has a login feature. Typically, the login asks the user for a username and a password. A system administrator issues the username and default password to the user. The user will then usually be required to change the password on the initial login.

There are many other details about credentials beyond the scope of this article, and I encourage you to seek out other articles on credential security for further details. In short, asking for a user’s credentials on a login screen introduces the concept of authentication. The application developer has added a security feature that requires a user to authenticate before using the application. In this example, the user’s credentials are a factor in authentication. More specifically, a username and password constitute single-factor authentication, as the user must provide one piece of information to prove their identity, namely the password.

MFA extends this concept by allowing for several factors of authentication instead of just one.  Some of the industry standards for the types of factors are as follows:

  • Something only the user knows (e.g. a password)
  • Something only the user has (e.g. a piece of hardware)
  • Something only the user is (e.g. a fingerprint)

The level of security is increased with each successive factor. In order to be most effective, different types of factors should be used. Let’s look at two examples to illustrate this point:

  1. Ask a user for his/her password and his/her favorite color
  2. Ask a user for his/her password and his/her fingerprint

The first example uses two pieces of information that the user knows (password and favorite color). A would-be hacker might use social engineering to figure out the user’s password and favorite color. The second example uses one piece of information that the user knows (password) and one piece of information that the user is (fingerprint). The hacker could figure out the password using the same social engineering approach; however, obtaining the user’s fingerprint would require a completely different approach.  Thus, the second example is considered more secure than the first.

Biometrics Primer

Biometrics is the science of identifying an individual using biological information. The most common types of biometrics are fingerprint, palm print, retinal scan, voice recognition, blood typing and DNA sequencing. Among these types, fingerprint is the most widely used, as identification by this method has been used (by law enforcement) since the early 20th century.

The classification of fingerprints is a well-established science and computer technology has streamlined the process of enrolling, capturing, analyzing, and identifying fingerprints. The enrollment process is the means whereby a user’s fingerprint is captured and stored for future use. Capturing a fingerprint is akin to taking a picture of your finger. This is done by placing a finger on a flat surface, typically glass, plastic, or composite material. A fingerprint sensor then captures a digital image of the fingerprint using one of two predominant technologies: digital camera or ultrasonic imaging.

Analyzing the fingerprint involves extracting the unique features of the fingerprint captured in the digital image. These unique features are called minutiae, and a fingerprint usually contains about 10-30 minutiae. Thus, instead of storing the entire digital image of the fingerprint, all fingerprint systems store only minutiae.

Storing only the minutiae serves two purposes:

  1. The size of the minutiae file is extremely small compared to that of a digital image file (a few Kilobytes versus a few Megabytes)
  2. A minutiae file can only be generated from analyzing a digital image captured from a fingerprint scanner

The final step is to identify a fingerprint as belonging to a particular individual. To complete this, a known minutiae file (or set of minutiae files) is taken and compared against the user’s fingerprint. Identification is done using sophisticated computer algorithms, which can very accurately determine if the fingerprint is a match. For the purposes of this article, authentication is accomplished by matching the fingerprint captured during enrollment with the fingerprint captured during login.
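To make the enrollment-versus-login comparison concrete, here is a simplified matcher, added as an example and not taken from the original article or from any vendor's algorithm. It assumes the two prints are already aligned (real matchers also correct for rotation and translation); the minutia tuple layout, the tolerances, the 0.6 threshold and all sample data are constructed for illustration.

```python
import math

# A minutia is (x, y, ridge angle in degrees, kind); kind is "ending" or "bifurcation".
def paired(a, b, dist_tol=8.0, angle_tol=15.0):
    """True when two minutiae agree in kind, position and ridge direction."""
    dangle = abs(a[2] - b[2]) % 360
    dangle = min(dangle, 360 - dangle)          # angles wrap around at 360
    close = math.hypot(a[0] - b[0], a[1] - b[1]) <= dist_tol
    return a[3] == b[3] and close and dangle <= angle_tol

def match_score(template, probe):
    """Fraction of minutiae paired one-to-one (greedy), between 0.0 and 1.0."""
    unused = list(template)
    hits = 0
    for m in probe:
        for cand in unused:
            if paired(m, cand):
                unused.remove(cand)             # each enrolled minutia pairs once
                hits += 1
                break
    return hits / max(len(template), len(probe))

def authenticate(template, probe, threshold=0.6):
    """Unlike a password hash, a fingerprint never matches exactly: compare a score."""
    return match_score(template, probe) >= threshold

# Constructed sample data, not real fingerprint measurements.
ENROLLED = [
    (30, 40, 10, "ending"), (55, 42, 95, "bifurcation"), (70, 80, 180, "ending"),
    (25, 90, 270, "bifurcation"), (90, 30, 350, "ending"), (110, 70, 45, "ending"),
    (60, 120, 135, "bifurcation"), (100, 110, 225, "ending"),
    (40, 140, 300, "ending"), (120, 140, 60, "bifurcation"),
]
# Same finger at login: sensor jitter, one minutia missed, one spurious detection.
SAME_FINGER = [(x + 3, y - 2, (a + 5) % 360, k) for x, y, a, k in ENROLLED[:9]]
SAME_FINGER.append((150, 20, 0, "ending"))
# A different finger: minutiae in other places with other ridge directions.
OTHER_FINGER = [(x + 40, y + 25, (a + 90) % 360, k) for x, y, a, k in ENROLLED]

if __name__ == "__main__":
    print(match_score(ENROLLED, SAME_FINGER), authenticate(ENROLLED, SAME_FINGER))
    print(match_score(ENROLLED, OTHER_FINGER), authenticate(ENROLLED, OTHER_FINGER))
```

The threshold and tolerances set the trade-off between false accepts and false rejects, which is why fingerprint matching is a tunable decision rather than an equality check.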

One note worth mentioning about fingerprints is that, like all security measures, they have vulnerabilities. Some of these vulnerabilities are comical in nature, while others are purely mathematical. The first of these is the so-called “dead finger” vulnerability. The theory behind this vulnerability is that a would-be hacker could cut off a user’s finger and use it to log in. Aside from the ghastly image this conjures up, there is very little to worry about in this scenario. Most modern fingerprint scanners can detect if the finger placed on it is connected to a real, live human being using pulse oximetry or similar capacitive resistance technologies.


Another popular vulnerability is that a would-be hacker could make a digital copy of a user’s fingerprint (from a coffee cup, for example) and somehow place this copy on his/her finger (thus bypassing the dead finger problem). The fingerprint scanner would detect a live finger and read the copy of the user’s fingerprint. In fact, this technique has been validated by the popular science show MythBusters. In practice, replicating a good enough copy of a user’s fingerprint requires technology that is beyond the reach of all but the most highly financed hackers. But this does highlight the final vulnerability of using fingerprints for authentication. If a user loses a password, he/she can generate a new one. In fact, most systems REQUIRE that a user change his/her password on a frequent basis. You can change your password every day without ever running out of possible combinations of letters, numbers, and punctuation symbols. With fingerprints, the number of times a user can change “passwords” is 9, due to the physical limitation that most people have only 10 fingers. If your fingerprint becomes compromised, you have only 9 other replacements!