Name: Vijayanth Tummala
Class: CSE 5272 Computer and Information Security
Assignment: Term Paper

Benefits & Flaws of Using Biometric Authentication in Mobile Devices

Authentication is the mechanism that enforces the confidentiality and integrity goals of the CIA (Confidentiality, Integrity and Availability) triad for data that is stored or transmitted. Authentication is meant to make sure that authorized users get access to the data and that unauthorized users are denied access to the resources, thereby keeping the resources and data secure from unauthorized access. With the advent of new technologies, different types of authentication, "something you have", "something you know" and "something you are", are in common use. "Something you are" authentication makes use of a biometric feature of an individual, such as fingerprint verification or iris recognition.
After the launch of Touch ID in the iPhone 5s, the use of fingerprint authentication on mobile devices has increased [1]. Several leading smartphone companies have followed suit and started using the fingerprint as an authentication mechanism. In this paper we explain authentication and its different types, then the working of a fingerprint authentication system in general and in mobile devices. Using fingerprint authentication has benefits as well as flaws, and both are discussed in this paper.

[1] IEDs on the Road to Fingerprint Authentication: Biometrics have vulnerabilities that PINs and passwords don't.

Introduction:
Authentication is the process of proving an asserted identity [4]. For example, a password is used to authenticate a user and give the legitimate user access to a website or a system, and at the same time to deny access to unauthorized users. Authentication information must therefore be kept private: once it is shared, the authentication process no longer distinguishes the legitimate user from anyone else who holds the secret, and it fails in its purpose.

Authentication affects confidentiality and integrity in the following way. Confidentiality means that only authorized users can read the data, and integrity means that only authorized users can access and modify the data [4]. Authentication mechanisms provide the way to enforce these two principles: every user who needs to access the system is verified with the help of a mechanism such as a password, a card or a fingerprint. If the authentication mechanism fails, an unauthorized user gets access to the system, and the confidentiality and integrity of the system structure and of the data within it are lost.

[4] Charles P. Pfleeger, Shari Lawrence Pfleeger, Jonathan Margulies. Security in Computing, Fifth Edition, 2015.
The different types of authentication used to secure a system are "something you have", "something you know" and "something you are". Each of these is described in detail in the next section.

User Authentication Types:
The three authentication types ("something you have", "something you know" and "something you are") serve the same function, which is to authenticate the user, give the user access to the system and protect the system from unauthorized access. They differ in how they work. "Something you know" authentication uses information the user knows as the authentication secret. Passwords, PINs, passphrases and a mother's maiden name are examples of "something you know" [4]. The user enters the information when requested and, on entering the right information, gets access to the system. Passwords are the most commonly used of these.
"Something you have" authentication uses an object issued to the user by the organization in order to authenticate the user to the system. Examples are identity badges at work or at a gym: at a company the user must swipe the identity card to gain access to company resources. "Something you are" authentication uses the physical features of a person for the purpose of authentication. Features used for authentication include the fingerprint, the voice, the iris and the face [4]. During international travel, fingerprint scanners at airports are used to authenticate the traveller against the system and make sure the person is not blacklisted. This type of authentication is also known as biometric authentication.

Some organizations use more than one of these authentication types to increase the security of the system; this is known as multifactor authentication [4]. An example of multifactor authentication is withdrawing money from an ATM: the user must insert a debit card ("something you have") and then enter the ATM PIN ("something you know"), and money is dispensed only when both have been verified. Another way to increase security is multimodal authentication. Here several checks are taken from a single one of the three authentication types, in contrast to multifactor authentication, which combines different types (such as "something you have" and "something you know"). An example of multimodal authentication is requiring both fingerprint authentication and iris authentication before granting access to company premises.

Fingerprint Authentication System:
Fingerprint authentication is a type of biometric authentication ("something you are"). In biometric authentication a sample is taken and matched against previously stored measurements in order to reliably ascertain the identity of the individual [1].
Biometric authentication makes use of unique features to ascertain identity. A fingerprint authentication system works on the same principle: it uses unique features of a fingerprint to distinguish one fingerprint from another. A person's fingerprint consists of lines that run in different directions in a pattern; these lines are called ridges, and the spaces between the ridges are known as valleys [2]. Ridges are used as the unique identifier in a fingerprint authentication system for distinguishing between fingerprints.

The two approaches used to match fingerprints are minutiae matching and global pattern matching, also known simply as pattern matching [2]. A ridge has two important features, the ridge ending and the ridge bifurcation [2]; ridge endings and bifurcations together are called minutiae. Minutiae matching uses the positions and orientations of these points to compare one fingerprint against another and to distinguish it from non-matching ones. Different algorithms and techniques are used to extract minutiae; for example, Wei, Guo and Ou [5] use multistage minutiae matching in order to get better accuracy. Global pattern matching also uses the ridges for comparison, but it uses the flow of the ridges: the pattern formed by the ridges is what is compared. Fingerprint patterns are classified into three major classes, the arch, the whorl and the loop, and depending on the classification scheme there may be ten or more classes [2]. Global pattern matching works at a higher level than minutiae matching, which works at the microscopic level [2].

[2] Lawrence O'Gorman. Fingerprint Verification Online. Biometrics, 43-64, 1996.
[5] Honglei Wei, Mingen Guo, Zongying Ou. Fingerprint Verification Based on Multistage Minutiae Matching.
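The following example, added here and not taken from the paper or from any of the cited systems, shows the minutiae side of the above in working code: ridge endings and bifurcations are located on a thinned ridge image with the crossing-number rule, two minutiae sets are compared under a rigid alignment, and the enrollment and recognition phases described in the next paragraphs are built on top (one-to-one when a single sample is stored, one-to-many over all of a user's samples otherwise). The skeleton images are drawn by hand, and the distance and angle tolerances and the acceptance threshold are assumptions, not values from the paper or any product.

```python
# Crossing-number minutiae extraction, minutiae matching, enrollment and
# recognition. Added example; skeletons, tolerances and threshold are
# constructed assumptions, not values from the paper or any product.
import math
from dataclasses import dataclass

# 8-neighbourhood in circular order E, NE, N, NW, W, SW, S, SE as (dx, dy).
NEIGHBOURS = [(1, 0), (1, -1), (0, -1), (-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1)]


@dataclass(frozen=True)
class Minutia:
    x: int
    y: int
    kind: str      # "ending" or "bifurcation"
    angle: float   # ridge direction at the point, radians


def grid(rows):
    """Binary skeleton from strings: '#' = ridge pixel, '.' = valley."""
    return [[1 if c == "#" else 0 for c in r] for r in rows]


def extract_minutiae(img):
    """Crossing number CN = 1/2 * sum |P_i - P_{i+1}| around a ridge pixel:
    CN == 1 is a ridge ending, CN == 3 a bifurcation, CN == 2 plain ridge.
    Border pixels are skipped, as real extractors do."""
    h, w = len(img), len(img[0])
    found = []
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            if not img[y][x]:
                continue
            ring = [img[y + dy][x + dx] for dx, dy in NEIGHBOURS]
            cn = sum(abs(ring[i] - ring[(i + 1) % 8]) for i in range(8)) // 2
            if cn not in (1, 3):
                continue
            # Direction = sum of offsets to ridge neighbours: along the ridge
            # for an ending, along the branch for a bifurcation.
            sx = sum(dx for (dx, dy), v in zip(NEIGHBOURS, ring) if v)
            sy = sum(dy for (dx, dy), v in zip(NEIGHBOURS, ring) if v)
            found.append(Minutia(x, y, "ending" if cn == 1 else "bifurcation",
                                 math.atan2(sy, sx)))
    return found


def angle_diff(a, b):
    return abs((a - b + math.pi) % (2 * math.pi) - math.pi)


def match_score(probe, template, dist_tol=2.0, ang_tol=math.radians(20)):
    """Fraction of minutiae paired under the best rigid alignment; every
    same-type (probe, template) pair is tried as the anchor that fixes
    rotation and translation, then remaining minutiae are paired greedily."""
    if not probe or not template:
        return 0.0
    best = 0
    for p in probe:
        for t in template:
            if p.kind != t.kind:
                continue
            rot = t.angle - p.angle
            cr, sr = math.cos(rot), math.sin(rot)
            used, matched = set(), 0
            for q in probe:
                dx, dy = q.x - p.x, q.y - p.y
                qx = t.x + dx * cr - dy * sr   # rotate about p, move p onto t
                qy = t.y + dx * sr + dy * cr
                qa = q.angle + rot
                for i, u in enumerate(template):
                    if i in used or u.kind != q.kind:
                        continue
                    if (math.hypot(qx - u.x, qy - u.y) <= dist_tol
                            and angle_diff(qa, u.angle) <= ang_tol):
                        used.add(i)
                        matched += 1
                        break
            best = max(best, matched)
    return best / max(len(probe), len(template))


class FingerprintStore:
    """Enrollment keeps one or more templates per user. Recognition is
    one-to-one against a single template, one-to-many over all of them."""

    def __init__(self, threshold=0.6):
        self.templates, self.threshold = {}, threshold

    def enroll(self, user, skeletons):
        self.templates.setdefault(user, []).extend(extract_minutiae(s) for s in skeletons)

    def verify(self, user, skeleton):
        probe = extract_minutiae(skeleton)
        best = max((match_score(probe, t) for t in self.templates.get(user, [])), default=0.0)
        return best >= self.threshold, best


# Constructed skeletons: ridge ending at (3,2) and bifurcation at (6,4); the
# same finger captured one pixel to the right; and an unrelated finger.
OWNER_SAMPLE = grid(["......#..", "......#..", "####..#..", "......#..", "#######..",
                     "......#..", "......#..", "......#..", "......#.."])
OWNER_SAMPLE_SHIFTED = grid([".......#.", ".......#.", "#####..#.", ".......#.", "########.",
                             ".......#.", ".......#.", ".......#.", ".......#."])
IMPOSTOR_SAMPLE = grid(["....#....", "....#....", "....#....", "....#....", "....#....",
                        "....#....", ".........", "#########", "........."])

if __name__ == "__main__":
    store = FingerprintStore()
    store.enroll("owner", [OWNER_SAMPLE, OWNER_SAMPLE_SHIFTED])  # two samples: one-to-many
    print(extract_minutiae(OWNER_SAMPLE))
    print(store.verify("owner", OWNER_SAMPLE_SHIFTED))  # (True, 1.0)
    print(store.verify("owner", IMPOSTOR_SAMPLE))       # (False, 0.5)
```

With only two minutiae per template the impostor already scores 0.5, which is why real matchers work on dozens of minutiae and tune the threshold against measured false-accept and false-reject rates rather than picking a round number.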
The working of fingerprint authentication consists of two phases, the enrollment phase and the recognition phase [3]. In the enrollment phase a sample of the fingerprint is taken with a sensor and stored in the database; sometimes multiple samples are taken to improve accuracy. The fingerprint data is sometimes also encoded for security before it is stored [3]. In the recognition phase a new sample is taken and its features are compared with the features of the stored sample to decide whether or not a match is found. The recognition process works differently depending on how enrollment was done [3]. If a single sample was taken during enrollment, recognition performs a one-to-one comparison against that sample; if multiple samples were stored, recognition compares the new sample against each of the stored samples (one-to-many matching over the user's samples) and a match against any of them authenticates the user.

[3] Tiago Duarte, João Paulo Pimentão, Pedro Sousa, Sérgio Onofre. Biometric access control systems: A review on technologies to improve their efficiency. IEEE International Power Electronics and Motion Control Conference, 795-800, 2016.

Fingerprint Authentication in Mobile Devices:
After the launch of the iPhone 5s, the use of the fingerprint scanner as an authenticator on mobile devices has increased [1]. Many smartphone companies have followed suit and added fingerprint authentication to their mobile devices. In 2017 almost all phones from companies like Samsung, Sony, Apple and Motorola have fingerprint authentication.
Samsung phones like the Note 8, S8 and S8 edge have fingerprint authentication, and Sony introduced it in the Z5 [1]. Comparatively cheap phones like the Motorola G5, which costs about $180, also have it.

Most smartphones that feature fingerprint authentication make use of the ARM TrustZone trusted execution environment (TEE) [1]. The TEE isolates "secure world" code from the untrusted user code of the "normal world". Fingerprint information is stored on the TrustZone side so that applications running on the non-TrustZone side [1] do not get access to sensitive data such as fingerprint details. Most smartphones capture the fingerprint data with the fingerprint reader and then store it on the TrustZone side to keep it secure. But the use of TrustZone still has flaws, which are discussed later in the paper, and the way in which less costly phones with fingerprint readers store the data is also a point of concern.

Benefits of using Fingerprint Authentication in Mobile Devices:
Convenience:
Fingerprint authentication is used as a replacement for password and PIN authentication [1]. Passwords are required to follow a set of rules covering their length and the inclusion of special characters and upper- and lower-case letters. Users also log on to multiple websites and have multiple accounts to access.
From the point of view of security it is a good idea to have a different password and PIN for each account, because if one password is disclosed to an unauthorized user the rest of the accounts remain safe. In reality, however, most users end up creating a password that is easy to remember and reusing it, since it is very difficult to remember different passwords for different accounts without coping mechanisms such as writing the password on paper. The same applies to PINs: people have a number of accounts and for security should use a different PIN for each, and they also have to follow rules such as not using birthday-related information like the day, month or year. Since the majority of people have multiple accounts, they end up using coping mechanisms to remember them.

Fingerprints give users a way to avoid passwords and PINs [1] and to move away from the inconvenience of forgetting them or typing them repeatedly. Instead the user simply places a finger on the fingerprint reader and is given access if the fingerprints match. From the user's perspective this is very convenient, especially on a smartphone, since a user unlocks the phone on average about 48 times a day [1]. Fingerprint authentication also eases access to third-party applications. For example, a smartphone user with the Bank of America application can access the account with fingerprint authentication instead of typing the password. A user has many third-party applications on the phone, so instead of typing a password each time an application is opened, fingerprint authentication provides the required security together with ease of use and convenience.

Security:
Fingerprint authentication in general gives users a simple and convenient option instead of passwords and PINs. People in general consider fingerprint authentication to be more secure than the traditional authentication on smartphones [1]. A few of the reasons are as follows: each individual's fingerprint is unique, so the user feels secure that no other person can access the device; and users tend to forget or lose passwords and PINs, whereas the fingerprint is always carried with them.
Another factor is the use of fingerprints in criminal proceedings, which gives the user a sense that the method is trustworthy [1]. According to Apple, the probability that small sections of two different fingerprints are alike enough to register a false match is 1 in 50,000, while the probability of guessing a four-digit PIN in one attempt is 1 in 10,000 [6], which makes fingerprint authentication more secure than PIN-based authentication on a per-attempt basis.

[6] https://support.apple.com/en-us/HT204587

Increase in Customer satisfaction:
Third-party applications installed on the mobile device by the user can also be accessed with fingerprint authentication. Users do not need to call customer care to reset forgotten passwords, and while speaking to the customer care center, authentication can be done through the phone, which shortens the verification time [7].

[7] https://www.finextra.com/blogposting/13724/what-are-the-advantages-of-biometric-authentication-in-replacing-passwords

Security of data after Mobile device theft:
There is always a possibility of a mobile device being lost or stolen. If the device uses password- or PIN-based authentication there is a possibility that the thief will bypass the authentication. For example, on some Android devices the thief only needs to call the device and, during the call, press the back button [8]; the authentication is then bypassed and the data is available to the unauthorized user, in this case the thief. If the device can only be accessed by fingerprint authentication, then even after it is lost or stolen, the person who found or stole the device will not be able to access the data within it, provided the fingerprint itself cannot be spoofed (see the flaws discussed below).

[8] Donny Jacob Ohana, Liza Phillips, Lei Chen. Preventing Cell Phone Intrusion and Theft using Biometrics: Fingerprint Biometric Security utilizing Dongle and Solid State Relay Technology.
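The per-attempt figures cited under Security above (a false match in 1 of 50,000 fingerprint comparisons, and 1 chance in 10,000 of guessing a four-digit PIN) do not by themselves say how secure the lock is: what matters is how those rates compose over the attempts an attacker gets before lockout and over the number of enrolled samples that the one-to-many recognition described earlier compares against. The following derivation is added here and is not part of the original paper; the attempt limit $k$ and the number of enrolled fingers $N$ are parameters, not figures from the paper, and the PIN is taken to be uniformly random (human-chosen PINs are guessed far more often than that).

Let $p = 1/50000$ be the probability that one comparison of a random impostor finger against one stored template falsely matches. With $N$ enrolled templates and acceptance on any match, a single attempt succeeds with probability
$$P_{\text{attempt}} = 1-(1-p)^{N} \approx N p ,$$
and over $k$ attempts before lockout
$$P_{\text{fp}}(k,N) = 1-(1-p)^{kN} \approx k N p .$$
For a four-digit PIN with $k$ distinct guesses, $P_{\text{PIN}}(k) = k/10000$. With $k = 5$ and $N = 1$: $P_{\text{fp}} \approx 1.0\times10^{-4}$ against $P_{\text{PIN}} = 5\times10^{-4}$, so the fingerprint is five times harder to defeat by chance. With $k = 5$ and $N = 5$ enrolled fingers: $P_{\text{fp}} \approx 5\times10^{-4}$, the same as the PIN. Every additional enrolled sample multiplies the false-accept probability, so the one-to-many matching that improves convenience and accuracy for the legitimate user also erodes the margin over a PIN, and the attempt limit is what keeps either figure small.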
Authentication is quick and light weight:
Flaws of using Fingerprint Authentication in Mobile Devices:
Unchangeable and Irrevocable:
One of the biggest benefits of a fingerprint is that it is unchangeable, so the user cannot forget it as a password or PIN can be forgotten. But this benefit becomes one of the biggest drawbacks if for some reason the fingerprint is compromised [1]: the compromised fingerprint can be reused as many times as needed and there is no way of changing it. The verification system offers no remedy once the fingerprints are compromised. It is possible today to break into a system and obtain fingerprint data; for example, in the data theft at the Office of Personnel Management (OPM) the fingerprint data of 5.6 million federal government employees was stolen [1]. This stolen data can now be used by an attacker to gain access to systems that require fingerprint authentication, which includes smartphones.

Fingerprint Spoofing:
Fingerprint spoofing is the making of a replica of a fingerprint from different materials. That spoofing is practical was demonstrated by a group of crackers who defeated the fingerprint authentication of the iPhone 5s as soon as it was launched [1]. They took a high-resolution photograph of the latent fingerprint left on the glass of the touch screen and made a mold from it that could be used as an artificial fingerprint to unlock the smartphone and its contents [1]. It is also possible to make an artificial fingerprint without any physical contact with the person: the fingerprints of the German defense minister were spoofed from a number of high-resolution photographs, including one from a press release [1]. The same minister's fingerprint was also spoofed from a print on a glass of water, and 4,000 copies were made that could be used for fingerprint authentication [1]. 3D printers can also be used to spoof an individual's fingerprint [8]; the latest advances in 3D printing have made this possible and easy. There has also been a case in which police used a 3D printer to spoof the fingerprint of a deceased victim to gain access to the victim's smartphone [8], further supporting the view that fingerprint spoofing can be done easily.

[8] https://www.synaptics.com/sites/default/files/sentrypoint-anti-spoofing-wp.pdf

We leave Fingerprints everywhere:
An important property of fingerprints is that they cannot be switched off: we leave fingerprints everywhere we go and on everything we use. This is like leaving a username and password everywhere we go and on everything we touch [1], and this information can be used by others to access the system.
If passwords are leaked or hacked they can be changed or reset, but we cannot control where we leave fingerprints. This is a major cause for concern for fingerprint authentication, since spoofing can be done from a fingerprint we left behind at a place or on an object we used.

Fingerprint sensor:
A fingerprint sensor takes measurements of the fingerprint, and these measurements are matched against measurements previously taken and stored in the database. By knowing the input format expected by the key storage or computation module [1], it is possible to bypass the authentication mechanism by presenting a false fingerprint reading "on the wire" [1]; in this scenario the need for a fake physical fingerprint is bypassed as well. Since the sensor cannot distinguish between human skin and other similar materials, fake fingerprints made of skin-like materials have been accepted by the authentication system [1]. The techniques crackers use to create a fake fingerprint can also be used by an ordinary person for the same purpose.

Fingerprint Authentication Implementation in mobile:
As mentioned above, most smartphones on the market use ARM TrustZone to store fingerprint data. But these trusted execution environments have been poorly implemented in mobile devices. For example, on the HTC One Max the fingerprint data of the enrolled user was stored in a world-readable file [1], so the data could be read by any application running on the device. Even in a very good implementation of the fingerprint authentication system, the fingerprint reader is exposed to the non-TrustZone side of the operating system, which makes the implementation insecure [1].
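The "on the wire" bypass described under Fingerprint sensor and the exposed reader just described are the same threat seen from two sides: code in the normal world that can observe or write the channel between the reader and the matcher can replay a captured reading, or forge one from a template it has read out of a world-readable file, without ever touching the sensor. The example below is added here and is not code from the paper or any vendor. It simulates that attacker against a naive matcher that accepts any correctly formatted reading, and against a matcher that issues a fresh single-use nonce and accepts only readings tagged with an HMAC under a key shared between the reader and the secure world. The key, the message layout, the reading bytes and the use of byte equality in place of the real minutiae comparison are all assumptions.

```python
# Sensor-to-matcher channel: replay and forgery against a naive matcher, and
# the same attempts against a challenge-bound, MAC-authenticated channel.
# Added example; key, message layout and readings are constructed assumptions,
# and equality with the enrolled bytes stands in for the real matcher.
import hashlib
import hmac
import secrets

# Assumption: provisioned to the reader and the secure-world matcher at
# manufacture, never available to normal-world code.
SENSOR_KEY = b"\x13" * 32

# Constructed readings: opaque bytes as a reader would hand to the matcher.
ENROLLED_FINGER = b"owner-finger-template-bytes"
OTHER_FINGER = b"some-other-finger-bytes"


class Matcher:
    """Stands in for the matcher inside the TEE."""

    def __init__(self, enrolled: bytes, key: bytes):
        self.enrolled = enrolled
        self.key = key
        self.outstanding = None  # nonce of the one transaction in progress

    def verify_naive(self, reading: bytes) -> bool:
        # Any bytes in the expected format that match the template are
        # accepted: whoever can write the channel can replay or forge them.
        return hmac.compare_digest(reading, self.enrolled)

    def challenge(self) -> bytes:
        self.outstanding = secrets.token_bytes(16)  # fresh, single use
        return self.outstanding

    def verify_bound(self, nonce: bytes, reading: bytes, tag: bytes) -> bool:
        # 1. nonce must be the one we issued and still unused (no replay)
        if self.outstanding is None or not hmac.compare_digest(nonce, self.outstanding):
            return False
        self.outstanding = None
        # 2. tag must come from the keyed reader (no forged readings)
        expected = hmac.new(self.key, nonce + reading, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        # 3. only then is the biometric comparison done
        return hmac.compare_digest(reading, self.enrolled)


class Sensor:
    """Stands in for the reader hardware holding the shared key."""

    def __init__(self, key: bytes, finger_on_sensor: bytes):
        self.key = key
        self.finger = finger_on_sensor

    def read(self) -> bytes:
        return self.finger

    def read_bound(self, nonce: bytes):
        reading = self.finger
        return reading, hmac.new(self.key, nonce + reading, hashlib.sha256).digest()


def run_scenarios() -> dict:
    """A normal-world attacker who can observe and write the reader channel."""
    results = {}
    matcher = Matcher(ENROLLED_FINGER, SENSOR_KEY)

    # Naive channel: owner authenticates, attacker captures the bytes.
    captured = Sensor(SENSOR_KEY, ENROLLED_FINGER).read()
    results["owner_naive"] = matcher.verify_naive(captured)
    # Replaying them, or forging a reading from a leaked template (cf. the
    # world-readable template file above), is accepted just the same.
    results["replay_naive"] = matcher.verify_naive(captured)
    results["forged_naive"] = matcher.verify_naive(ENROLLED_FINGER)

    # Bound channel: owner authenticates, attacker records the whole exchange.
    sensor = Sensor(SENSOR_KEY, ENROLLED_FINGER)
    nonce = matcher.challenge()
    reading, tag = sensor.read_bound(nonce)
    results["owner_bound"] = matcher.verify_bound(nonce, reading, tag)
    # Replay of the recorded triple: the nonce has already been consumed.
    results["replay_bound"] = matcher.verify_bound(nonce, reading, tag)
    # New challenge, old tag: HMAC was computed over a different nonce.
    nonce2 = matcher.challenge()
    results["old_tag_new_nonce"] = matcher.verify_bound(nonce2, reading, tag)
    # Tag made without the key: rejected before the biometric check.
    nonce3 = matcher.challenge()
    fake_tag = hashlib.sha256(nonce3 + reading).digest()
    results["forged_tag"] = matcher.verify_bound(nonce3, reading, fake_tag)
    # Genuine reader, wrong finger: valid tag, biometric comparison fails.
    nonce4 = matcher.challenge()
    r, t = Sensor(SENSOR_KEY, OTHER_FINGER).read_bound(nonce4)
    results["other_finger_bound"] = matcher.verify_bound(nonce4, r, t)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:20s} accepted={accepted}")
```

The bound channel closes the injection and replay paths from the normal world, but nothing more: a spoof finger presented to the real reader is still read and tagged correctly, and the scheme is only as good as the secrecy of the key inside the reader and the TEE, which returns to the question of whether the reader itself is trustworthy.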
Reaching the reader from the normal world requires escalating privileges far enough, but once that is done the fingerprint data is again available to applications that are not authorized to access it. There are also many more documented exploits of the TrustZone technology [1] as implemented in current mobile devices.

Voluntary giving away of fingerprint details:
Sometimes users give away their fingerprints voluntarily in order to immigrate, travel or study in another country. Sometimes it is mandatory to provide fingerprints at airports to gain entry to a specific country. Governments in a few countries also require people to give their biometric information in order to receive governmental benefits or as part of the way they govern. For example, if you want to study, immigrate or work in a different country such as the USA, the visa process requires the individual to give biometric details including fingerprints. An individual who does not want to give those details has to choose not to go to that country.
Another example of voluntarily giving away fingerprint details is the new federal ID in India, the "AADHAR CARD", which was being issued to all the people of India. To get this new federal ID it was necessary to provide all the details of the existing federal ID, and a new requirement was that the individual's biometric details, including fingerprints, also be on file. Failing to comply would result in the individual not receiving the new federal ID, which was needed for many purposes such as filing taxes. I feel that the major issue with this is that, since fingerprint details are not changeable, giving them away for different reasons has a significant risk associated with it. Governmental databases are always a target for different groups since they contain a lot of information. If a database containing fingerprint details is hacked, the cracker or group that hacked it can then attack any account of that person that is protected by the fingerprint, including bank accounts or credit score accounts. Also, in criminal procedure an individual must give fingerprint details irrespective of whether the person is convicted or not [1]. Once the data is given it is always in the database and there is no way of assuring that it is removed.

Who stores and has access to the Fingerprint Data:
Another fundamental flaw of biometric authentication in general is the question of who will store and process the data, and who has the right to receive and use it [1]. Since fingerprint data is very sensitive, it is very important for the fingerprint reader to be trustworthy [1]. The device that stores and checks the fingerprint data should not transmit it to any untrusted or unauthorized party. If fingerprint data were released to marketers it would serve as a unique identifier of the user across the products and services they use [1]. One scenario is whether the OS developer of a smartphone should have the right to access the data. If a company decides that the developer should have a certain level of access so that improvements to the authentication system can be made, the major question that arises is whether the developer is trustworthy.

Suggestions to improve the current working of Fingerprint Authentication in Mobile Devices:
Transparency:
Currently the implementation of the .