CSE 5272 Computer and Information Security
& Flaws of Using Biometric Authentication in Mobile Devices
is one part within the CIA (Confidentiality, Integrity and Authentication) triad
which is important for the security of the data which is being stored or
transmitted. Authentication is meant to make sure that authorized user gets
access to the data and unauthorized users are denied access to the resources.
There by keeping the resources and data secure from unauthorized access. With
the advent of latest technologies, different types of authentications like “Something
you have”, “Something you know” and “Something you are” are commonly being
“What you are” type of
authentication makes use of biometric feature of an individual like fingerprint
verification or Iris recognition. After the launch of touch ID in Iphone 5s the
use of fingerprint authentication on mobile devices has increased 1.IEDs on
the Road to Fingerprint Authentication: Biometrics have vulnerabilities that
PINs and passwords don’t. Several leading smartphone companies have followed
suite and started using fingerprint as an authentication mechanism.
In this paper we will explain authentication,
different type of authentication and then working of fingerprint authentication
system in general and in mobile devices. Using fingerprint authentication has
benefits as well as flaws which will be discussed in this paper.
Authentication is a process of
proving an asserted Identity 4. Charles P.Pfleeger, Shari Lawrence Pfleeger,
Jonathan Marguiles. Security in Computing Fifth Edition, 2015 . Example,
password is used to authenticate the user and give the legitimate user access
to a website or a system, at the same time it is used to deny access to the
unauthorized user. Thus authentication information should be kept private
because if authentication information is shared then the authentication process
will not work as desired and might fail.
Authentication affects the
confidentiality and integrity in the following way, confidentiality means that
only authorized users should be able to access the data and integrity means
that only authorized user should be able to access and modify the data 4.
Authentication mechanisms provide way to enforce these principles of
confidentiality and integrity. All the users that need to access the system are
verified with the help of different mechanisms like passwords or cards or
fingerprint. If this authentication mechanism fails then unauthorized user will
get access to the system and confidentiality and integrity of the system
structure and data within the system will be lost.
Different types of authentication
that are used for the purpose of security of the system are “Something you
have”, “Something you know” and “Something you are”. We will go into detail of
each of these authentication types in next section.
User Authentication Types:
The function of the three
(“Something you have”, “Something you know” and “Something you are”)
authentication type is the same which is to authenticate and help user get
access to the system and also protecting the system from unauthorized access.
The manner in which they work is different from one another.
“Something you know”
authentication uses information that the user knows and this information is
used as authentication information. Passwords, PIN, passphrases, mother’s name
are examples of “Something you know” authentication 4. User needs to enter
the information when requested for authentication and upon entering the right
information he can get access to the system. Passwords are the most commonly
used among the above mentioned examples.
“Something you have”
authentication uses things that are given to the user in order to get him
authenticated into the system by the company. Examples for this are Identity
Badges at work or gym. At companies user needs to swipe the Identity card to
gain access to the company resources.
“Something you are”
authentication uses the physical features of a person for the purpose of
authentication. These physical features that are used for authentication
include fingerprint, voice recognition, Iris Scanning, facial recognition 4.
During international travel at airports fingerprint scanners are used to
authenticate the user in the system and make sure that the person is not
blacklisted. This type of authentication is also known as Biometric
Some companies make use of more
than one of these authentication types to increase the security of the system
this is known as multifactor authentication 4. An example of multifactor
authentication would be that while withdrawing money from the ATM user needs to
put a Debit card (“Something you have”) and then the ATM PIN (“Something you
know”) and once both the information is verified then only money is dispensed
else money will not be dispensed.
Another type of authentication
which is used by companies to increase security is multimodal authentication.
In this type of authentication multiple levels (from any one of the three
authentication types) of authentication is done from a particular type of
authentication this is in contrast to the multifactor authentication which uses
different type of authentication (like “Something you have” and “Something you
know”). An example of multimodal authentication could be the use of fingerprint
authentication and iris authentication before getting access to the company premises.
Fingerprint Authentication System:
Fingerprint authentication is a
type of Biometric authentication (“Something you are”), In Biometric
authentication a sample is taken and then this sample is matched against the
previously stored measurements in order to reliably ascertain the
authentication of the individual 1. Biometric authentication makes use of
unique features to ascertain the identity.
Fingerprint authentication system
works using the same concept, it makes use of unique features in a fingerprint
to distinguish between fingerprints. A persons fingerprint consist of a line
which passes in a different directions in pattern these lines are called Ridges
2. Lawrence O’Gorman. Fingerprint VerificationOnline. Biometrics, 43-64,
1996. and the spaces between these ridges are known as Valleys 2. Ridges are
used as unique identifier in fingerprint authentication system for
distinguishing between different fingerprints.
The two approaches that are used
to match fingerprints are minutia matching and global pattern matching also
known as pattern matching 2.
Ridge contains two important features which
are ridge end and ridge bifurcation 2, Ridge end and ridge bifurcation
together are called as minutia. Minutia matching makes use of them for the
purpose of identifying and distinguishing them from other matches. For the
extraction of minutia different types of algorithms and techniques are used.
For example 5.Fingerprint Verification Based on Multistage Minutiae Matching
Honglei Wei, Mingen Guo, and Zongying Ou makes use of multistage minutia
matching in order to get better accuracy.
Global pattern matching also
makes use of ridges for comparing but it uses the flow of ridges. This matching
technique makes use of pattern formed by these ridges for comparing. Fingerprint
pattern are classified into 3 major patterns which are arch, whorl and loop.
Depending upon different classification schemes fingerprint pattern can be
classified into ten or more classification 2. Global pattern matching is done
at a more high level compared to the minutia matching which is done at
microscopic level 2.
Working of fingerprint
authentication consists of two phases one is the enrolment phase and second is
the Recognition phase 3. Tiago Duarte, João Paulo Pimentão, Pedro Sousa,
Sérgio Onofre. Biometric access control systems: A review on technologies to
improve their efficiency. IEEE International Power Electronics and Motion
Control Conference, 795-800, 2016.
In enrollment phase a sample of
the fingerprint is taken and then stored in the database, sometimes multiple
samples of the fingerprint are taken for the purpose of accuracy. Fingerprint
is taken with the help of a sensor. Encoding of the fingerprints is also done
sometime for the purpose of security before storing them in database 3.
In Recognition phase, a new sample
is taken and then the feature of the new sample is compared with the features
of the old sample to make a decision on whether the match is found or not.
Recognition process works differently depending upon the enrollment process 3.
If a single sample of the fingerprint is taken during enrollment and stored in
the database then in recognition process one to one matching is done during
authentication and if multiple samples of the fingerprint are taken during
enrollment and stored in the database then in recognition process one to many
matching is done by comparing with the multiple samples that are stored in the
database. This is done for the purpose of authentication.
Fingerprint Authentication in
After the launch of Iphone 5s,
the use of fingerprint scanner as an authenticator on mobile devices has
increased 1. Many smartphone companies have followed suite and made use of
fingerprint authentication in their mobile devise. In 2017 almost all the phones
of different companies like Samsung, Sony, Apple and Motorola have fingerprint
authentication. Samsung phones like Note 8 and S8 and S8 edge have fingerprint
authentication while Sony has introduced fingerprint authentication in Z5 1.
Comparatively cheap phones like Motorola G5 which cost $180 have fingerprint
authentication in them.
Most of the smartphones that feature
fingerprint authentication make use of the ARM TrustZone Trusted execution
environment (TEE) 1. This Trusted execution environment is used to isolate
“secure world” code separate from the untrusted user code. Information
regarding the fingerprint is stored in this TrustZone side of the operating
system so that applications that are stored in the Non-TrustZone 1 side of
the operating system in mobile device do not get access to the important data,
like fingerprint details in this case.
Most of the smartphones capture
the fingerprint data with the help of the fingerprint reader and then store
them in the TrustZone side of the operating system to keep the fingerprint data
secure. But the use of TrustZone still has flaws which will be discussed later in
the paper also the manner in which less costly phones which have fingerprint
reader feature store data is also a point of concern.
Benefits of using Fingerprint
Authentication in Mobile Devices:
Fingerprint authentication is
used as a replacement for the existing password and PIN authentication 1. For
the creation of passwords it is required that these passwords follow a set of
rules which includes their length, inclusion of special characters, inclusion
of upper and lower case characters. Also users log on to multiple websites and
have multiple accounts to access. From the point of view of security it is a
good idea to have multiple passwords and PINs. Reason being that even if one
password has been disclosed to unauthorized user then also the rest of the
accounts are safe.
However in reality most of the
users end up creating a password which is easily remembered and is reused by
them, as it is very difficult to remember different passwords for different
accounts without making use of coping mechanisms like writing password on a
paper etc. The same concept goes for the use of PIN’s, people have a number of
accounts and for the purpose of security it is a good idea to use different PIN
for each account, they also need to follow a set of rules like birthday related
information like date, month, year should not be used. Since majority of people
have multiple accounts people end-up making use of coping mechanisms to
Fingerprint provide a way to
people (user) to avoid using passwords and PIN 1 and move away from the
inconvenience caused by forgetting these passwords and PIN’s or always typing
them. Instead user can just place his finger on the fingerprint reader and then
he will be given access if there is a match of the fingerprints. From the
user’s perspective this provides lot of convenience especially in case of
smartphones as user on an average unlocks the smartphone almost 48 times a day 1.
Use of fingerprint authentication
helps access the third party applications. Example, if a smartphone user has a
Bank of America Application in his mobile device he can access this account by
using the fingerprint authentication instead of typing in the password. User
has many third party applications on his mobile, so instead of typing password
each time he wants to access an application fingerprint authentication provides
the required security along with the ease of use and convenience.
Fingerprint authentication in
general provides users with simple and convenient option instead of using
passwords and PINs. People in general consider fingerprint authentication to be
more secure than the traditional security authentication in smart phones 1.
Few of the reasons for this are as
follows, fingerprint of each individual is unique and user feels secure that no
other person can access the device due to this. Users have the tendency to
forget and loose passwords and PIN’s which is in contrast to fingerprint which
he always carries with him.
Another important factor is the
use of fingerprint authentication in criminal proceedings as it brings the
sense of security to the user 1.
The probability of small sections
within two fingerprints to be alike is 1 to 50,000 while probability of guessing
four-digit PIN is 1 to 10,000 6. https://support.apple.com/en-us/HT204587.
Thus making fingerprint authentication more secure than PIN based
in Customer satisfaction:
Since third party applications
are installed in mobile devices by the user and with the advent of fingerprint
authentication these fingerprint authentication can be used to access the
contents of these third party applications. Users do not need to call the
customer care to reset forgotten passwords also while speaking to the customer
care center authentication can be done through the phone which shortens the
verification time 7.https://www.finextra.com/blogposting/13724/what-are-the-advantages-of-biometric-authentication-in-replacing-passwords.
of data after Mobile device theft:
There is always a possibility of
mobile devices being lost or stolen. If the mobile device uses password or PIN
based authentication then there is always a possibility that thief will bypass
the authentication. For example in case of Android device thief only needs to
call the device and then while in duration of the call press back button 8.
Donny Jacob Ohana, Liza Phillips, Lei Chen. Preventing Cell Phone Intrusion and
Theft using Biometrics Fingerprint Biometric Security utilizing Dongle and
Solid State Relay Technology and then the thief has bypassed the
authentication system and data is available to the unauthorized user in this
If the mobile device can only be
accessed by fingerprint authentication, even after the device is lost or
stolen, the person who found the device or stole the device will not be able to
get access to the data within the device.
is quick and light weight:
Flaws of using Fingerprint
Authentication in Mobile Devices:
Unchangeable and Irrevocable:
One of the biggest benefits of
fingerprint is that it is unchangeable so user cannot forget them compared to
the passwords and PIN. But this benefit becomes one of the biggest drawbacks if
for some reason the fingerprint is compromised 1. This compromised
fingerprint can be reused as many times as needed and there is no way of
changing it. There is no possible solution that is offered by the verification
system in case the fingerprints are compromised.
In today’s time it is possible to
hack the system to get fingerprint data, for example, the data theft that
happened in the Office of Personnel Management (OPM) where 5.6 million peoples
fingerprint data of federal government employees were stolen 1. This stolen
data can now be used by the attacker to gain access to the systems that require
fingerprint authentication which includes smartphones.
Fingerprint spoofing is a concept
in which a replica of the fingerprint is made using different materials.
Fingerprint spoofing is possible this was demonstrated by a group of Crackers
which hacked the fingerprint authentication system in Iphone 5s as soon as it
was launched 1. This was done by taking a high resolution photograph of the
latent fingerprint that was on the glass of the touch screen and then a mold
was made in such a way that it could be used as an artificial fingerprint to
unlock the smartphone and its content 1.
It is also possible to make an
artificial fingerprint without even having physical contact with the person,
Fingerprints of defense minister of Germany was spoofed using a number of high
resolution photographs including one from the press released 1. Same German
defense minister’s fingerprint was spoofed by using a fingerprint from a glass
of water and 4000 copies were made which are capable of being used for
fingerprint authentication 1.
3D printers can also be used to
spoof a fingerprint of an individual 8. https://www.synaptics.com/sites/default/files/sentrypoint-anti-spoofing-wp.pdf.
The latest advances in use of 3D printers have made this possible and easy to
There has also been a case in
which police have made use of 3D printer for fingerprint spoofing of a deceased
victim to gain access to the smartphone of the victim to gain insight 8. Thus
further supporting the theory that fingerprint spoofing can be done easily.
We leave Fingerprint everywhere:
Important factor of fingerprint
is that they cannot be switched off and we leave fingerprints everywhere we go
or anything we use. This is similar to a person leaving the username and
password everywhere we go or everything we touch 1, this information can be
used by people to access the system.
If passwords are leaked or hacked
they can be changed or reset but we cannot control where we leave fingerprints,
this causes a major cause of concern for the concept of fingerprint authentication.
Since fingerprint spoofing can be done based on the fingerprint we left behind
at a place or on an object that is used by us.
Fingerprint sensors make use of
the concept that they make use of measurements of the fingerprint data and then
matching is done of this measurement with the measurements that are previously
taken and stored in the database. By knowing the input format expected by the
key storage or computation module 1, it is possible to bypass the
authentication mechanism by presenting false fingerprint reading “on the wire”
1. In this scenario the need of a fake physical fingerprint is also bypassed.
Since this fingerprint sensor is
not able to distinguish between human skin and other similar materials,
material similar to human skin are used to create fake fingerprints and have
been accepted by the authentication system 1. Also the techniques that are
followed to create a fake fingerprint by the cracker can also be sued by common
man for the same purpose.
Implementation in mobile:
As mentioned above most of the
smartphones in the market make use of ARM TrustZone to store fingerprint data.
But these trusted execution environment have been poorly implemented in the
For example, in smartphone HTC
One Max the fingerprint data of the enrolled user was stored in a
world-readable file 1. The data from
the world-readable file could be read by any application which is running on
the smartphone device.
Even in very good implementation
of the fingerprint authentication system, fingerprint reader used in the system
is exposed to the non-TrustZone of the operating system thus making the
implementation insecure 1. This can be done in the following way by making
use of the privileges and escalating them to the right extent. Thus again the
data is again made available to the applications that are unauthorized to get
access to the data related to fingerprints.
Also there are many more
documented exploits of the TrustZone technology 1 which is being implemented
in the current mobile devices.
Voluntary giving away of
Sometimes users give away their
fingerprints voluntarily in order to immigrate, travel and to pursue studies in
another country. Sometimes it is also mandatory to provide fingerprints at
various airports to gain entry to the specific country. Government in few
countries also requires people to give their biometric information for the
purpose of receiving governmental benefit or to implement in the way they
For example if you want to study,
immigrate and work in a different country like USA. The Visa process requires
an individual to give biometric details like fingerprint. If an individual does
not want to go give those details then he has to choose the option of not going
to the company.
Another example of voluntary
giving away details of fingerprint would be that in India, a new federal ID called
“AADHAR CARD” was being issued to all the people of India but in order to get
this new federal ID it was necessary to provide all the details of the existing
federal ID. Also a new requirement was that the biometric details of the
individuals were also needed to be on file which included fingerprint details.
Failing to comply with this requirement would result in that individual not
receiving the new Federal ID which was needed for many purposes like filing
I feel that the major issue with
this is that since fingerprint details are not changeable giving them away for
different reasons has a significant risk associated with it. Governmental
databases are always a target of different groups since they contain lot of
information. If the database containing fingerprint details is hacked then the
cracker or the group that hacked can access any account related to that person which
include bank accounts or credit score account.
Also in case of criminal
procedure an individual needs to give away the fingerprint details irrespective
of a person being convicted or not 1. Once the data is given it is always in
the database and there is no way of assuring that the data is removed
Who stores and access to the
Another fundamental flaw in
biometric authentication in general is that who will store and process the data,
also who has the right to receive and use the data 1. Since fingerprint data
is very sensitive it is very important for the fingerprint reader to be
trustworthy 1. The device which is storing and checking the fingerprint data
should not transmit the data to any untrusted or unauthorized source. If this
fingerprint data is released to the marketing people then this will serve as a
unique identifier of the user with respect to the product and services availed
by them 1.
One Scenario would be that in case
of a smartphone device whether or not the OS developer should have the right to
access the data. If a company decides that the developer should have certain
level of access to the data so that improvements to the authentication system can
be made. Then the major question arises is whether the developer is trustworthy
Suggestions to improve the current
working of Fingerprint Authentication in Mobile Devices:
Currently the implementation of