Find articles from my Blog Archive:

Monday, 7 October 2013

Smartphone Security and Touch ID

My door at home has two locks on it. I have a “Yale” lock that's there for convenience; when I shut the door it locks automatically. When I'm in the house this is sufficiently secure. But when I go away I also put the key in my “chub” lock and double-lock the door. The Chubb lock is more secure, but very inconvenient to use if I'm in and out of the house a lot. I also have a burglar alarm. It's a bit of a pain because I need to enter a code to disarm it. My home security is a series of barriers. It's not perfect; if a professional thief wants to deactivate my alarm and pick my locks, I'm sure (s)he can. But for most burglars my security is good enough to keep me secure. My security is also graduated - the most secure parts of my system are the most inconvenient. There's a trade off between security and convenience. I often choose convenience over security; setting the alarm and double-locking the door when I'm doing some gardening would seem overkill and definitely a right pain-in-the-neck, so I just use the Yale lock in such situations.

It seems to me that security on smartphones, and IT in general, is similar to my house security, namely:

  1. I can get super-secure, but it's at the risk of convenience. Super-secure often means super-inconvenient.
  2. If security is too inconvenient I'm likely to not use it.
  3. It's impossible to prevent a determined thief with a lot of resources, so it's about appropriate security and manageable risk, not about ultimate security.
  4. The security of a system should be assessed on the basis of the end-to-end nature of the security systems, not of the hackability of one individual item in that system.
  5. The average person in the street does not need, cannot afford, and would find the intrusiveness of the Bank of England's security unacceptable.

There has been quite a bit of discussion around Apple's Touch ID fingerprint sensor. It's novel to see biometric identification used in a high-volume consumer electronics device, so it's natural for the industry to explore the implications of this. However, I've noticed a fair degree of confusion about both how Touch ID works and what its purpose is.

Touch ID is about convenience, not super-security

In Apple's introduction of Touch ID they focused on it as way of providing security with increased convenience. The presentation highlighted the the fact that nearly 50% of smartphone users do not have a passcode lock because of the inconvenience. Touch ID was presented as a solution to security with convenience. It was not positioned as some form of James Bond super-secure breakthrough. Apple's target is always the mass-market of consumers, not niche subsets, and Touch ID is very clearly trying to help average consumers increase their level of smartphone security.

Human nature

Human nature is that we will try to avoid things we perceive as an inconvenience. People write their PIN numbers on post it notes in their wallets. Would you believe the most common pin code is 1234? Or that Nearly 50% of consumers choose not to activate a passcode on their phone? It doesn't matter what the implications are, the evidence is that if being secure is too much of a barrier, or just a barrier, a lot of people will find a way around it and “blow the consequences”.

When designing a security system we need to be aware of basic human behaviour. Just as my house has a level of security I would never use when gardening, so it is with smartphones. People cannot remember super-secure passwords, they cannot remember lots of passwords, entering them on a smartphone keyboard is a pain in the neck. As a result, the industry is starting to find ways of increasing the convenience of security in order make it easier for people to use, so that they don't circumvent the mechanisms offered. This is the problem I think Touch ID is trying to solve, ie convenience, not trying to provide a high-end security solution. As a user of Touch ID I can say with total confidence that it really is a revolution in convenient security. It's so easy to use you almost don't realise it's doing anything; its security that gets out of the way.

Existing solutions are far from perfect

4-digit passcodes are easy to guess and many people use memorable dates, drastically reducing the numer of possible choices from the maximum.

Passcodes are also very easy to capture by watching someone type them in.

We even leave smudges on our smartphone screens that allow thieves to easily guess our passcodes.

So, the current state of smartphone security is far from perfect and new innovations need to be judged against that imperfect state, not an assumed nirvana.

Touch ID is only one part of a bigger security system

Focussing on Touch ID only misses the point of Apple's approach to security. Touch ID sits in a wider security ecosystem and that makes the system more secure than any one component in it.

Firstly, it's importent to understand that Touch ID complements a passcode, rather than replacing it. With Touch ID enabled you still need a passcode and the phone requires you to enter that passcode:

  1. If you've not entered you passcode in the last 48 hours and try to use the phone, you will be required to enter your passcode rather than use Touch ID.
  2. If you fail Touch ID verification five times, Touch ID is disabled and you are required to enter your passcode.
  3. After a reboot of the phone, Touch ID is disabled until you enter your passcode.

Apple also provides a secondary security layer in the form of 'Find my phone'. This system is designed for situations where you have lost your phone. It allows you to logon to the iCloud website and locate your phone on a map. There are many fascinating stories of people who have retrieved their phones from thieves after using this service, so it has real utility. You can also remotely put a phone into lost mode through Find my Phone. Once in lost mode:

  1. Touch ID is disabled and you must enter a passcode.
  2. You set a message and phone number to call that are displayed on the phone's screen.
  3. The phone is locked to only be capable of calling the number you specify.

In iOS7 this is further strengthened with activation lock, which means a thief needs your AppleID and password (different to you phone's passcode) before they can:

  1. Turn off 'find my phone'
  2. Erase your phone
  3. Reactivate or use your phone

The security of Activation Lock was met with initial skepticism, but it hasn't been circumvented yet and appears to be effective. In fact, the New York police were so impressed they've actually been handing out flyers encouraging iphone users to upgrade to iOS7 in order to use Activation Lock and hopefully reduce phone theft.

Find my Phone and Activation Lock make it a trivial matter to securely disable the phone, and Touch ID, if it is lost. Given the way we all carry our phones with us all the time, there's a good chance that, in the worst circumstances, you'll notice your phone has gone missing and be able to deactivate it before the thief creates and uses any 'fake' fingerprint.

The security of the end-to-end system, taking into account the way passcodes are used with Touch ID, Find my Phone and Activation Lock, is much greater than any single aspect of security. It's a really good example of security system engineering and a rare one. Most security solutions seem to have been engineered in isolation, rather than as a part of some larger scheme.

Can aspects of this system be hacked? Maybe. If they are hacked, will Apple respond and prevent the hack? Almost certainly. Although reports of the possibility to make 'fake' fingerprints have emerged, there are good reasons to believe this isn't a big risk. Firstly, the faker needs a good quality fingerprint, not smudged, to work from. Secondly, the process is pretty laborious and takes a good number of hours. Thirdly, the secondary barriers of Find my Phone and Activation Lock limit the potential exposure. Most of us would have put the phone into lost mode, disabling Touch ID in the process, before anyone can apply any fakery. It's possible to circumvent it with some luck and a degree of skill, but probably still easier to threaten physical violence to obtain a passcode.

Time will tell, but the indications are that we have a very effective end-to-end security system designed to help most of us with real convenience.

For those that are nervous about Touch ID, they can opt out. It's use is entirely optional and there is no compulsion to activate it.

Biometric and passwords?

Some have called for Apple to allow passwords to augment Touch ID, ie that the user should always need to enter a passcode and fingerprint verification. The theory being that a combination of password and fingerprint would be very hard to crack. This may be true, but it misses the point of Touch ID. Apple's focus is to increase the convenience of security, not to provide the highest possible level of security. Apple could, in theory, provide the option to use both password and fingerprint, but I personally think its unlikely. Doing so would divert attention from the cause of convenience and Apple is well known for its focus on delighting the rump of consumers, rather than small niches. So no, Touch ID is not about super-high-end security; it's about increasing the convenience of security that is appropriate for most of us.

Mobile payments increases the need for convenience

We have seen an enormous proliferation in mobile payments solutions, but none of them have achieved critical mass yet. I would argue that some of these cannot achieve critical mass because they are more cumbersome than using a plastic card. Anything which requires a confirmation on the phone will need many of us (ie those that do have a passcode set) to enter our phone's passcode, find and launch the app, enter some app-specific passcode to authenticate the purchase. This is clearly not viable in a high volume retail environment. There is no chance my mother, or even my wife, could be bothered.

The inconvenience of authentication is why NFC implementations have no security at all, and instead rely on a transaction limit of £15 (in the UK). But a transaction limit of £15 forces NFC into a niche of sandwich and coffee shop purchases, rather then being a true next-generation payment solution. We are, in effect, stuck between two extremes; the completely-insecure and the secure-but-so-inconvenient-few-can-be-bothered. Touch ID, and no doubt the similar copies that will follow, present an interesting possibility for authentication that is “good enough” and super-convenient. Apple is rightly being cautious with Touch ID's potential; today it can only be used to purchase content from Apple's own online stores. No doubt, as the technology beds down, this may be opened up for others to use.

Before you start stressing about the potential to copy a fingerprint and use that to buy things, reflect on the fact that we still rely on signatures to secure high-value cheques. Our credit cards are only secured by 4-digit PINs that are super-easy for somone to read by looking over our shoulders. The requirement is not for absolute security, it's for convenient security that is “good enough” and a fingerprint is likely more secure than either a signature or 4-digit PIN. I, for one, think there is great potential here and am excited to see where this might take us.


No comments :

Post a Comment