These days, our cell phones are more than just phones. Our phones are our cameras, our personal calendars, our entertainment devices, our news sources, and more. As the cell phone becomes increasingly pivotal to our lives, more data is generated, collected and stored. Just imagine: if someone could access your phone they could have access to all your social media, financial accounts, location history, and pictures, and could get up to some serious mischief. This is why it’s so important to have security measures in place––something that phone manufacturers take seriously these days.
Take Apple and Samsung, the two biggest manufacturers in the world; they highly recommend you connect your phone with your Apple/Samsung account and set up a passcode or PIN so that in case your phone is ever lost you can prevent easy access, or even wipe it remotely. Even these methods aren’t bulletproof, however, which is why today you’ll see more and more phones implementing fingerprint scanners in an effort to bolster security. Rather than creating a password, you are the password!
Sounds good, but is it safe?
Optical Scanning: Our First Foray into Fingerprinting
Colloquial understandings of fingerprinting technology suggest that scanners simply take pictures of a fingerprint and store them on the device, or perhaps upload them online. In the early days of fingerprinting this was certainly the case, as optical scanners were employed; these scanners would essentially take pictures of a fingerprint and make note of unique ridges or marks by analyzing how light would bounce off of the image.
The problem? If you’ve ever seen a spy movie you’ll know these scanners are relatively easy to fool. Although using a piece of tape to capture a fingerprint off of a doorknob and placing it over the sensor seems farfetched, it’s not too far off. As the optical sensor simply analyzes a two-dimensional picture it can be successfully bypassed using a prosthetic or a high quality image of a fingerprint.
Now think: how many detailed pictures of my fingerprints are out there? The answer is most likely “none” but the point stands that optical sensors can be fooled more easily than we’re comfortable with. Further, optical scanners tend to be bulky owing to the LED light arrays that are required for an image to be taken in the first place. Thankfully, smartphone manufacturers are wise to the technical and security risks associated with optical scanning, meaning they’ve passed it up entirely in favor of the more modern and secure capacitive scanning.
TouchID, the Secure Enclave, and You
Apple takes great pride in its TouchID technology. You see, TouchID is a popular implementation of a capacitive scanner; this scanner works not by taking an image of a fingerprint, but by collecting mathematical data about a fingerprint, hashing it, and storing it in a separate part of the phone Apple dubs the “Secure Enclave.” The secure enclave is really just a distinct processor in the phone, the sole purpose of it being to encrypt fingerprint data with 256-bit AES encryption and to prevent this data from being tampered with.
As the secure enclave exists apart from the phone’s internal memory and operating system, it cannot be accessed or forced to run any code apart from fingerprint verification that is initiated from the main operating system. There is no point in the process where your physical fingerprint is stored or communicated anywhere; rather, verification takes place in the form of an encryption key exchange that verifies the fingerprint and passes along the “okay” to the operating system to tell it to unlock the phone or to authorize purchases.
Apple is not the only one practicing a secure enclave, as well. A large number of prominent manufacturers, including the likes of Samsung, LG, Huawei, Microsoft, Google, and Qualcomm, have joined a consortium called the FIDO Alliance that works to implement authentication standards across devices. Fingerprint storage and authentication as part of the FIDO Alliance works the same way as TouchID/Secure Enclave; fingerprints are stored mathematically on a separate processor (commonly known as the Trusted Execution Environment) that cannot be accessed by the main operating system or apps, meaning your fingerprint data never leaves your phone.
So What’s the Verdict on Fingerprints?
Be it Apple, Samsung, or any of the other prominent smartphone manufacturers, rest easy knowing your fingerprint data is protected using a combination of powerful cryptography and secure hardware checks. Fingerprints offer a convenient way to secure your phone and to avoid having to remember your password, while being stored locally and not uploaded to the cloud somewhere. Short of being physically forced to unlock your phone with your fingerprint, fingerprint authentication is a viable alternative and one that is very, very hard to crack without significant time, effort, and resources.
About Ravi Persaud
I am interested in the intersections between the Internet and the real world; that is, how technology fundamentally shifts personal data and our private lives to become more accessible, effecting our privacy in a digital age.