By Igor Magun
The Samsung Galaxy S8 launched last week, packing a trio of biometric lock options. But as with any security mechanism, it’s worth asking–just how secure are biometrics?
“Biometrics” refers to physical characteristics that can be used to identify someone, like fingerprints. By their nature, they should be stored with extra care. Unlike a password, you can’t just change your fingerprints or irises if they’re compromised. But when done right, the data stored by your device cannot be used to recreate them.
Take Apple’s Touch ID fingerprint scanner, for instance. The device stores a mathematical representation of fingerprints in the Secure Enclave, a separate processor which the operating system has no direct access to. The operating system only ever receives a “yes” or “no” message from it, indicating if a fingerprint matches the one it has on record. The data never leaves your device, not even during device backups.
It’s important to note that the fingerprint data stored in an iPhone is not detailed enough to accurately recreate a fingerprint, even if someone accesses and converts the mathematical representation to an actual image–which Apple says cannot be done. That’s because the process used does not collect certain small details about your fingerprint.
This process comes with a drawback, however–there’s a one in 50,000 chance that someone else’s fingerprint can match your own, according to Apple. For comparison, there are 10,000 possible combinations for a four-digit PIN, and one million for a six-digit PIN. Apple reduces the impact of this issue by requiring the device password after five failed fingerprint attempts.
The reason I use Apple as an example is because other companies, Samsung included, lack the same transparency around how they store biometric data. Apple covers Touch ID and other security mechanisms extensively in their iOS Security Guide, which was updated as recently as last month.
Samsung has made public statements to news publications and government officials which suggest they store biometrics in much the same way Touch ID does, but it shouldn’t be so hard to find this info. Searching their website doesn’t turn up any more detailed explanations. Samsung isn’t alone here either–a quick search of Motorola, LG and HTC’s websites turns up no details on the security of their fingerprint readers.
Given biometrics’ rising popularity, manufacturers need to be more transparent about how they deal with them. We’ve already seen vendors get them horribly wrong, like when the HTC One Max stored unencrypted fingerprint images in a folder that could be accessed by any app on the phone.
Some biometrics will always have their drawbacks–fingerprints are inexpensive to spoof, for instance, and the facial recognition on Samsung’s Galaxy S8 can be easily tricked with a photo. But everyone has a different threat model, and with the right information, we can all better evaluate what kind of protection makes sense for us.