Hacking of new iPhone X biometric security offers lessons in user authentication

Entersekt Editor|19 December 2017
More companies are implementing mobile biometric authentication to increase security and reduce fraud. According to a recent report, the worldwide mobile biometrics market is expected to exceed $50.6 billion in revenue by 2022, growing from a base of $6.5 billion in 2016, but despite this growth, financial institutions and consumers harbor legitimate concerns about whether mobile biometrics actually delivers on its promise of improved security.

That concern is not unfounded. In the case of Apple’s early November release of iPhone X, it only took a matter of days for a Vietnamese security firm to hack the product’s facial recognition security system. The company’s simple conclusion, as reported by Wired magazine, belied the profound implications.

“Apple has done this not so well. Face ID can be fooled by [a 3D-printed] mask, which means it is not an effective security measure.”

If one of the world’s preeminent tech companies can be undressed so quickly despite the iPhone's sophisticated 3-D infrared face mapping and AI-driven modeling, how should customers feel about biometrics-based protections of mobile banking and other sensitive operations conducted on their own devices?

The run-down on biometric authentication

For Apple’s iPhone X, facial recognition replaced the device’s Touch ID fingerprint reader, but there are a host of ways that biometric authentication can be implemented, including hand and finger geometry readers, handwriting recognition, iris scanning, voice print reading, and vein and electrocardiogram recognition, among others.

When executed correctly, biometrics offer elevated security because every human being has his or her own unique fingerprint or other physical traits that enable them to quickly authenticate themselves and easily access the information or functionality they need without having to remember complex passwords or difficult security questions. When you add multiple data points — for example, not only a person’s signature, but also the amount of pressure on the pen and the speed at which it is written — it becomes nearly impossible to duplicate and defraud the user.

An obvious shortcoming of biometric records is that they can be stolen. In summer 2015, the US Office of Personnel Management (OPM) reported that the number of federal employee fingerprints compromised in a massive server breach was more than 5.6 million. And unlike passwords, these can’t be reset. Under a server-based biometric model, where multiple individual records are stored in one centralized platform, if someone is able to hack that server, a large number of people are now at risk.

To avoid large-scale theft of biometric records, most mass market solutions are designed never to share this data beyond the user-held device (e.g. the smartphone). The biometric solution simply informs the remote service that a biometric record has been matched successfully on the device. Mobile malware could just as well tell the remote service the same thing – without there having been a match at all. A stolen device can also provide hackers with opportunities to commit fraud – albeit in a very targeted attack – if they are able to replicate the user’s fingerprint or facial structure.

In either case, there is legitimate concern that once biometric information is compromised, an individual may not be able to confidently use their own biometric information in the future, or that it could even be used against them.

The more the better

Consumers may favor convenience over security, but the strategic objective for banks and other businesses has always been to decrease fraud without reducing the number of customer transactions. Through strong customer authentication (SCA), the best of both worlds can be achieved: 1) users feel secure and in control; and 2) financial institutions can securely confirm their customers and their intentions.

Multi-factor authentication is integral to SCA, which requires two or more authentication factors to ensure a device is secure. For example, financial institutions can authenticate consumers based on the user’s device (i.e., possession) and either a PIN (knowledge) or biometric feature (inherence or “something you are”).

With millions of people across the globe engaging in mobile banking, mobile wallets and other financial transactions, institutions must uniquely identify and communicate with each of them directly over a mutually validated, end-to-end encrypted channel. Biometrics can strengthen the customer authentication process, but as we have seen in the case of the iPhone X, it shouldn’t be the sole factor.
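The following is an added illustration, not Entersekt’s code nor Apple’s actual protocol, of the two points made above: a remote service that merely trusts a “biometric matched” message from the app is no better than trusting malware, whereas a possession factor (a device-bound key that the app can only use after the local biometric check) proven over a server-issued challenge gives the institution something it can actually verify. The device key, transaction ids and message format are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a key held in the phone's secure hardware and released
# only after the local biometric match succeeds (an assumption of this example).
DEVICE_KEY = secrets.token_bytes(32)


def naive_authorize(message: dict) -> bool:
    """Remote service that believes whatever the app reports about the match.
    Malware on the phone can send exactly the same message without any match."""
    return message.get("biometric_matched") is True


class ChallengeServer:
    """Remote service that checks the possession factor: the device must prove it
    holds the key enrolled for this user by tagging a fresh, single-use nonce."""

    def __init__(self, enrolled_key: bytes) -> None:
        self._key = enrolled_key
        self._pending: Dict[str, bytes] = {}

    def issue_challenge(self, txn_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[txn_id] = nonce
        return nonce

    def authorize(self, txn_id: str, tag: bytes) -> bool:
        nonce = self._pending.pop(txn_id, None)  # single use: a replayed tag fails
        if nonce is None:
            return False
        expected = hmac.new(self._key, txn_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def device_respond(key: bytes, txn_id: str, nonce: bytes, biometric_ok: bool) -> Optional[bytes]:
    """Genuine app: the key is only usable once the local biometric check passed,
    so the tag binds 'something you are' to 'something you have'."""
    if not biometric_ok:
        return None
    return hmac.new(key, txn_id.encode() + nonce, hashlib.sha256).digest()


def unauthorized_respond(txn_id: str, nonce: bytes) -> bytes:
    """Software without access to the enrolled key can still claim a match,
    but cannot produce a tag the server will accept."""
    return hmac.new(b"no-enrolled-key", txn_id.encode() + nonce, hashlib.sha256).digest()
```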

With secure and hassle-free interactions, including real-time push notifications and easy accept-or-reject prompts, financial institutions can achieve their goal of security, while also providing customer convenience. Confidence on both sides of the mobile transaction leads to a frictionless user experience with greater consumer trust, and that is definitely good for business.

About the author

Entersekt Editor

Entersekt is an international software development company based just outside of Cape Town, South Africa.

We are leaders in authentication, app security, and payments enablement technology, offering a highly scalable solution set with a track record of success across multiple continents.