Looking back on this year’s Mobile World Congress (MWC), it was clear that every major player in the mobility industry wanted to stand out in a heavily saturated sea of products. From Huawei introducing a sleek foldable smartphone to a Nokia phone with five integrated cameras, each business was peacocking its latest devices at this year’s event.
While there were many interesting announcements from the annual event, it was Samsung’s latest release, the S10, that caught our attention, specifically its latest security measures, and its journey to developing a passwordless experience for its customers.
The Samsung device leverages different methods of mobile security measures, including the world's first ultrasonic in-screen fingerprint scanner, a nifty feature which unlocks the Galaxy S10 using sound waves.
Samsung has also once again integrated facial recognition in its devices, a feature that first appeared in the ill-fated Galaxy Note 7. Similar to Apple’s Face ID, users can access their phones using facial biometrics. Once a novel idea considered only in science fiction, facial recognition has now matured and become available to smartphone users around the world who prefer a modern layer of security.
Is biometric recognition a layer of security or just a convenience?
There has been much talk regarding whether facial recognition and fingerprint scanners are a viable form of security. In particular, the facial recognition function has been called into question once again with the latest release from Samsung. The S10’s facial recognition was publicly spoofed within weeks of its launch, and videos continue to surface showing how simple drawn pictures can produce false positives, unlocking the device with ease.
Interestingly, unlike past responses from both Apple and Samsung, which continued to promote facial recognition as a security feature even after it had been spoofed, Samsung quickly stated that its latest fingerprint scanner is much more secure than its facial recognition and could therefore be used instead.
Why fingerprint technology can be an inadequate security measure
In a bid to usher in the age of passwordless security, mobile manufacturers have integrated fingerprint scanners into their devices. Using this biometric method, customers can access their data with their fingerprint, and the manufacturers have positioned this as a secure method of protecting data that is highly resistant to spoofing.
But in this use case, there are some inherent issues. Fingerprints can wear down, and they may not work when wet or very dry or when the sensor is dirty. More fundamentally, the vast majority of sensors do not truly identify the actual user for proper authentication; they only identify a relationship to the device itself, since the enrolled fingerprint is associated with that specific device, and a fingerprint can be duplicated well enough to pass as proper identification. Widely available resin adhesive has been used to create a thin film copy, for example, to mark attendance for friends at school. It has also been reported that not only can fingerprints be counterfeited (even from a photo taken at a distance), but that what most fingerprint sensors capture, partial fingerprints, are not that unique, particularly on inexpensive sensors like those found on typical mobile phones. Altogether, this casts some doubt on Samsung’s claims regarding its under-screen ultrasonic sensor. It is surely a better solution than previous attempts because, unlike standard sensors, it looks for something that only a live person can provide; not necessarily, though, the legitimate live person.
In most cases, just relying on one popular authentication method is not enough.
Is two-factor authentication (2FA) a foolproof method of security?
The logic is that if one factor is good, then two are better. The inherent problem with that position is that if one of the factors is weak, the attack surface becomes larger, not smaller. In addition, there are many 2FA combinations in which both factors are relatively easy to acquire through phishing or brute-force attacks. Some experts argue that facial recognition used in conjunction with fingerprint sensors could be a foolproof way of protecting data on personal devices. But organisations cannot rely on a device and a biometric together on the same “channel”. Beyond each factor being truly robust on its own, 2FA factors must also be independent of each other, so that compromising one does not compromise the other. Typical fingerprint implementations in cases like these work for low-risk operations, but for high-risk transactions they are not enough.
2FA has been bypassed using several different methods, including automated phishing attacks. At least as importantly, because it takes more time (higher “user friction”), the inconvenience has already proven to be more of an impediment to daily use than the promise of higher security has been an incentive to embrace it.
Why certified liveness detection is essential for anti-spoofing
Face biometrics have gained favor, and for many reasons. Besides the undeniable fact that humans recognize each other primarily through their faces, they are not intrusive to use, faces provide a tremendous amount of data to a sensor for much higher levels of certainty, and access to them is easier in a much wider variety of day-to-day circumstances. But, like other modalities, if not properly implemented, face biometrics can be compromised. While better matching accuracy in facial recognition is always welcome, it still does not verify that what the camera sees is a live human, arguably the most critical factor in authentication. True liveness detection in face authentication (of which facial recognition is a part) is the ability to verify dozens of unique human traits in real time. Liveness detection proves that the legitimate, correct person is alive and present at the time of access, and not a non-human representation of the real person, such as a photo, video or mask.