Skip to main content

Touch ID auth - a boon or bane?

With advancement of technology, applications are moving towards modern way of authentication from a traditional one. More and more biometric based authentication are being used apart from the password based. One of such example would be- Touch ID. Touch ID uses users' fingerprint to authenticate the user to device/ app.

How does it work- On a high level, when a user registers to choose to authenticate to his phone using his/ her fingerprints, the fingerprints are gets stored on the device in form of hashes. Next time when user tries authenticate self and submits his/ her fingerprints, the device matches the submitted fingerprint hash with the ones with already stored and takes decision whether to authenticate him/ her or not.

Sounds good, but what's the issue- It's a very convenient technology to open the phone with just a mild touch of your fingerprint. No need to remember/ change/ maintain PIN or passwords. It's more secure because it's completely unique, and it does not suffer from security issues which traditional ones suffer- guessing, brute-force, stealing etc.
Now, another side of the coin- security. How secure it is- it's pretty secure- till there's only one user registered. How about multi-user registration on same device- eg, husband and wife.
Now again, how about the apps using the Touch ID as an authentication- As mentioned above, one user, it's fine. Multi-user, if all are intended user of the app, again fine. But if not- in cases where if two friends have registered on the same phone to use it as a common phone to use all the apps- except sensitive ones such as banking apps. Each of the friends can access each other's account- sounds scary? Let's replace friends with acquaintances.

Many apps don't take care of the above scenarios. A trusted friend-turned-disgruntled steals the the phone and authenticates him/ her self to access other's account. Or, in a complex case, the phone is stolen by a third person, roots it ad replays the touch id tokens. Most of the apps have MFA- muti factor authentication- such as SMS OTP- but these are effective against traditional password based remote attacks. But not in this scenario- because the phone is already in attacker's possession and the SMS OTP would be received on the same device, defeating purpose of MFA. 

So there has to be some limitation/ controls on use of Touch ID authentication so that there's a fine balance between usability vs security. A few approaches are discussed below:

  • For the apps using Touch ID must take extra care on what to display and what not 'be default'. One default case would be just showing account summary/ balances. 
  • If someone try to gets past that screen, another form of MFA which is out-of-band which is not delivered on the same device must be used. Examples would be, hardware tokens. SMS OTP on same device is not an effective control.
  • Supplemented by account login passwords/ soft tokens, which are unknown to the attacker
  • Clearly devise a policy as what kind of transactions are protected by which control. For example, for High risk transactions, we need to have hardware tokens or randomly generated soft tokens protected by a static PIN which is only known to the legitimate user. Needless to say all of should be validated on server side.
All of the approached can be used in order to achieve mix and match between usability and security.


Popular posts from this blog

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated.
Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string.
This can be used for the bypass. It works for many servers, specially php servers. Th…

SQL Injection in search field

Earlier I had written about performing SQL injection in search field and how to do a DoS attack and privilege escalation using 'Like' operators. Now another SQLi exploitation I came across recently. That too in the search field. This becomes important as lots of people don't pay much attention on the search forms/ fields in the application. My aim is to show that a search form can also be exploited with SQL Injection. The following queries are based on a real world exploitation. The steps and data are for just illustration purpose only. Suppose, the search form provides the details of users who have accessed the application some time and their login time details etc, we just need to provide their name in the search box provided. All the data were being going as Post request. So, to just fingerprint the database, I provide, 'nil'+'esh' in the search field and it successfully gives me the results. That means the database behind the application is concatenat…

Insecure protocols

Some basic insecure protocols and risk associated with them: