Touch ID auth - a boon or bane?
With advancement of technology, applications are moving towards modern way of authentication from a traditional one. More and more biometric based authentication are being used apart from the password based. One of such example would be- Touch ID. Touch ID uses users' fingerprint to authenticate the user to device/ app.
How does it work- On a high level, when a user registers to choose to authenticate to his phone using his/ her fingerprints, the fingerprints are gets stored on the device in form of hashes. Next time when user tries authenticate self and submits his/ her fingerprints, the device matches the submitted fingerprint hash with the ones with already stored and takes decision whether to authenticate him/ her or not.
Sounds good, but what's the issue- It's a very convenient technology to open the phone with just a mild touch of your fingerprint. No need to remember/ change/ maintain PIN or passwords. It's more secure because it's completely unique, and it does not suffer from security issues which traditional ones suffer- guessing, brute-force, stealing etc.
Now, another side of the coin- security. How secure it is- it's pretty secure- till there's only one user registered. How about multi-user registration on same device- eg, husband and wife.
Now again, how about the apps using the Touch ID as an authentication- As mentioned above, one user, it's fine. Multi-user, if all are intended user of the app, again fine. But if not- in cases where if two friends have registered on the same phone to use it as a common phone to use all the apps- except sensitive ones such as banking apps. Each of the friends can access each other's account- sounds scary? Let's replace friends with acquaintances.
Many apps don't take care of the above scenarios. A trusted friend-turned-disgruntled steals the the phone and authenticates him/ her self to access other's account. Or, in a complex case, the phone is stolen by a third person, roots it ad replays the touch id tokens. Most of the apps have MFA- muti factor authentication- such as SMS OTP- but these are effective against traditional password based remote attacks. But not in this scenario- because the phone is already in attacker's possession and the SMS OTP would be received on the same device, defeating purpose of MFA.
So there has to be some limitation/ controls on use of Touch ID authentication so that there's a fine balance between usability vs security. A few approaches are discussed below:
- For the apps using Touch ID must take extra care on what to display and what not 'be default'. One default case would be just showing account summary/ balances.
- If someone try to gets past that screen, another form of MFA which is out-of-band which is not delivered on the same device must be used. Examples would be, hardware tokens. SMS OTP on same device is not an effective control.
- Supplemented by account login passwords/ soft tokens, which are unknown to the attacker
- Clearly devise a policy as what kind of transactions are protected by which control. For example, for High risk transactions, we need to have hardware tokens or randomly generated soft tokens protected by a static PIN which is only known to the legitimate user. Needless to say all of should be validated on server side.
All of the approached can be used in order to achieve mix and match between usability and security.