Skip to main content

Touch ID auth - a boon or bane?

With advancement of technology, applications are moving towards modern way of authentication from a traditional one. More and more biometric based authentication are being used apart from the password based. One of such example would be- Touch ID. Touch ID uses users' fingerprint to authenticate the user to device/ app.

How does it work- On a high level, when a user registers to choose to authenticate to his phone using his/ her fingerprints, the fingerprints are gets stored on the device in form of hashes. Next time when user tries authenticate self and submits his/ her fingerprints, the device matches the submitted fingerprint hash with the ones with already stored and takes decision whether to authenticate him/ her or not.

Sounds good, but what's the issue- It's a very convenient technology to open the phone with just a mild touch of your fingerprint. No need to remember/ change/ maintain PIN or passwords. It's more secure because it's completely unique, and it does not suffer from security issues which traditional ones suffer- guessing, brute-force, stealing etc.
Now, another side of the coin- security. How secure it is- it's pretty secure- till there's only one user registered. How about multi-user registration on same device- eg, husband and wife.
Now again, how about the apps using the Touch ID as an authentication- As mentioned above, one user, it's fine. Multi-user, if all are intended user of the app, again fine. But if not- in cases where if two friends have registered on the same phone to use it as a common phone to use all the apps- except sensitive ones such as banking apps. Each of the friends can access each other's account- sounds scary? Let's replace friends with acquaintances.

Many apps don't take care of the above scenarios. A trusted friend-turned-disgruntled steals the the phone and authenticates him/ her self to access other's account. Or, in a complex case, the phone is stolen by a third person, roots it ad replays the touch id tokens. Most of the apps have MFA- muti factor authentication- such as SMS OTP- but these are effective against traditional password based remote attacks. But not in this scenario- because the phone is already in attacker's possession and the SMS OTP would be received on the same device, defeating purpose of MFA. 

So there has to be some limitation/ controls on use of Touch ID authentication so that there's a fine balance between usability vs security. A few approaches are discussed below:

  • For the apps using Touch ID must take extra care on what to display and what not 'be default'. One default case would be just showing account summary/ balances. 
  • If someone try to gets past that screen, another form of MFA which is out-of-band which is not delivered on the same device must be used. Examples would be, hardware tokens. SMS OTP on same device is not an effective control.
  • Supplemented by account login passwords/ soft tokens, which are unknown to the attacker
  • Clearly devise a policy as what kind of transactions are protected by which control. For example, for High risk transactions, we need to have hardware tokens or randomly generated soft tokens protected by a static PIN which is only known to the legitimate user. Needless to say all of should be validated on server side.
All of the approached can be used in order to achieve mix and match between usability and security.

Comments

Post a Comment

Popular posts from this blog

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated. Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string. This can be used for the bypass. It works for many servers, specially php servers. T...
1 comment
Read more

'Information Leakage-Improper Error Handling' dropped

From Owasp Top 10 2010 List, the issue 'Information Leakage-Improper Error Handling' has been dropped. But it's not the final list,its child release actually. Bu I feel it shouldn't be set aside because its still the one of the prevalent issues these days. That's why I mailed to Dave Wicher: Hi Dave, Excellent work, Congrats! Just one little query- Don't you think that Information Leakage & Improper Error Handling still deserves to be in Top 10? Dave replied: This topic is clearly a very prevalent issue that deserves attention by most organizations. However, the typical impact of such a flaw is usually very low. Therefore, the overall risk of this type of flaw is lower than the other items in the top 10, which is why it was replaced in this update with one of the 2 new items. Regarding dropping Info Leak/Error handling - It is incredibly prevalent, no question. But their impact is typically very low, so the overall risk is low, which is why it fell out of t...
3 comments
Read more

jtool - an alternative to otool

jtool comes with a capability of running on Linux environment. Some ipa scanning tools are created to run on Linux environment where mac environment is not available. In such cases tools such as otool and class-dump-z will not work. So jtool can be an alternative to otool. For more information on jtool please refer to http://www.newosxbook.com/tools/jtool.html . It lists down various commands which have same output as otool or a equivalent. There are several commands mentioned in link. But for our customized requirements and basis checks I have listed down the below ones after running on many binaries. The outputs are similar or equivalent to otool and class-dump-z: Commands for checking PIE flag (ASLR) in jTool jtool -d -v -arch | grep stack ·           Automatic Reference Counting (ARC) protection: jtool -d -v -arch | grep _objc_release ·           To check if the devic...
1 comment
Read more