The title of this post is borrowed from Dustin Kirkland's blog, in which he discusses in some detail the issues with biometrics being used as a method of authentication.
When Apple launched Touch ID on the iPhone and iPad, I was skeptical. Fingerprints are not equivalent to a password or PIN in three major ways:
- You leave fingerprints everywhere, including the device that uses them to authenticate you
- You can't change fingerprints; if they're compromised, there's no recourse
- Fingerprints are something you are, rather than something you know
When you move from a PIN to fingerprints for authentication, it's important to understand these differences.
Identity vs. Knowledge
The third item calls out the distinction between identity and knowledge. There are both technical and legal implications of this distinction.
On the technical side, something you are can be leveraged against your will. It's perfectly possible to knock someone unconscious and use their fingerprint to unlock a device. In a more movie-plot scenario, the hero or villain will often cut off the scientist's hand to gain access to the lab. It's worth noting that there are equivalent techniques for passwords, though I'm not sure how often they are used in practice.
The legal side is more interesting. Back in 2013, Wired reported that the fifth amendment, which protects citizens from self-incrimination, applies for passwords and PINs, but not for biometric authentication. The courts have essentially enshrined the distinction between identity and knowledge in law. If this doesn't make sense, consider the long-standing practice of identifying and fingerprinting suspects when they are arrested, even against their will.
This legal interpretation was validated in a legal decision in 2015 in Virginia:
Judge Frucci found that Baust could not be compelled to provide his passcode to access the smartphone, but could be compelled to produce his fingerprint to access the phone.
It would not be so surprising if this precedent were upheld in other jurisdictions. In short, it seems that the government can force you to reveal aspects of your identity much more readily than they can coerce you to reveal information, especially if that information would incriminate you.
A Way to Force Password/PIN Unlock: LockPrint
Now that the Android ecosystem has gained fingerprint authentication via Nexus Imprint I've had a chance to play with it. I think fingerprints are an interesting trade-off between convenience and security, and are fast and easy enough to use that they might be a wonderful way to convince folks that would otherwise use no screen lock at all to have some form of authentication on their phone.
But here's my suggestion for Google: LockPrint. Users are already allowed to register fingers used to unlock their device, but I would love to see another set of fingers that could be used to lock it. Here's how it works.
The phone can typically be unlocked by having the user touch the sensor with a finger. When the fingerprint is read and matches one of the fingerprints registered to unlock the device, the screen comes on and the device is unlocked. With LockPrint, you could also register fingers, that, when scanned, would disable the fingerprint sensor and require that the device be unlocked using a password or PIN. This would allow you to, just by handling the phone in the act of handing it to someone or even reaching into your pocket or purse to fetch it, force it to require a password or PIN. This could be useful in dealings with criminals, law enforcement, or any situation out of the ordinary where you felt that your data should have a higher level of security than normal.
This approach would be similar to 'deniable encryption', a technique designed to avert 'rubber hose cryptanalysis' techniques. Deniable encryption permits encrypted data to be unlocked with multiple passwords, some of which reveal the real data, while others reveal a dummy payload designed to distract or misdirect the attacker. In the case of LockPrint, the locking fingerprint could be entered surreptitiously or overtly, but instead of unlocking the phone with no data made available, it would force a PIN to be entered to unlock the phone.
A more elaborate approach would be to have LockPrint unlock a blank user profile that allowed the phone to be unlocked and usable, but without providing access to any useful information or history. Meanwhile, the real profile would remain encrypted and only be accessible via password or PIN entry.