
Wednesday, 16 April 2014

The Samsung Galaxy S5 fingerprint sensor has been spoofed - what can be done to prevent it

With the recent news that researchers from SR Labs in Germany have successfully fooled (spoofed) the Samsung Galaxy S5's integrated fingerprint sensor, allowing unauthorised access to the device and the ability to make payments using the PayPal app, there are questions as to how secure fingerprint biometrics are for authentication. These questions are justified.

An authentication solution can be convenient but it must also be secure.  

A fingerprint biometric can be more convenient than using a PIN or password, especially on a mobile phone. By touching or swiping a finger over a sensor a person can quickly unlock a device, gain access to an account or make a payment. However, if the sensor can be easily fooled then the solution is fundamentally flawed.

The key point in my last sentence was "easily fooled". Attacks on fingerprint biometric systems are relatively difficult to carry out. As Marc Rogers from Lookout Mobile Security pointed out in his blog from last year - "Why I hacked Apple's Touch ID and still think it's awesome" - an attacker needs access to the device and then a lot of kit to physically create the fake fingerprint. As Rogers stated, this can be "tricky" and is probably not within the reach of your average street thief. However, with the right equipment and a little ingenuity it can be done.

So what can be done to ensure we benefit from the convenience of biometric authentication on mobile devices but also have a level of assurance that the solution is difficult to spoof and attack? 

One solution is to improve the anti-spoofing solutions within the biometric system. NexID Biometrics develops spoof mitigation and liveness detection solutions including its Mobile Live Finger Detection (LFD) software. The company claims that the solution can help ensure that the fingerprint system is not spoofed and states that authentication accuracy is as high as 94-97 percent. 

I spoke with NexID Biometrics' COO, Mark Cornett, to get his views on this, and he said: "While Apple validated the convenience of fingerprint authentication on mobile devices, the spoof of the iPhone 5S should have sent a signal to other device manufacturers that while providing users with convenient authentication, the current level of security is vulnerable to spoofing. The layers of security for unlocking mobile devices and their applications need to be stronger to properly meet the needs of users, and facilitators of mobile commerce and BYOD policies. Now that the two largest distributors of mobile devices in the world have had their solutions spoofed, they will hopefully add liveness detection solutions to mitigate this vulnerability and thereby instil confidence in the use of mobile device fingerprint authentication."

As well as anti-spoofing and liveness detection solutions, there are other tools that can be deployed to improve the security of these emerging authentication solutions. These include combining biometric authentication with other factors as part of a multi-factor authentication solution - especially useful for step-up verification where a high level of user assurance is required.

I am a big fan of behavioural, or gesture, biometrics, where the device learns how a specific user engages with their mobile device to create a profile that can be used as part of a risk-based authentication solution. By combining behavioural biometrics with fingerprint authentication, a greater level of trust in who is actually using the device can be created. And when an unauthorised user attempts to spoof the system by using a gummy bear or wood glue mould, the authentication service can request another level of authentication to ensure that it is the valid owner of the phone and service. The importance of the link between the end user authentication client and cloud-based risk-based (anti-fraud) solutions, especially in financial services, cannot be overstated.
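As an added illustration of the policy this paragraph describes (this is not code from the post or from any vendor named in it), the Go sketch below keeps a running profile of how the owner handles the phone, scores a new session against that profile, and asks for a further factor when the fingerprint sensor reports a match but the behaviour does not look like the owner's. The feature set, the threshold and the sample values are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Decision is the outcome of the risk-based policy.
type Decision int

const (
	Allow  Decision = iota // fingerprint matched and behaviour looks like the owner's
	StepUp                 // ask for a further factor (e.g. password) before proceeding
	Deny                   // fingerprint did not match at all
)

func (d Decision) String() string { return [...]string{"Allow", "StepUp", "Deny"}[d] }

// Sample is one set of gesture measurements taken while the user handles the
// phone. The feature set is a constructed assumption, not any vendor's.
type Sample struct {
	SwipeSpeed  float64 // pixels per ms on the unlock swipe
	TouchArea   float64 // mm^2 of fingertip contact
	HoldAngle   float64 // degrees of tilt while the phone is held
	TapInterval float64 // ms between taps on the keypad
}

func (s Sample) features() [4]float64 {
	return [4]float64{s.SwipeSpeed, s.TouchArea, s.HoldAngle, s.TapInterval}
}

// Profile keeps a running mean and variance per feature (Welford's algorithm),
// so the phone learns how its owner handles it over time.
type Profile struct {
	n    int
	mean [4]float64
	m2   [4]float64
}

// Learn folds one owner session into the profile.
func (p *Profile) Learn(s Sample) {
	p.n++
	for i, x := range s.features() {
		delta := x - p.mean[i]
		p.mean[i] += delta / float64(p.n)
		p.m2[i] += delta * (x - p.mean[i])
	}
}

// RiskScore is the mean absolute z-score of the sample against the profile:
// 0 means "exactly like the owner", larger values mean less familiar behaviour.
// With fewer than two learned sessions there is nothing to compare against, so
// the score is infinite and the policy falls through to step-up.
func (p *Profile) RiskScore(s Sample) float64 {
	if p.n < 2 {
		return math.Inf(1)
	}
	var total float64
	for i, x := range s.features() {
		sd := math.Sqrt(p.m2[i] / float64(p.n-1))
		if sd < 1e-9 {
			sd = 1e-9 // avoid dividing by zero on a perfectly constant feature
		}
		total += math.Abs((x - p.mean[i]) / sd)
	}
	return total / 4
}

// Decide combines the sensor result with the behavioural risk score.
// threshold is the mean z-score above which behaviour is treated as unfamiliar.
func Decide(fingerprintMatched bool, risk, threshold float64) Decision {
	switch {
	case !fingerprintMatched:
		return Deny
	case risk > threshold:
		return StepUp // the finger matched, but this does not look like the owner
	default:
		return Allow
	}
}

func main() {
	var owner Profile
	// Constructed owner sessions with a little natural variation.
	for i := 0; i < 10; i++ {
		f := float64(i)
		owner.Learn(Sample{1.0 + 0.02*f, 60 + f, 30 + 0.5*f, 150 + 2*f})
	}
	normal := Sample{1.10, 65, 32, 160}
	spoofer := Sample{2.0, 90, 45, 300} // mould passed the sensor, but handled very differently
	fmt.Println("owner:  ", Decide(true, owner.RiskScore(normal), 2.0))
	fmt.Println("spoofer:", Decide(true, owner.RiskScore(spoofer), 2.0))
	fmt.Println("no match:", Decide(false, owner.RiskScore(normal), 2.0))
}
```

The threshold is a policy knob: a lower value sends more sessions to step-up, which is exactly the trade-off between assurance and convenience the post returns to below.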

There are ways in which you can improve the security of mobile-based biometric authentication solutions and deter the type of spoofing attack that has been witnessed with the Samsung Galaxy S5 - I have only scratched the surface of what is possible.

However, an enhancement to the security of the biometric solution should not come at the expense of convenience and usability. 

Mobile device manufacturers and service providers are turning to biometrics because they can enhance the usability of the authentication experience - this must not be altered.

Wednesday, 26 February 2014

Samsung leads the way in mobile biometrics with the Samsung Galaxy S5

In an announcement to a packed auditorium at Mobile World Congress 2014 on the evening of 24 February 2014, Samsung launched its latest flagship Galaxy smartphone, the S5, containing an integrated fingerprint sensor.

We still need more information on the specifics of how the sensor will operate and interact with the associated services but this is what we know.

The S5 fingerprint sensor is a swipe sensor located on the front of the device, underneath the physical home button.

In a promising move, Samsung has initially linked the sensor to four consumer and enterprise services:
  • Phone unlock
  • Private Mode protection, to protect important documents contained in a secure vault
  • Mobile payments via the pre-installed PayPal app
  • As part of a multifactor authentication (MFA) solution (fingerprint + password) for Knox 2.0 authentication
According to reports, the fingerprint service can register three separate fingerprints and takes up to eight swipes to initially register a user's fingerprint as part of the enrolment process.

The mobile payments app is provided by PayPal, who have been working on the development of the supporting ecosystem for a number of years. It leverages a combination of hardware and software services that include:
  • Integrated fingerprint sensor
  • Hardware security environment provided by TrustZone (Secure Element, SE, and Trusted Execution Environment, TEE)
  • Secure authentication protocol and infrastructure (mobile client and server) as part of FIDO Alliance OSTP and commercialised by Nok Nok Labs
  • Merchant service infrastructure to support PayPal mobile payments

Hill Ferguson, chief product officer, PayPal, commented on the development: "By working with Samsung to leverage fingerprint authentication technology on their new Galaxy S5, we are able to demonstrate that consumers don't need to face a tradeoff between security and convenience."

By leveraging the FIDO-ready software, PayPal says that customers can use their finger to pay on the device securely without revealing their fingerprint templates. The FIDO-aware software, created by Nok Nok Labs, communicates between the fingerprint sensor on their phone and its service in the cloud. The only information the device shares with PayPal is a unique encrypted key that is used for identifying the customer without having to store any biometric information on PayPal’s servers.
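The paragraph above gives the FIDO pattern in outline. As an added example that is not PayPal's, Nok Nok Labs' or Samsung's code, the Go sketch below models it with an Ed25519 key pair: the device keeps the fingerprint template and the private key (standing in for what TrustZone protects on the S5), the server stores only the public key, and a login is a signature over a fresh server challenge that the device will only produce after a local fingerprint match. Two simplifications are assumptions of this example: the "unique encrypted key" the post mentions is modelled as the registered public key, and the exact-match check on a hashed sample stands in for real fuzzy fingerprint matching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator models the device side. The template hash and the private key
// never leave it; on the S5 they would sit behind TrustZone, here they are
// plain fields (an assumption of this toy model).
type Authenticator struct {
	templateHash [32]byte // hypothetical stand-in for the enrolled fingerprint template
	priv         ed25519.PrivateKey
	Pub          ed25519.PublicKey // the only thing ever shared with the relying party
}

// Enrol captures a fingerprint sample locally and mints a fresh key pair.
func Enrol(sample []byte) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{templateHash: sha256.Sum256(sample), priv: priv, Pub: pub}, nil
}

// matches simulates the on-device comparison. Real sensors do fuzzy matching;
// an exact hash comparison is used here only to keep the protocol visible.
func (a *Authenticator) matches(sample []byte) bool {
	h := sha256.Sum256(sample)
	return subtle.ConstantTimeCompare(h[:], a.templateHash[:]) == 1
}

// SignChallenge releases a signature over the server's challenge only after a
// local match. The sample itself is neither returned nor transmitted.
func (a *Authenticator) SignChallenge(sample, challenge []byte) ([]byte, error) {
	if !a.matches(sample) {
		return nil, errors.New("fingerprint did not match the local template")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Server models the relying party (PayPal in the post). Note what it stores:
// a public key per user and nothing biometric.
type Server struct {
	users map[string]ed25519.PublicKey
}

func NewServer() *Server { return &Server{users: map[string]ed25519.PublicKey{}} }

// Register stores the device's public key against the account.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// NewChallenge issues a random nonce; signing it proves possession of the key
// for this login only, so a captured signature cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks the signature with the stored public key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	finger := []byte("constructed-fingerprint-sample") // stands in for sensor output
	auth, err := Enrol(finger)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("alice", auth.Pub) // registration: public key only crosses the network

	ch, _ := srv.NewChallenge()
	sig, err := auth.SignChallenge(finger, ch)
	fmt.Println("owner login verified:", err == nil && srv.Verify("alice", ch, sig))

	_, err = auth.SignChallenge([]byte("someone else's finger"), ch)
	fmt.Println("wrong finger refused locally:", err != nil)
	fmt.Println("old signature on new challenge:", func() bool { c2, _ := srv.NewChallenge(); return srv.Verify("alice", c2, sig) }())
}
```

The property the post emphasises falls out of the data flow: a breach of the server's user table yields public keys, which cannot be turned back into fingerprints or used to log in, and a spoofed sensor is still limited to the one device whose private key it sits next to.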

The fingerprint template is securely stored within the SE and is protected by ARM’s TrustZone environment. This makes it difficult to access or tamper with the biometric template and also allays privacy concerns of having to store a fingerprint in a networked database.

This is extremely positive news for the whole industry.

This is an extract from an analysis of the Samsung S5 found in a Goode Intelligence Market Intelligence report (Fingerprint Biometrics Market Intelligence third edition)