Saturday, January 17, 2015

On fingerprint security in Android

Yesterday I read this article about how the upcoming Samsung Galaxy S6 will probably have a fingerprint reader in the style of the recent iPhones, as opposed to the swipe style reader that didn't seem to work nearly as well.  This was mildly exciting, except for the fact that: (1) I'm more of a "stock" Android guy, and not a big fan of Samsung's TouchWiz UI; (2) this isn't the first tap style fingerprint reader on Android (see Huawei Ascend Mate7), though from what I can tell it will be the first on the front of the phone; (3) this will still rely on Samsung's fingerprint processing infrastructure, as fingerprint support didn't make it into Android 5.0.
 
But still... progress is progress.  And when Google does get around to putting fingerprint support in the Android OS, the fact that the biggest Android OEM will likely have decent hardware to support it is probably a good thing.

This gets me to the question of whether fingerprints are a good security mechanism.  The short answer is that they are probably good enough, and at least better than the most common methods people otherwise use to secure their mobile devices: no security mechanism at all, or a 4-digit PIN.  Fingerprints do have their downsides, though: (1) they can be spoofed, even just from public photos; (2) once you "lose" your fingerprint, you can't change it the way you can change a password/PIN.

So this got me to thinking...  What if we could combine fingerprints with other security features?  The idea that popped into my head was a combination with the Smart Lock feature currently available in Android 5.0.  If you have a PIN or pattern lock screen, this feature allows you to skip the PIN/pattern if you are connected to a trusted device (e.g., car Bluetooth) or are at a trusted place (e.g., home).  It also includes face scanning (i.e., trusted face), but the potential for false positives there seems too large to trust.  Anyway, my idea is to combine fingerprint reading and trusted device (or maybe trusted place, though location data can be fuzzy).  So if you are connected to your home WiFi or your car Bluetooth, you could unlock your phone/tablet with a quick fingerprint scan, instead of entering your (hopefully long) lock screen PIN.
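To make the comparison concrete, here is a small model of the two unlock policies described above (stock Smart Lock, where a trusted device or place alone skips the PIN, versus the proposed "fingerprint plus trusted device" rule). This is an added example written for this post; it is not code from Android or from any OEM's fingerprint stack, and the factor names, policy tables and scenarios are all assumptions constructed here to show why combining factor classes raises the bar against a spoofed fingerprint or a phone stolen near its trusted device.

```python
from enum import Enum


class Factor(Enum):
    """Authentication signals, grouped by the classic factor classes."""
    PIN = "something you know"
    FINGERPRINT = "something you are"
    TRUSTED_DEVICE = "something you have (e.g. car Bluetooth)"
    TRUSTED_PLACE = "somewhere you are (e.g. home)"


# A policy is a list of rules; the device unlocks if ANY rule is fully satisfied.
# Stock Android 5.0 Smart Lock as described in the post: PIN, OR trusted device
# alone, OR trusted place alone (trusted face left out, as the post distrusts it).
STOCK_SMART_LOCK = [
    {Factor.PIN},
    {Factor.TRUSTED_DEVICE},
    {Factor.TRUSTED_PLACE},
]

# The proposed policy: PIN still works, but the convenience path requires a
# fingerprint AND a trusted device, two different factor classes.
PROPOSED_POLICY = [
    {Factor.PIN},
    {Factor.FINGERPRINT, Factor.TRUSTED_DEVICE},
]


def unlocks(policy, presented):
    """True if the set of presented factors satisfies at least one rule."""
    presented = set(presented)
    return any(rule <= presented for rule in policy)


def min_factors_to_defeat(policy):
    """Smallest number of factors an attacker must obtain or spoof to unlock
    via the weakest rule (higher is better for the defender)."""
    return min(len(rule) for rule in policy)


# Constructed scenarios: what an attacker (or the owner) can present.
SCENARIOS = {
    # Phone stolen from the car: attacker is in range of the trusted Bluetooth.
    "thief_near_trusted_car": {Factor.TRUSTED_DEVICE},
    # Fingerprint spoofed from a public photo, but attacker is elsewhere.
    "spoofed_print_elsewhere": {Factor.FINGERPRINT},
    # Owner unlocking in the car with a real finger.
    "owner_in_car": {Factor.FINGERPRINT, Factor.TRUSTED_DEVICE},
}


def evaluate(policy):
    """Map each scenario name to whether the policy would unlock the device."""
    return {name: unlocks(policy, factors) for name, factors in SCENARIOS.items()}


if __name__ == "__main__":
    for label, policy in (("stock", STOCK_SMART_LOCK), ("proposed", PROPOSED_POLICY)):
        print(label, evaluate(policy), "min factors to defeat:", min_factors_to_defeat(policy))
```

Under the stock table a thief standing next to the owner's car gets in with no biometric at all, while the proposed table refuses both that case and a spoofed fingerprint presented away from the trusted device; only the owner-in-car scenario unlocks. The weakest rule in each policy is still the single PIN, which is why the post hopes that PIN is a long one.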

Someone please make this happen.