As expected, the fingerprint swiper in the new Samsung Galaxy S5 is susceptible to spoofing with a fake fingerprint, just like Apple's Touch ID on the iPhone 5s and pretty much every similar fingerprint sensor on the market. But it also looks like there are a few things Apple did right that Samsung might want to look into incorporating in the future.
Biometrics sit on the same classic trade-off between convenience and security. They're not as good as a long, strong pseudo-random password, but they're much quicker and easier to enter. (And in a perfect world we'd have the option of passcode/password + fingerprint, so the biometric becomes a second factor rather than a replacement for the first...) Here's what I wrote about Touch ID last year following similar spoofing attacks, and the poor reporting that followed them:
- Is Touch ID secure enough to keep your iPhone 5s safe?
- Terrible reporting about iPhone security leads to people being less secure. Great job, media!
And the Galaxy S5 after announcement:
It looks like Touch ID has educated the market enough that Samsung is taking less heat (and fewer letters from Al Franken) than Apple did. However, according to the SRLabs video above, there are some risks in Samsung's implementation that Apple has chosen to minimize or avoid.
First, Samsung apparently allows unlimited attempts on its fingerprint sensor: you can try fingerprint after fingerprint and it will happily keep checking them. Apple's Touch ID allows five unsuccessful attempts, then demands the passcode or password. If an attacker has a perfect spoof on the first try, that limit won't matter. If not, or if the spoof doesn't register properly in the first few tries, the limit could be what keeps them out.
Second, Samsung allows fingerprint authentication even after the Galaxy S5 has been rebooted, powered off and back on, or recharged. Touch ID requires passcode or password re-entry under those conditions, so a spoofed print alone isn't enough to get into a phone that has been powered off.
Third, Samsung lets third parties hook into its fingerprint authenticator. So, as shown in the video, a spoofed print gets an attacker into PayPal and your money. Beyond unlocking the device, Apple currently restricts Touch ID to your Apple account. So, worst case, if Touch ID is spoofed, all an attacker can really do is buy stuff off iTunes or the App Store, much of which is locked to your account. That's much less of an incentive to spoof prints.
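The three differences above are policy decisions layered on top of the sensor, not properties of the sensor itself. The following toy model, added here and not code from Samsung, Apple or SRLabs, treats each of them as a configuration switch and simulates an attacker presenting a series of spoofed prints. The matcher is deliberately out of scope: each presentation is just a boolean saying whether the sensor would accept that particular spoof. The attempt limit of 5 is the figure given above for Touch ID; the policy names, the "payment_app" caller and the spoof success sequence are constructed assumptions.

```python
"""Toy model of a fingerprint-unlock policy (added example, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UnlockPolicy:
    name: str
    max_failures: Optional[int]   # None means unlimited fingerprint attempts
    passcode_after_boot: bool     # require the passcode before any biometric use
    third_party_allowed: bool     # may apps other than the OS consume a match?


# Hypothetical policies mirroring the post's description of each phone.
PERMISSIVE = UnlockPolicy("permissive (S5-like)", None, False, True)
STRICT = UnlockPolicy("strict (Touch ID-like)", 5, True, False)


class FingerprintGate:
    """Decides whether a sensor match is allowed to unlock anything."""

    def __init__(self, policy: UnlockPolicy):
        self.policy = policy
        self.failures = 0
        # A freshly booted device starts locked to the passcode if the policy says so.
        self.passcode_required = policy.passcode_after_boot

    def enter_passcode(self, correct: bool) -> bool:
        if correct:
            self.failures = 0
            self.passcode_required = False
        return correct

    def reboot(self) -> None:
        self.failures = 0
        self.passcode_required = self.policy.passcode_after_boot

    def present_finger(self, sensor_match: bool, caller: str = "os") -> str:
        """Outcome of one presentation: the policy gates what the match is worth."""
        if self.passcode_required:
            return "passcode_required"
        if caller != "os" and not self.policy.third_party_allowed:
            return "denied_third_party"
        if sensor_match:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        limit = self.policy.max_failures
        if limit is not None and self.failures >= limit:
            self.passcode_required = True   # fall back to the knowledge factor
        return "rejected"


def run_spoof_attack(policy: UnlockPolicy, spoof_results: List[bool],
                     owner_unlocked_since_boot: bool) -> Tuple[str, int]:
    """Feed a sequence of spoof attempts to the gate.

    Returns the final outcome and how many presentations actually reached the
    matcher before the attacker either got in or was forced to the passcode.
    """
    gate = FingerprintGate(policy)
    if owner_unlocked_since_boot:
        gate.enter_passcode(True)   # owner used the phone normally after boot
    presented = 0
    for result in spoof_results:
        outcome = gate.present_finger(result)
        if outcome == "passcode_required":
            return outcome, presented
        presented += 1
        if outcome == "unlocked":
            return outcome, presented
    return "rejected", presented


def third_party_outcome(policy: UnlockPolicy) -> str:
    """A payment app asks the gate to honour a (spoofed) match directly."""
    gate = FingerprintGate(policy)
    gate.enter_passcode(True)
    return gate.present_finger(True, caller="payment_app")


if __name__ == "__main__":
    # Constructed scenario: the first six spoofs fail, the seventh is good enough.
    spoofs = [False] * 6 + [True]
    for policy in (PERMISSIVE, STRICT):
        print(policy.name)
        print("  phone in use :", run_spoof_attack(policy, spoofs, True))
        print("  after reboot :", run_spoof_attack(policy, spoofs, False))
        print("  payment app  :", third_party_outcome(policy))
```

With the constructed sequence, the permissive policy lets the seventh spoof through whether or not the phone was just rebooted; the strict policy stops the attacker after five presentations on a phone in use, and after zero on a rebooted one. A spoof that works on the first try defeats both, which is exactly the caveat made above: the attempt limit buys time against imperfect spoofs, not immunity.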
There's as much tension between functionality and security as there is between convenience and security. Everyone wants to do more. Hey, I want Touch ID to unlock my house. But I understand that securing the process was incredibly important and time-consuming for Apple. For example, if you open up an iPhone and remove or otherwise tamper with the sensor, it will never work again. They also prevented third-party access, at least for now.
Hopefully fingerprint sensors and biometrics in general can be hardened even further so that we can get both more functionality and security in the future.
For more on the Samsung Galaxy S5 and fingerprint spoofing, see:
I'm still using Touch ID all the time, because I understand the risks, the limitations, and the benefits. How about you? And if you're using a Samsung Galaxy S5, do the differences in implementation cause you to think differently about using fingerprint authentication?