As expected, the fingerprint swiper in the new Samsung Galaxy S5 is susceptible to spoofing by a fake fingerprint, just like Apple's Touch ID on the iPhone 5s and pretty much every similar fingerprint sensor on the market. But it also looks like there are a few things Apple did right that Samsung might want to look into incorporating in the future.
Biometrics are part of the same classic trade-off of convenience for security. They're not as good as a long, strong pseudo-random password but they're much quicker and easier to enter. (And in a perfect world we'd have the option for passcode/word + fingerprint to get some even more secure multifactor authentication going...) Here's what I wrote about Touch ID last year following similar spoofing attacks, and the poor reporting that followed them:
- Is Touch ID secure enough to keep your iPhone 5s safe?
- Terrible reporting about iPhone security leads to people being less secure. Great job, media!
And the Galaxy S5 after announcement:
It looks like Touch ID has educated the market at least enough to take the brunt — and the letters from Al Franken — off Samsung's back. However, according to the SRLabs video above, there are some risks involved with Samsung's technology that Apple has chosen to minimize or avoid.
Firstly, Samsung apparently allows unlimited attacks on their fingerprint sensor. You can try fingerprint after fingerprint and it will happily let you. Apple's Touch ID limits you to 5 unsuccessful attempts, then demands a passcode or password. If someone makes a perfect spoof immediately, that won't matter. If not, or if it doesn't register properly the first few times, it could help.
Secondly, Samsung allows fingerprint authentication even after the Galaxy S5 has been rebooted or simply powered back on or re-charged. Apple's Touch ID requires passcode or password re-entry under those conditions.
Thirdly, Samsung allows third parties to hook into their fingerprint authenticator. So, as shown in the video, they can get to PayPal and your money. Apple currently restricts Touch ID to only your Apple account. So, worst case, if Touch ID is spoofed, all an attacker can really do is buy stuff off iTunes or the App Store, much of which would be locked to your account. That's much less of an incentive to spoof prints.
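To make the first two differences concrete, here is a small model of the policy that sits around a fingerprint matcher. It is an added illustration, not Apple's or Samsung's code: the class, method and constant names are hypothetical, the match result is passed in rather than computed, and resetting the counter on a good match is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class UnlockGate:
    """Policy wrapped around a fingerprint matcher (hypothetical model)."""
    max_failures: Optional[int] = 5   # None = unlimited attempts
    passcode_after_boot: bool = True  # no fingerprints until a passcode is entered
    failures: int = 0
    needs_passcode: bool = True

    def __post_init__(self) -> None:
        self.reboot()  # a new gate starts in the just-powered-on state

    def reboot(self) -> None:
        self.failures = 0
        self.needs_passcode = self.passcode_after_boot

    def try_passcode(self, correct: bool) -> str:
        if not correct:
            return "denied"
        self.failures = 0
        self.needs_passcode = False
        return "unlocked"

    def try_fingerprint(self, matched: bool) -> str:
        if self.needs_passcode:
            return "passcode_required"  # the matcher is not even consulted
        if matched:
            self.failures = 0  # assumption: a good match resets the counter
            return "unlocked"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.needs_passcode = True
            return "passcode_required"
        return "retry"


def evaluated_attempts(gate: UnlockGate, tries: int) -> int:
    """How many bad prints the matcher evaluates after the owner's first unlock."""
    gate.try_passcode(True)
    count = 0
    while count < tries and not gate.needs_passcode:
        gate.try_fingerprint(False)
        count += 1
    return count


# Settings matching the behaviour the article attributes to each phone.
STRICT = dict(max_failures=5, passcode_after_boot=True)
PERMISSIVE = dict(max_failures=None, passcode_after_boot=False)
```

With the strict settings the matcher sees at most five bad prints before the passcode takes over, and a rebooted phone ignores even a matching print; with the permissive settings neither limit applies.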
There's as much tension between functionality and security as there is between convenience and security. Everyone wants to do more. Hey, I want Touch ID to unlock my house. But I understand securing the process was incredibly important and time-consuming for Apple. For example, they made it so that if you open up an iPhone and remove or otherwise try to tamper with the sensor it will never work again, ever. They also prevented third party access, at least for now.
Hopefully fingerprint sensors and biometrics in general can be hardened even further so that we can get both more functionality and security in the future.
For more on the Samsung Galaxy S5 and fingerprint spoofing, see:
I'm still using Touch ID all the time, because I understand the risks, the limitations, and the benefits. How about you? And if you're using a Samsung Galaxy S5, do the differences in implementation cause you to think differently about using fingerprint authentication?