Expert response to banks using fingerprint technology

Dr Eerke Boiten

An article published on the BBC news website reports that two banks are allowing their customers to access accounts on their smartphones using fingerprint recognition technology. The School of Computing’s Eerke Boiten responds to the use of this technology:

‘If users “must activate the feature with their security information, but would only need to use Apple’s Touch ID thereafter”, then there is some scope for worry.

‘Biometric sensors like fingerprint scanners need to tune their acceptance criteria to balance false acceptance (the sensor says it is the person, but really it isn’t) versus false rejection. Unavoidably, one goes down when the other goes up.

‘People don’t want to be locked out of their own phones – so for this kind of sensor, false rejection rates are set low, making false acceptance rates relatively high. Apple don’t seem to have published these rates, but there also aren’t reports out there of people unlocking others’ iPhones. Funnily enough, in this context it helps for iPhone thieves to belong to a large criminal organisation: more fingers to try!

‘In theory, the sensor could be used in a 3-factor authentication system for banking, requiring something people know (password), something they own (the mobile), plus something they are (the fingerprint). That must be more secure than just using the first two of those like many electronic banking systems do currently.

‘However, the suggestion here is that the password would be no longer necessary after first registration – that brings us down to 2 factors. These iPhone fingerprint scanners were also spoofed within weeks of release so either spoofing or false acceptance rate will seriously undermine the “something you are” factor once the mobile has been stolen.

‘All in all it looked like having a potential for increasing security, but (presumably because of an emphasis on usability) it creates new security risks of a different kind.

‘Aside: it is interesting that this would now be possible, as Apple were originally saying they wouldn’t make this available for third-party use. It does erode Apple’s own iPhone security by making it more financially attractive for criminals to try to break Touch ID.’
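The false acceptance / false rejection trade-off described above, as an added worked example. This is not code from the article, from Apple, or from either bank; it is an illustration of how a matcher's acceptance threshold moves the two error rates in opposite directions. The genuine and impostor match scores are constructed, hypothetical values (a real sensor's scores and rates are not published in the article), and the function names are the example's own.

```python
"""
FAR / FRR trade-off of a biometric matcher (added illustration).

Model: a matcher produces a similarity score in [0, 1] for each attempt
and accepts when score >= threshold. Genuine attempts come from the
enrolled user; impostor attempts from other people's fingers.

  FAR (false acceptance rate) = impostor attempts accepted / impostor attempts
  FRR (false rejection rate)  = genuine attempts rejected / genuine attempts

Raising the threshold lowers FAR and raises FRR; lowering it does the
reverse. A usability-driven setting (keep FRR low so owners are not
locked out) therefore comes with a comparatively high FAR.
"""
from typing import Iterable, List, Tuple

# Constructed sample scores, not measurements from any real sensor.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.60]
IMPOSTOR_SCORES: List[float] = [0.15, 0.22, 0.30, 0.35, 0.41, 0.48, 0.55, 0.62, 0.68, 0.75]


def false_accept_rate(impostor_scores: Iterable[float], threshold: float) -> float:
    """Fraction of impostor attempts the matcher accepts at this threshold."""
    scores = list(impostor_scores)
    accepted = sum(1 for s in scores if s >= threshold)
    return accepted / len(scores)


def false_reject_rate(genuine_scores: Iterable[float], threshold: float) -> float:
    """Fraction of genuine attempts the matcher rejects at this threshold."""
    scores = list(genuine_scores)
    rejected = sum(1 for s in scores if s < threshold)
    return rejected / len(scores)


def tradeoff_table(genuine: List[float], impostor: List[float],
                   thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for each threshold, to show the opposite trends."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def threshold_for_max_frr(genuine: List[float], impostor: List[float],
                          max_frr: float) -> Tuple[float, float]:
    """Usability-driven tuning: the highest threshold whose FRR stays within
    max_frr, together with the FAR that choice costs. Candidate thresholds
    are the observed scores, since FAR/FRR only change at those points."""
    candidates = sorted(set(genuine) | set(impostor))
    best = candidates[0]  # lowest score: everyone accepted, FRR = 0
    for t in candidates:  # ascending, so the last acceptable t is the highest
        if false_reject_rate(genuine, t) <= max_frr:
            best = t
    return best, false_accept_rate(impostor, best)


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, [0.5, 0.6, 0.7, 0.8]):
        print(f"{t:>9.2f}  {far:.2f}  {frr:.2f}")
    t, far = threshold_for_max_frr(GENUINE_SCORES, IMPOSTOR_SCORES, max_frr=0.0)
    print(f"never lock out the owner (FRR 0): threshold {t:.2f}, FAR {far:.2f}")
```

Running the block prints a small table in which FAR falls and FRR climbs as the threshold rises; the last line shows the cost of the "never reject the owner" setting: on these constructed scores, three impostor attempts in ten are accepted. With a real sensor the distributions overlap less than in this toy data, but the direction of the trade-off is the same, and it is the reason a low-FRR consumer setting is a weaker "something you are" factor than the raw idea suggests.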