Though the FBI has already hacked into the iPhone of suspected San Bernardino shooter Syed Rizwan Farook, there’s something missing — Mr. Kokumai, President of Mnemonic Security, Inc., explains the reality of backdoors in our smartphones.
It appears that something crucial is overlooked in the heated debates about the backdoor on smartphones, which is the focus point of the recent events with Apple and the FBI that have drawn a lot of attention worldwide.
Hitoshi Kokumai, President, Mnemonic Security, Inc., would like to point out that there already exists a backdoor on many of the latest smartphones, namely a fingerprint scanner, or a camera with software for capturing faces, irises and other body features, all of which can easily be collected from unyielding, sleeping, unconscious or dead people.
Let us imagine that we are looking at two models of smartphones – Model A with a PIN code and Model B with a PIN code and a fingerprint scan. Which of the two models do you think is more secure?
– When you hear that Model A is protected by a PIN code while Model B is protected by both a PIN code and fingerprints
– When you hear that Model A can be unlocked by a PIN code while Model B can be unlocked by both a PIN code and fingerprints
– When you hear that Model A can be attacked only through the PIN code while Model B can be attacked through both the PIN code and fingerprints
Is your answer the same in all three situations?
Now let us imagine that there are two houses – (1) with one entrance and (2) with two entrances placed in parallel, not in tandem. Which house is safer against burglars?
Every one of us will agree that the answer is plainly (1). Nobody would dare to allege that (2) is safer because it is protected by two entrances. Similarly, login by a PIN code/password alone is more secure than login by a biometric sensor backed up by a fallback PIN code/password.
Both of the two or Either of the two?
Biometric products could help improve cyber security ONLY WHEN they are operated together with a password by AND/conjunction (we must pass both the biometric check and the password), NOT WHEN they are operated with a password by OR/disjunction (we need only pass either one of the two), as in the case of the above-mentioned house with two entrances and most of the biometric products on the market.
Biometrics and passwords operated together by OR/disjunction only increase convenience at the cost of security. If we mix up the case of OR/disjunction with that of AND/conjunction, we are trapped in a false sense of security (we wrongly feel safer when we are actually less safe).
Two-factor authentication or “below-one” factor authentication?
Biometric products operated together with a fallback password, which can be compared to a house with two entrances placed in parallel (not in tandem), may be defined as “below-one” factor authentication because they offer a lower level of security than password-only one-factor authentication.
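The OR/AND argument above and the “below-one” factor definition can be put into numbers. The following is an added illustration, not code or data from the article: it models each authenticator only by the probability that an impostor's attempt is accepted within one lockout window, composes two authenticators by OR (fallback) and by AND (conjunction), and labels the result relative to the PIN-only baseline. All rates are constructed for the example (a 4-digit PIN with 10 tries before lockout, an assumed sensor false-acceptance rate, and a second scenario where the owner's own finger is presented to the sensor while the owner is asleep or coerced, so the biometric accepts with certainty); they are not measurements of any product.

```python
"""Impostor success under OR (fallback) versus AND (conjunction) composition.

Added illustration; all rates below are constructed, not measured.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Factor:
    """One authenticator, modelled only by the probability that an impostor's
    attempt is accepted (false acceptance) within one lockout window."""
    name: str
    false_accept: float


def impostor_success_or(factors: Iterable[Factor]) -> float:
    """Disjunction: the device unlocks if ANY factor accepts (biometric with
    fallback PIN). The impostor fails only if every factor rejects, so
    P(success) = 1 - prod(1 - p_i), which is never lower than the weakest
    factor on its own: the second entrance only adds attack surface."""
    reject_all = 1.0
    for f in factors:
        reject_all *= 1.0 - f.false_accept
    return 1.0 - reject_all


def impostor_success_and(factors: Iterable[Factor]) -> float:
    """Conjunction: every factor must accept, so P(success) = prod(p_i),
    which is never higher than the strongest factor on its own."""
    success = 1.0
    for f in factors:
        success *= f.false_accept
    return success


def classify(policy_rate: float, single_factor_rate: float) -> str:
    """Label a combined policy against the single-factor baseline
    (the PIN-only login in the article)."""
    if policy_rate > single_factor_rate:
        return "below-one factor"          # easier to break than the PIN alone
    if policy_rate < single_factor_rate:
        return "stronger than one factor"
    return "equivalent to one factor"


def compare_policies(pin: Factor, biometric: Factor) -> dict:
    """Impostor success for PIN-only, OR-composition and AND-composition."""
    pin_only = pin.false_accept
    or_rate = impostor_success_or([pin, biometric])
    and_rate = impostor_success_and([pin, biometric])
    return {
        "pin_only": pin_only,
        "or": (or_rate, classify(or_rate, pin_only)),
        "and": (and_rate, classify(and_rate, pin_only)),
    }


# Constructed scenario 1: guessing a 4-digit PIN with 10 attempts before
# lockout (10 / 10_000), against a sensor with an assumed false-acceptance
# rate of 1 in 50,000 for a stranger's finger.
PIN_4_DIGIT = Factor("4-digit PIN, 10 tries", 10 / 10_000)
FINGERPRINT_STRANGER = Factor("fingerprint, stranger's finger", 1 / 50_000)

# Constructed scenario 2: the owner is asleep, unconscious or coerced and
# the owner's own finger is presented, so the biometric always accepts.
FINGERPRINT_OWNER_PRESENT = Factor("fingerprint, owner's finger presented", 1.0)


if __name__ == "__main__":
    for bio in (FINGERPRINT_STRANGER, FINGERPRINT_OWNER_PRESENT):
        r = compare_policies(PIN_4_DIGIT, bio)
        print(f"\n{PIN_4_DIGIT.name} + {bio.name}")
        print(f"  PIN only          : {r['pin_only']:.6f}")
        print(f"  OR  (fallback PIN): {r['or'][0]:.6f}  -> {r['or'][1]}")
        print(f"  AND (both needed) : {r['and'][0]:.8f}  -> {r['and'][1]}")
```

In the first scenario the OR policy is only marginally weaker than the PIN alone, but it is already “below-one” by the article's definition; in the second scenario it collapses to certain success, because the fallback PIN can no longer protect anything once the biometric entrance is open, while the AND policy still holds at the PIN-only rate.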
There is nothing wrong in saying that a house with two entrances is more convenient than a house with one entrance. But shouting “A house with two entrances is safer against burglars than a house with one entrance” would be just silly.
Similarly, there is nothing wrong with a biometric product operated with a fallback password when the product is offered as a tool for increasing convenience. However, it would be not just silly but unethical and antisocial to make, sell and recommend those products as a tool for increasing security.
This misconception is sadly supported and spread by a number of big businesses, leading financial institutions and government agencies, as well as not a few security professionals and globally known media. They are misled and in turn mislead others, with the chain of vicious cycles growing exponentially.
This is not an issue of the relative comparison between “good” and “better”, but the absolute judgment of “harmful” against “harmless”. Something must be done before such critical sectors as medicine, defense and law enforcement get contaminated in a horrible way.
As analysed above, authentication by biometrics comes with poorer security than PIN code/password-only authentication in most cases. A false sense of security is often worse than a lack of security. I would like to put forward the suggestions below.
– The vendors of those smart devices, if they are conscious of consumers' privacy and security, could tell consumers not to turn on the biometric functions.
– Consumers, who are concerned about their privacy and security, could refrain from activating those biometric backdoors.
– The deployment of biometric solutions could instead be recommended where consumers can accept “below-one” factor authentication in return for better convenience as the case may be.
March 30, 2016