We are working on the development of a banking app and for customers. We need to implement TouchID in Apple's iOS and a fingerprint check in Android.

Firstly, what are the possible security risks and considerations related to this technology? Secondly, how can I secure the app/use the technologies in a safe way?

Bob Ortiz
Kris
  • Remind your users to change their fingerprints at least once a month. – Jost Jun 20 '17 at 10:18
  • Never use biometric for remote access, you will probably change your mind when reading answers here : https://security.stackexchange.com/questions/144428/how-secure-is-a-fingerprint-sensor-versus-a-standard-password/144436#144436 – elsadek Jun 20 '17 at 12:16

4 Answers

The problem is that the server cannot store a hash of the fingerprint, because the fingerprint can come with slight variations that would give a completely different hash. And if your fingerprint is compromised (either by taking it from an object you have touched or directly from the server) you can hardly change it - ok, you can use up to ten fingers.

But a fingerprint can be a correct way to unlock a private key, because it becomes close to a 2FA authentication: something you have (the private key) and something you are (the fingerprint). And in case of compromise, you can always revoke the key. That means that to securely use fingerprint for authentication, you should combine it with X509 certificates.

Serge Ballesta
    I don't understand how unlocking a private key thanks to fingerprint is 2FA. You only provide a fingerprint to obtain the crown jewels. Maybe the term "unlocking" is what creates confusion, not sure :) – niilzon Jun 20 '17 at 08:26
  • @niilzon: You are right, it not really 2FA. Post edited – Serge Ballesta Jun 20 '17 at 09:59
  • Why could they not use another hashing algorithm like imagehash (https://github.com/jenssegers/imagehash) for the problem? – Thomas Jun 20 '17 at 11:27
  • @ThomasMoors: I assume you are speaking of perceptual hashing. First this has not the properties of cryptographic hashing and storing a perceptual hash will not be much different (on a security point of view) from storing the fingerprint itself. Next AFAIK it is still a work in progress... – Serge Ballesta Jun 20 '17 at 11:48
  • Or if you were one of the millions of Federal employees/contractors impacted by the OPM breach, all 10 of your fingerprints are possibly already in the hands of hackers. – Ogre Psalm33 Jun 20 '17 at 12:52
  • On iPhones, your fingerprint is verified inside the onboard Hardware Security Module. If successful, the API call made by whatever app into iOS itself returns success. At no point does the app or its server get any information about the fingerprint. – jacobbaer Jun 23 '17 at 04:24

The risk greatly depends on the type of fingerprint reader you have on your phone/laptop, on top of any software consideration.

http://www.androidauthority.com/how-fingerprint-scanners-work-670934/

According to that article, the most basic fingerprint scanner can be fooled just with an image of your fingerprints, the most advanced requiring something like 3D printing your fingerprint with high precision.

No matter what security you will put on your device, bear in mind that the kind of scanner your customer will use will greatly impact whether or not that kind of authentication will be secure.

Kaël

For TouchID, the fingerprint doesn't leave the phone (as stated by Apple when they introduced touchID).

The API is called LocalAuthentication and is relatively straightforward: https://developer.apple.com/documentation/localauthentication

This tutorial is also well explained: http://www.appcoda.com/touch-id-api-ios8/

As stated by the others, the issue resides in the fact that you can't change your fingerprint and that the verification is also not exact. Also, the fact that you cannot change your fingerprint can be a privacy issue.

Gp2mv3

Adding to the other answers: Never trust the client. If the fingerprint authentication is done on the device, remember that anyone can use a rooted or custom device which emulates a fake fingerprint reader that always matches everything.
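The two points above (Serge Ballesta's "the fingerprint unlocks a device-held private key" and this answer's "never trust the client") combine into one server-side design: the bank enrolls a per-device public key, challenges the device with a fresh nonce at login, and accepts the login only if the signature verifies. The following Go program is an added example written for this page, not code from any of the answers or from Apple/Google; the biometric gate is simulated by a constructed `biometricOK` callback, the key is a plain in-memory P-256 key standing in for one held in the Secure Enclave or Android Keystore, and the 60-second nonce lifetime and the `deviceID` binding are assumptions chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
	"time"
)

// challengeTTL bounds how long an issued nonce stays valid (assumed value).
const challengeTTL = 60 * time.Second

type pendingChallenge struct {
	nonce   []byte
	expires time.Time
}

// Server is the bank back end. It stores only the public key enrolled per
// device; it never sees a fingerprint and never trusts a "matched" flag.
type Server struct {
	mu      sync.Mutex
	keys    map[string]*ecdsa.PublicKey
	pending map[string]pendingChallenge
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, pending: map[string]pendingChallenge{}}
}

// Enroll records a device's public key (done once, inside an already
// authenticated session in a real deployment).
func (s *Server) Enroll(deviceID string, pub *ecdsa.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[deviceID] = pub
}

// NewChallenge issues a fresh random nonce for one login attempt.
func (s *Server) NewChallenge(deviceID string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.keys[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[deviceID] = pendingChallenge{nonce: nonce, expires: time.Now().Add(challengeTTL)}
	return nonce, nil
}

// digest binds the nonce to the device ID so a signature from one
// enrollment cannot be presented for another.
func digest(deviceID string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(deviceID+"|"), nonce...))
	return h[:]
}

// VerifyLogin accepts a login only if the signature over the outstanding,
// unexpired nonce verifies under the enrolled key. The nonce is consumed
// on first use, so a captured signature cannot be replayed.
func (s *Server) VerifyLogin(deviceID string, nonce, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	pub, ok := s.keys[deviceID]
	if !ok {
		return errors.New("unknown device")
	}
	ch, ok := s.pending[deviceID]
	delete(s.pending, deviceID) // single use, whether or not it verifies
	if !ok || !bytes.Equal(ch.nonce, nonce) {
		return errors.New("no matching outstanding challenge")
	}
	if time.Now().After(ch.expires) {
		return errors.New("challenge expired")
	}
	if !ecdsa.VerifyASN1(pub, digest(deviceID, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Device stands in for the phone: priv models the hardware-held key and
// biometricOK models the OS prompt (the app only learns pass/fail).
type Device struct {
	ID          string
	priv        *ecdsa.PrivateKey
	biometricOK func() bool
}

func NewDevice(id string, biometricOK func() bool) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv, biometricOK: biometricOK}, nil
}

func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// SignChallenge releases a signature only after the biometric gate passes.
func (d *Device) SignChallenge(nonce []byte) ([]byte, error) {
	if !d.biometricOK() {
		return nil, errors.New("biometric prompt failed or cancelled")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(d.ID, nonce))
}

// RunScenarios returns the outcome of a genuine login, a replay of that
// login, and a rooted device whose reader "matches everything" but does not
// hold the enrolled key.
func RunScenarios() (good, replay, fakeReader error) {
	srv := NewServer()
	phone, _ := NewDevice("phone-1", func() bool { return true })
	srv.Enroll(phone.ID, phone.PublicKey())

	nonce, _ := srv.NewChallenge(phone.ID)
	sig, _ := phone.SignChallenge(nonce)
	good = srv.VerifyLogin(phone.ID, nonce, sig)
	replay = srv.VerifyLogin(phone.ID, nonce, sig)

	rooted, _ := NewDevice("phone-1", func() bool { return true }) // different key
	nonce2, _ := srv.NewChallenge(phone.ID)
	sig2, _ := rooted.SignChallenge(nonce2)
	fakeReader = srv.VerifyLogin(phone.ID, nonce2, sig2)
	return
}

func main() {
	good, replay, fake := RunScenarios()
	fmt.Println("genuine login:", good, "| replay:", replay, "| fake reader:", fake)
}
```

The point the example makes is that the server's decision rests entirely on possession of the enrolled private key, which the biometric only unlocks; a tampered reader on a rooted device changes what the phone believes, not what the server can verify, and revoking a compromised device means deleting its public key rather than asking the user for a new finger.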