
I'm given a choice between two banks' authentication procedures and I need help choosing the most secure and convenient option.

Option "hardware token": Authentication into the web platform is done via username/password, but transactions are performed via a combination of a PIN and a one-time hardware token key.

Option "fingerprint": Authentication into the web platform is also done via username/password, but transactions are performed by authenticating into a software token app on the phone via a fingerprint and getting a one-time token key.

My understanding is that the hardware token option is more secure because phones and laptops nowadays can easily be infected with keylogging and other kinds of software to eavesdrop on my passwords. However, the fingerprint authentication is a biometric form of authentication and as far as I know can only be spoofed with a physical fingerprint and not software, thus possibly providing the same level of security.

Another weak point could possibly be the risk of stealing the software token's seed.

What do you think I should choose? Is hardware token still the way to go or is biometric identification a sane alternative in my scenario?

Vladimir
    Would you prefer your token key to be stolen, or your finger? ;-) – Toby Speight Nov 15 '17 at 14:30
    A hardware token that stores a site's cert or key (like U2F) is not phishable, whereas a TOTP one is. Also, you can't change your fingerprint when it gets stolen – Neil McGuigan Nov 15 '17 at 20:11
  • You need to provide more details. How does the hw token work? Is it just stream of time-based password, challenge-response codes, or usb token plugged to the client computer? How does the app work? Does it provide info about what are you authorizing? Does it work online, offline or anything inbetween? Can it use other measures with addition to the fingerprint? is it based on push services, SMS? – Agent_L Nov 16 '17 at 10:28
  • Compromise of fingerprint will put certain things into question for bank to avoid covering your losses. Were you using jailbroken/rooted device at the time? Did you have any malware on your phone? Was exploit because of the OS providers’ API? Shortly it is easier for them not to pay you or investigate longer to avoid paying you. You wouldn’t want to go through that. If your hardware token alone is physically stolen, that is not a problem provided they don’t have your password. If any bank’s hardware token was cracked, that would be worldwide news. I would love to know more if it was ever done. –  Nov 20 '17 at 05:13

5 Answers


Short version: I'd go for the hardware token.

Long version: First things first: People have proven that it is possible to tamper with fingerprints in multiple ways. Probably the most common way is to recreate it from a fingerprint with a printer, but there are more options. You can see some of them in the article 7 ways to beat fingerprint biometrics. There is a lot more than that though.

But HW tokens have also been proven "crackable". It's a little hard to tell from the little information we have. It really depends on the token. The much more important bit in this consideration (at least for me) is this: If your HW token's seed gets stolen, you can change it. In case your fingerprint (or its digital representation) becomes publicly available, your options are pretty limited.

If it really uses the fingerprint to authenticate at the system this should be your consideration. But if this is used on your phone it might just really be a token that is in your phone and secured by the OS using the fingerprint reader to replace the password. In this case your phone is your HW token but it has no proper read protected memory such as the token (should have). In this case: I'd go for the HW token as well.

Ben
    The fingerprint isn't the token - it's impossible for it to be using modern technology. The actual fingerprint can't even be read directly by an app on iOS. The token is downloaded to the application on setup (when users have to enter full credentials and often a one-time code from the bank). It is stored in the OS keychain encrypted with the user's credentials until the app requests it - which prompts the OS to ask the user to authenticate with their fingerprint. – Hector Nov 15 '17 at 10:41
  • That is exactly what I thought but wanted to leave it open just in case they were using some crazy "We-built-our-own-but-its-android-only"-solution. – Ben Nov 15 '17 at 10:52
  • If they use the fingerprint directly to generate the token then any app with access to the fingerprint reader / anyone with an image of the fingerprint could construct the token from it. Considering how frequent password reuse is any bank that did this would be inundated with fraudulent transactions very quickly. – Hector Nov 15 '17 at 10:56
    +1 for "you can't change your fingerprint, if stolen". – Mike Ounsworth Nov 15 '17 at 14:59
    @MikeOunsworth - although you've got 10 of them to cycle through before you start getting inventive with what other body parts will scan ;) – Hector Nov 15 '17 at 15:01
    @Hector Not sure whether to upvote or flag... :P – Mike Ounsworth Nov 15 '17 at 15:02
    @MikeOunsworth I don't think there's anything flag-worthy about resorting to toeprints – Sabre Nov 15 '17 at 19:49
  • The hardware token is very basic. It just generates a one-time password which is then entered together with a PIN into the online banking. Maybe it's wrong, but I'm more concerned with online attacks than those to do with physically stealing a token or phone. – Vladimir Nov 16 '17 at 15:44

The fingerprint doesn't directly protect the token (it can't - we to date have no reliable way to consistently scan a fingerprint). The OS encrypts the token with your credentials. An API call into the OS allows applications to request the token which forces the user to re-authenticate.

So the risks on the mobile application come down to -

  • How much do you trust the operating system on your device?
  • (Related to the above) How much do you trust the sandboxing on the device to stop applications reading each other's memory space?
  • How much do you trust the application not to place the token anywhere accessible to other applications?
  • How much do you trust the fingerprinting mechanisms to stop the phone/app being cloned? (Personally I would view this as close to zero.)

You also need to weigh this against how high the risk is. I.e. were the app mass exploitable, would the bank cover losses? And are you a high-risk target (for example, a billionaire probably has a higher attack risk than average Joe)?

For the vast majority of users I would argue the app when paired with a strong unique password should be viewed as secure enough. Were the app to be compromised the bank would likely take the hit and refund clients.

A hardware token in theory should be more secure - it's effectively an air-gapped system. For a private/public key system the private key never has to leave the device. However, there have been historical issues with manufacturers' design decisions and implementations.

Hector
  • Both top answers were helpful but this one gave the most insight into the factors affecting the decision. – Vladimir Nov 16 '17 at 15:58

No option is inherently better than the other.

  • The phone token is vulnerable to malicious apps on your phone, but it can secure the whole process.

  • The hardware token is pretty invulnerable itself, but the whole chain usually remains unsecured against phishing, MitM attacks and malicious apps on your PC/browser.

While the hardware token itself is secure, the problem is that typically it doesn't tell you what kind of operation you're authorizing. It's very easy for an attacker to trick the user into generating an OTP for him. That was a pretty common attack on hardware-token-secured banking a few years ago; the major hole was requiring an OTP for login - it was trivial to exploit by falsely claiming that the first attempt was wrong. IF the software token provides key information about the operation being authorized, this risk is eliminated.

So the question rather boils down to "what part of the chain is easier to secure?" If you're sure about the security of your computer with browser, its connection to the bank and (most importantly) your vigilance against phishing, then the hardware token is better. If you don't install apps from untrusted sources, then the phone is probably easier to secure.

If the mobile token works offline (based on challenge-response codes) and you can dedicate a phone that's permanently offline after activating token app (airgap), it's by far the most secure solution (albeit most cumbersome).

A fingerprint is not the best security-wise. A correctly implemented password or PIN would be more secure. But if the data is stored properly in the phone's hardware secure enclave, it's good enough.

Basically, both options can be implemented right or wrong.

Agent_L
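As an added example (not code from any of the answers) of the distinction Agent_L draws between an OTP that merely proves "someone pressed the button" and one that carries the transaction details: a plain RFC 4226 HOTP beside a constructed transaction-bound variant, with a bank-side check showing why only the bound code refuses a substituted payee. The seed, payee names and the `payee|amount` message layout are illustrative assumptions, not any bank's format.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token's seed is provisioned at setup and never leaves the device.
DEMO_SEED = b"constructed-demo-seed-do-not-reuse"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at an offset given by the last nibble of the MAC."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Plain event-based OTP (RFC 4226): depends only on seed and counter, not on what is authorized."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(seed: bytes, counter: int, payee: str, amount_cents: int, digits: int = 6) -> str:
    """Transaction-bound OTP (assumed layout): the MAC also covers the payee and amount the device showed."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


def bank_accepts_plain(seed: bytes, counter: int, submitted: str) -> bool:
    return hmac.compare_digest(hotp(seed, counter), submitted)


def bank_accepts_bound(seed: bytes, counter: int, payee: str, amount_cents: int, submitted: str) -> bool:
    return hmac.compare_digest(transaction_code(seed, counter, payee, amount_cents), submitted)


def demo(counter: int = 7):
    """User confirms a 50.00 payment to IBAN-ALICE; a tampered browser session submits IBAN-MALLORY."""
    intended = ("IBAN-ALICE", 5000)
    substituted = ("IBAN-MALLORY", 5000)
    # Plain OTP: the bank cannot tell which payee the user saw, so the code is accepted regardless.
    plain_accepted = bank_accepts_plain(DEMO_SEED, counter, hotp(DEMO_SEED, counter))
    # Bound OTP: computed over the details confirmed on the device, so a swapped payee fails.
    bound = transaction_code(DEMO_SEED, counter, *intended)
    bound_rejects_substituted = not bank_accepts_bound(DEMO_SEED, counter, *substituted, bound)
    bound_accepts_intended = bank_accepts_bound(DEMO_SEED, counter, *intended, bound)
    return plain_accepted, bound_rejects_substituted, bound_accepts_intended
```

The bound scheme only helps if the device itself displays the payee and amount before producing the code; a code computed over details the phone or browser supplied silently gives no more assurance than the plain HOTP.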

For this multi-factor authentication I would choose the fingerprint option, for the ease of use (you don't have a thing that you might misplace). This is assuming that, as the bank is offering both, they believe them to both provide adequate security and would provide insurance for a successful attack on either. I don't think a biometric finger scanner app is as secure as a hardware token, as there exist online attacks if the mobile is compromised, for example. The hardware token would have to be physically stolen from you for any attack that I am aware of (as another answer pointed out, it should provide an air gap between the internet and the secret it contains).

Also with the fingerprint option you still have the chance of this happening. It's an old story but it still gives me chills.

daniel
    "believe them to be equally secure" - this is not necessarily true. What they believe is that both are secure enough. "a biometric finger scanner app could probably be simulated by some computer online" - the fingerprint only authenticates you to the OS which stores the token in an encrypted key-chain. If you could extract this token you could do anything the app could. – Hector Nov 15 '17 at 10:39
  • I won't downvote, but since fingerprint scanners provide next to no security (you can use a fingerprint lifted from the screen to spoof it), recommending someone use it is a little inappropriate for a security forum. – Mike Ounsworth Nov 15 '17 at 14:59

It's actually a very easy choice.

Hardware token: You can lose it, or it can get stolen. But if that happens, it can be replaced.

Fingerprint: Very unlikely to lose, unlikely to be stolen. Can be copied without you noticing. Cannot be replaced.

Security is always relative. Today this one is more secure, tomorrow someone discovers a new attack on it. But the basic facts don't change.

If you do all or almost all your banking from home, where you can keep the hardware token safe, take that. If you do a lot of it on the road or from various places, the ease and convenience of the fingerprint wins out. This is fine IMHO from a security POV because with the fingerprint alone nobody can steal your money (still would need the username/password combo). Fingerprint alone I wouldn't consider very secure.

Tom
  • Although I would think in the same way you replace a lost/stolen hardware token, you can switch from a fingerprint to a hardware token. So if the fingerprint were less likely to be lost/stolen then why not wait until that happens and then switch to the more likely to lose hardware? – DasBeasto Nov 15 '17 at 15:54
  • Because if your fingerprint gets copied, you will most likely not notice. The absence of a hardware token, you will. The scenario that your actual finger gets stolen/cut actually happened a few times, but it's not exactly a common or realistic scenario. – Tom Nov 15 '17 at 18:32
  • Not really relevant in this case because if somebody has access to the fingerprint, that won't give them access to the bank account. To access the bank account, they need a secret key which is held by the phone and which the software on the phone only discloses if somebody presents the fingerprint, if the software has a bug or if somebody manages to extract the key from the phone (which may be more or less difficult depending on the technology used). – Gilles 'SO- stop being evil' Nov 15 '17 at 20:46
  • Don't law enforcement forensic teams copy fingerprints all the time? – Kenneth K. Nov 15 '17 at 23:12