Why fingers make handy, if not foolproof, digital keys
In their rush to do away with problematic passwords, Apple, Microsoft and other tech companies are nudging consumers to use their own fingerprints, faces and eyes as digital keys.
Smartphones and other devices increasingly feature scanners that can verify your identity with these “biometric” signatures in order to unlock a gadget, sign into Web accounts and authorize electronic payments.
No security systems are perfect, said Anil Jain, a computer science professor at Michigan State University who helped police unlock a smartphone by using a digitally enhanced ink copy of the owner’s fingerprints.
Apple’s iPhone 5S, released in 2013, introduced fingerprint scanners to a mass audience, and rival phone makers quickly followed suit.
Jain and two associates made a digital copy of the prints, enhanced them and then printed them out with special ink that mimics the conductive properties of human skin.
Researchers at the University of North Carolina, meanwhile, fooled some commercial face-detection systems by using photos they found on the social media accounts of test subjects.
To make such theft more difficult, biometric-equipped phones and computers typically encrypt fingerprints and similar data and store them locally, not in the cloud, where hackers might lift them from company servers.
Or it might be stored in a different database; Jain pointed to the 2015 computer breach at the federal Office of Personnel Management, which compromised the files — including fingerprints — of millions of federal employees.
U.S. courts have ruled that authorities can’t legally require individuals to give up their passwords, since the Fifth Amendment says you can’t be forced to testify or provide incriminating information against yourself.
There’s a legal distinction between something you know, like a password, and something you possess, like a physical key or a fingerprint, said Marcia Hofmann, a San Francisco attorney who specializes in privacy and computer security.
“It’s bringing secure authentication to the masses,” said Joseph Lorenzo Hall, a tech policy expert at the nonprofit Center for Democracy and Technology.