Android OEMs Say “Me Too” to Fingerprint Scanners, to Share Data Via Cloud

It took hackers a short weekend to circumvent the fingerprint sensor unlock mechanism on Apple, Inc.’s (AAPL) new iPhone 5S smartphone.  The rapid breach of the new feature — which Apple came by via its acquisition of touch-security firm Authentec, Inc. in 2012 — was an embarrassing, to say the least.  Prior to the hack Apple had made the sensor out to be a hacker-proof security solution, with marketing SVP Phil Schiller boldly billing it as “a simple and secure way to unlock your phone with just a touch of your finger.”

I. FIDO — An Alternative to Touch ID?

But despite that lesson in the inherent insecurity of today’s flawed biometric security solutions, it appears that some OEMs who use Google Inc.’s (GOOG) Android operating system are eager to get their fingers on fingerprint scanners of their own.

A group call the Fast IDentity Online Alliance (FIDO Alliance) has compiled 48 top tech companies who look to role out a comprehensive standard for mobile fingerprint security, which will allow users to not only unlock their devices and access marketplaces (as Apple’s Touch ID allows), but also connect to secure Wi-Fi and authenticate into web portals via a fingerprint scan.

Apple’s fingerprint sensor has intrigued the public — and Android rivals. [Image Source: Apple]
The FIDO Alliance include Google itself, as well as two top Android phonemakers — the Lenovo Group, Ltd. (HKG:0992) and LG Electronics, Inc. (KSC:066570).  Embattled Canadian phonemaker BlackBerry, Ltd. (TSE:BB) is also a member.

II. Cloud Era Two-Factor Authentication Sounds Good, on Paper at Least

One promising thing is that the FIDO Alliance’s technical outline suggests that members aren’t looking to use fingerprint scans for single-factor authentication, as Apple’s Touch ID is.  That’s perhaps one of the reasons why Apple’s Touch ID has not yet been deemed secure enough to receive FIDO certification (although it’s unclear whether Apple wants it).

In an interview with USA Today, FIDO Alliance president Michael Barrett states:
The intention of FIDO is absolutely that it will allow consumers to have access to mobile services that they can use with very low friction, while keeping good security.  That’s explicitly what we want to build.

Our view is that it’s possible Apple might choose to start using FIDO, but that’s probably a couple of years out.

It’s possible that future Android smartphones could still prompt users for a PIN — a short numeric password — while using a fingerprint scan as a second factor to enhance security.  Such an approach could mitigate much of the criticisms against Touch ID, but it also falls short of the one-touch solution Apple is promising.  It’s possible that some Android phonemakers may be tempted to implement similar one-touch solutions, even if it appears infeasible to implement such a solution a truly secure manner.

On the other hand, some security is better than none.  Incredibly, Apple claimed that its internal usage data showed that nearly half of users didn’t password protect their phones.  Fingerprint scanners may be an imperfect solution that can be circumvented by a motivated, technically skilled hacker — and can expose your device to easy access by law enforcement — but they do provide a degree of security against unskilled members of the public.

Further, the FIDO standard is aiming to allow for a broad set of biometrics-based authentication mechanisms, including retina identification, facial recognition and more.

III. But is the NSA Spying On Your Prints?

Android’s fingerprint sensors are expected to roll out in early-to-mid 2014.  The FIDO Alliance is tapping a Silicon Valley startup named Nok Nok Labs to handle the server traffic for authentication of fingerprints.  Phil Dunkelberger, CEO of Nok Nok Lab, “We didn’t create the current authentication mess overnight, so it’s going to take us a while to fix it.  We need to educate the marketplace that it is possible to make things more secure for business and easier for consumers, while still ensuring that legitimate privacy concerns are respected.”

Apple stores data locally, which perhaps limits its utility, but makes it safer from prying government eyes. [Image Source: Apple]
But while the potential for two-factor authentication and a broader set of compatible services sounds like a good thing, this cloud-based approach brings new, serious downsides.  Most notably, given recent revelations that the U.S. National Security Agency (NSA) regularly seizes much of the world’s internet traffic — frequently even illegally inspecting the communications of Americans — such efforts will likely be perceived by a degree of cynicism.  After all, Touch ID may be imperfect, but at least it’s local and doesn’t pass a copy of your fingerprint to an NSA databases (at least not that we know of).  

Some fear fingerprint authentication will become yet another treasure in the NSA’s data trove.
[Image Source: The People’s Cube]   Such thoughts aren’t paranoia — the NSA has reportedly demanded master encryption keys from most top tech firms.  Additionally, the agency allegedly spent $250M USD to weaken global encryption — making it easier to seize sensitive data — such as fingerprint passwords.  In other words, there’s no free lunch when it comes to biometrics as the mobile industry’s top minds try to balance security, utility, and privacy concerns.