Archer

Got a security question? We’ll answer!

In our live Facebook Ask Archer show, a crew member asked, “Should I use a thumbprint or a passcode for my phone?”

Thumbprint or Passcode?

We turn to Patrick Miller of Archer International — Archer News Network’s parent company — for answers.

“I use both,” he said. “But I use them in different circumstances.”

The thumbprint is convenient and not susceptible to shoulder surfing.

It could keep your kids out of your phone, as well as a nosy stranger.

“It’s fairly secure and it’s not that easy to hack,” he said. “It’s harder to hack than someone looking over your shoulder and watching you type in your passcode.”

But the thumbprint may not protect you in every case.

 

Researchers at New York University created a phone app with a false keyboard image to prevent shoulder surfing. Image: NYU

 

Less Legal Protection

The courts are looking at whether you could be forced to open your phone for law enforcement using your thumbprint.

Generally, you don’t have to give up your numerical passcode to law enforcement. 

“The PIN code is a piece of information that could basically violate your rights for volunteering information that would incriminate you,” Miller explained.

But your thumbprint may not count as information that would incriminate you.

“That’s really simplified,” Miller said. “But the reality is, you can be forced by law enforcement to open your phone with a thumbprint. Where you won’t be — or legally they can’t force you, so far, in most cases, to unlock your phone with a PIN code.”

Some people turn off their thumbprint when they travel internationally to avoid any issues at the border.

“Once I’m back through customs and I’m back in the airport after all the nonsense, I get my bags and I turn it back over to thumbprint for convenience,” he said.

“I use both. It just depends on the circumstances,” he reiterated.

 

Some people turn off their phone thumbprint capability when going through airport security. Image: Djedj

 

How It Works

Your thumbprint is converted into numbers and characters, like your password, only longer.

“What they typically do is they measure points,” explained Miller. “They map the 8 to 16 to 20 points on the fingerprint and all of those points have to match.” 

“So, they’re still using a password. They’re just using a biometric component to generate that password,” he added.

“The technical term is called hashing, but we won’t get into that. There’s a lot of math and really big equations that are very frightening for most people,” he said. “So, suffice it to say they take that picture, they turn it into a string of numbers, and the numbers have to match with the picture generated again.”

 

Scanners find unique points in your fingerprint and convert them into digital form. Image: Ar130405

 

Security

Some phones allow other biometric options, like a face scan or a retina scan.

How secure are they?

“They are more secure than passwords because it’s a lot easier to use,” Miller said.

But they are not foolproof.

All of them, from the fingerprint to the iris scan, have been hacked.

And once you use your body print or scan, other people can have access to it.

Miller is concerned that companies working with your biometrics may not always protect them properly, for example, when they obfuscate or anonymize or encrypt your biometric data.

If they don’t do a good job, your biometrics could be vulnerable.

 

Some phones allow you to unlock using face recognition or other biometrics. Image credit: iStock

 

Body Parts

“If I ‘knock over’ a database, are there literally body parts, scanned body parts, in a database so that someone could reuse your fingerprint against you?” he asked.

After a data breach, you can change your password, but not your fingerprint or other body parts.

For now, your fingerprint may still be the safer route, especially for people who have no passcode at all on their phone because they believe it’s inconvenient.

“It’s actually much easier and it’s much more secure,” Miller said. “We just have to make sure that the vendors who were using those are using them in the right way.”

 
