Fingerprint security convenient, but not flawless

Barcelona, Spain: Samsung's upcoming Galaxy S5 smartphone will be at least the third to have a fingerprint sensor for security but it's alone in letting you use that for general shopping, thanks to a partnership

Are you really getting security?

That depends.

It's more secure than not locking your phone with a passcode at all. It's also more secure than using a four-digit passcode, as there's a greater chance of guessing a passcode than the particular hash used. But there's never a guarantee.

Shortly after Apple started selling the iPhone 5s, a German hacking group said it managed to bypass the fingerprint system by using a household printer and some wood glue to create an artificial copy of a genuine fingerprint.

The group said the fingerprint ID system was easy to trick, though it's not something easily pulled off in the real world. You need to have that specific phone and the fingerprint, for one thing. And then you compromise only that one phone.

Security experts point out that once a finger's compromised, you can't replace it the way you can a passcode. That doesn't mean someone can use an S5 breach to unlock an iPhone, though, as the hash formulas used are typically proprietary and kept secret.

But it's not a threat to take lightly, either.

"Biometrics work very well for identifying something, but whether you can use it for authentication or not depends on the implementation," says Jeremy Bennett, chief mobile architect for Intel Corp.'s security business, McAfee.

He prefers dual security - using the fingerprint with something else, such as a passcode.

Should you use it?

PayPal officials point out that behind the scenes, it's still performing the usual anti-fraud checks. If the account is used to buy a television in California just five minutes after you buy coffee in New York, it'll suspect something is up.
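The kind of check described above is often called an impossible-travel or geo-velocity check. The following is an added example, not PayPal's code: the speed and distance thresholds, the field names and the sample transactions are all assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed
MIN_KM = 50.0    # assumed floor, ignores short hops and geolocation jitter

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def flag_impossible_travel(txns):
    """Return (earlier_id, later_id, km, implied_kmh) for suspicious pairs.

    Each transaction is compared with the previous one on the same account.
    """
    flagged, last_seen = [], {}
    for t in sorted(txns, key=lambda t: datetime.fromisoformat(t["time"])):
        prev = last_seen.get(t["account"])
        last_seen[t["account"]] = t
        if prev is None:
            continue  # first purchase seen for this account
        km = haversine_km(prev["lat"], prev["lon"], t["lat"], t["lon"])
        if km < MIN_KM:
            continue  # same metro area, nothing to infer
        delta = datetime.fromisoformat(t["time"]) - datetime.fromisoformat(prev["time"])
        hours = delta.total_seconds() / 3600
        # Identical timestamps far apart are treated as infinitely fast.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > MAX_KMH:
            flagged.append((prev["id"], t["id"], round(km), kmh))
    return flagged

# Constructed sample transactions (not real data).
NY, LA, NEWARK = (40.7128, -74.0060), (34.0522, -118.2437), (40.7357, -74.1724)
SAMPLE = [
    {"id": "t1", "account": "alice", "time": "2024-01-01T09:00:00", "lat": NY[0], "lon": NY[1]},
    {"id": "t2", "account": "alice", "time": "2024-01-01T09:05:00", "lat": LA[0], "lon": LA[1]},
    {"id": "t3", "account": "bob", "time": "2024-01-01T09:00:00", "lat": NY[0], "lon": NY[1]},
    {"id": "t4", "account": "bob", "time": "2024-01-01T17:00:00", "lat": LA[0], "lon": LA[1]},
    {"id": "t5", "account": "carol", "time": "2024-01-01T09:00:00", "lat": NY[0], "lon": NY[1]},
    {"id": "t6", "account": "carol", "time": "2024-01-01T09:02:00", "lat": NEWARK[0], "lon": NEWARK[1]},
]

if __name__ == "__main__":
    for earlier, later, km, kmh in flag_impossible_travel(SAMPLE):
        print(f"{earlier} -> {later}: {km} km at {kmh:,.0f} km/h implied")
```

Only the New York to Los Angeles pair five minutes apart is flagged; the same trip over eight hours and the short hop to Newark pass.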

If the phone is lost or stolen, or your fingerprint is somehow compromised, you can contact PayPal to de-register that device from future use.

Drew Blackard, director of U.S. product planning at Samsung Electronics Co., says other forms of authentication have their flaws, too. Android phones let you swipe a pattern on the screen in lieu of a passcode, but Blackard points out it's possible to guess the pattern by examining the screen for smudges.

It's not bulletproof security, but it's more secure than existing methods, he says.

Despite the risks, Bennett says he sees potential.

"If it results in more people locking their phone," he says, "it improves security."
