Biometric and non-biometric: What's the difference?
The term biometric refers to biological data, which can be anything from something as accessible as a fingerprint to something as intimate as genetic data. For our present purposes, though, assume I'm referring to biometric authentication: the use of biological characteristics to verify your identity. The simplest and most straightforward definition is that when you're using a biometric form of mobile security, you are your password.
For a smartphone, it works like this: when you set up biometric security, you begin by providing a biological sample that is digitized and stored as read-only information on the device. Storing it as read-only data leaves much less potential for the biometric reading to be compromised, which is what makes it reliable despite the fact that it exists as raw data on an extremely fallible device. When you need to gain access to the device, you provide another biological sample that is checked against the sample stored initially. If the samples match, you've proven your identity and gain access; if your sample doesn't match what's stored, you've failed to verify your identity and are denied.
Non-biometric authentication equates to the use of a password, PIN, or pattern as a means of verifying your identity. Our digital lives have been ruled by passwords until only very recently. We've grown accustomed to using them to secure our Facebook and Twitter accounts, our Gmail and Yahoo mailboxes, our Amazon accounts and even our online banking. On paper at least, these non-biometric forms of authentication are considered much less secure, but are their biometric counterparts actually infallible?
"The password you've entered is incorrect."
I'm sure the question has occurred to you at some point over the course of your smartphone tenure: What's so wrong with using a password?
As mentioned above, there is a finite number of different passwords that any of us can use. Of course, the likelihood that a stranger would be able to arbitrarily guess your password is extremely small. However, if the perpetrator is someone you know, and if you've chosen a password that's somehow related to you or your life, that person has a much better chance of overcoming your device's security. In fact, the potential to be hacked by a loved one is one of the biggest factors when it comes to choosing the right security method for your device, and that's a point we'll come back to in a moment.
But what about the capital letters and special characters I'm required to include in my password? Doesn't that make my device more secure? Actually, no.
If the man who's responsible for all those guidelines that are supposed to make our passwords more secure is to be believed, including the capital letters and numbers and special characters doesn't actually make your password more secure. That guy's name is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST).
In 2003, Burr created an eight-page guide that would go on to inform the password-creation guidelines by which we're forced to abide today. But Burr recently came clean and admitted that he had a very poor understanding of how passwords actually worked at the time, and he's very sorry that his misguided treatise is the reason we must make these unnecessarily complicated passwords that don't make our devices or accounts any more secure.
We now know that using a string of simple and unrelated words is actually more secure than using a shorter password in which there is a mix of upper- and lowercase letters, numbers, and special characters. There's a well-known comic strip that explains it best, illustrating how a computer would take 550 years (at 1,000 guesses per minute) to figure out a password consisting of four simple words like "correcthorsebatterystaple", while something like "Tr0ub4dor&3" would take just three days at the same rate.
You are the password
A capacitive fingerprint sensor consists of lots of tiny, tightly packed capacitors that are extremely sensitive to changes in electric charge. When you place your finger on the sensor, it creates a virtual image of your fingerprint by inferring the pattern from the different levels of charge between the ridges and valleys of your print. While something like an optical fingerprint scanner can be fooled with a high-resolution photo of your fingerprint, capacitive scanners are more secure because they measure the actual physical structure of your fingerprint. As such, using your fingerprint to secure your device is probably going to be the most secure method available to you. But how secure is it really?
Truth be told, we aren't yet certain how secure fingerprint authentication actually is. Of course, there are estimates, including Apple's estimate of a 1-in-50,000 chance of a false match on a smartphone with just one fingerprint registered. If all ten fingerprints are registered (which isn't recommended), the chance of a false match increases to 1-in-5,000.
Google hasn't released any estimates regarding the reliability of fingerprint sensors for securing Android devices. Professor Rogers mentioned that, while the base hardware and software are often very solid, OEMs can make major changes to the algorithms as the Android operating system passes through numerous hands between the implementation of biometric security at Google and the launch of a mobile device with biometric sensors. As Rogers put it simply, the algorithms that facilitate biometric security have to "deal with lots of different humans."
So is biometric authentication better than using a password? For the sake of example, let's pretend we're hackers and we want to hack someone's phone. We know this particular phone requires an eight-character password that can include upper- and lower-case letters, numbers, punctuation, and special characters, and it must have at least one of each. If we do some mathematical gymnastics, there are 3.026 × 10^15 possible password combinations. So which is statistically more likely, a false positive from a fingerprint sensor or figuring out the correct password?
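To make the "mathematical gymnastics" concrete, here is an added example (not from the original article) that counts the passwords allowed by the policy above using inclusion-exclusion and sets the per-attempt odds of a random guess against Apple's 1-in-50,000 fingerprint false-match estimate. The character-class sizes (26 upper, 26 lower, 10 digits, 33 punctuation/special) are an assumption of the example; they reproduce the article's 3.026 × 10^15.

```python
from itertools import combinations
from math import ceil, log, log1p

# Assumed class sizes for the eight-character policy: printable ASCII split
# into upper, lower, digits and punctuation/special characters.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}

# Apple's estimate quoted in the text: 1-in-50,000 false match, one finger enrolled.
FINGERPRINT_FALSE_MATCH_RATE = 1 / 50_000


def constrained_password_count(length, classes=CLASSES):
    """Number of strings of `length` characters over the union of the classes
    that contain at least one character from EVERY class.

    Inclusion-exclusion: all strings, minus those missing one class, plus
    those missing two classes, minus those missing three, and so on.
    """
    alphabet = sum(classes.values())
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for omitted in combinations(names, k):
            remaining = alphabet - sum(classes[n] for n in omitted)
            total += (-1) ** k * remaining ** length
    return total


def odds_ratio_fingerprint_vs_password(length=8):
    """How many times more likely one fingerprint presentation is to be falsely
    accepted than one uniformly random password guess is to be correct."""
    guess_success = 1 / constrained_password_count(length)
    return FINGERPRINT_FALSE_MATCH_RATE / guess_success


def attempts_for_success_probability(p_per_attempt, target=0.5):
    """Independent attempts needed before the chance of at least one success
    reaches `target`. log1p keeps the result accurate for tiny probabilities."""
    return ceil(log(1 - target) / log1p(-p_per_attempt))


if __name__ == "__main__":
    n = constrained_password_count(8)
    print(f"valid 8-char passwords: {n:.3e}")
    print(f"fingerprint false match is {odds_ratio_fingerprint_vs_password():.2e}x "
          "more likely per attempt than a random password guess")
    print("attempts for a 50% chance, fingerprint:",
          attempts_for_success_probability(FINGERPRINT_FALSE_MATCH_RATE))
    print("attempts for a 50% chance, password:   ",
          attempts_for_success_probability(1 / n))
```

The per-attempt comparison is the one the article asks about; in practice the attempt budget on a real phone is capped by lockouts, which is why the ratio alone does not settle the question.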