I recently returned from the AFCEA Defensive Cyber Operations Symposium where one of the main topics was Assured Identity, particularly as it pertains to Mobility. The DoD’s Public Key Infrastructure (PKI) is well established as is the use of two-factor authentication via a Common Access Card (CAC). However, with the proliferation of mobile devices, CAC readers have gone out of favor.
The DoD has been searching for other methods of ensuring two-factor authentication including Derived Credentials but smartphones’ use of software encryption precludes the use of Derived Credentials with certain types of information (NIST 800-157). There has also been research at organizations including DARPA into alternate forms of authentication like the way a user walks or the way they type on a keypad (i.e., Behavioral Biometrics). These technologies are still being tested and the method of securely transmitting the information to a smartphone (e.g., Bluetooth) has not yet been determined.
But what about standard Biometric authentication, like fingerprint recognition, which was just highlighted in President Obama’s Cybersecurity National Action Plan, and is already included in many smartphones? Indeed, I recently reviewed a solicitation that included a requirement for user authentication via an Apple device’s Touch ID. As with every security related solicitation TELEGRID engineers cross referenced the requirements against the Security Technical Implementation Guides (STIGs). In this case we found that Apple’s Touch ID cannot be used and must be disabled because, according to the Apple iOS 9 Interim STIG, “Many mobile devices now permit a user to unlock the user’s device by presenting a fingerprint to an embedded fingerprint reader….they are significant potential vulnerabilities to DoD information and information systems. Disabling them mitigates the risk of their use.”
We all know fingerprints can be “lifted” (we have all seen CSI) but I always thought it was an extremely difficult task considering that fingerprints can easily be smudged and iOS has security features in place to prevent multiple incorrect attempts. But, then I found this article from 2014 about a security conference where a hacker named Starbug displayed copies of German Defense Minister Ursula von der Leyen’s fingerprint. The reason the name Starbug might ring a bell is that he was also the person who hacked the Touch ID within 24 hours of its release. The amazing thing about this effort was that the hacker copied the fingerprint from high resolution photographs of the Defense Minister. Starbug did not even need to be near the Defense Minister to copy her fingerprints.
Now we understand the investment in Behavioral Biometrics and the potential they have for securing two-factor authentication. Until they are approved, however, I will continue to use my wedding anniversary date as my password because, if I can’t remember it, what are the chances of a hacker stealing it?
Interesting side note: I came across this court case when I was doing research for this post. I did not know how to include it but thought it was worth a mention. In 2014 a Virginia court found that the police can force you to surrender your fingerprints in order to unlock your phone. According to Judge Frucci, a fingerprint is physical and therefore is like your DNA, which must be provided, as opposed to a memorized password pin which does not have to be provided since it falls under your Fifth Amendment right to avoid self-incrimination.
Eric Sharret is Vice President of Business Development at TELEGRID.
Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.