Based on the generalization that technology becomes more advanced over time, it’s likely that many of us just assume our devices are becoming more secure too. After all, we’re constantly buying the latest devices and receiving software updates, which are supposedly patching vulnerabilities like putting caulk around a leaky faucet. However, it sometimes feels like our devices are as vulnerable as ever. We may have hoped that cyber security would become more robust and impenetrable as consumer tech progressed, but in spite of how advanced our mobile tech has gotten, it might actually be getting easier for hackers to exploit the inevitable security weaknesses in our mobile devices. Keep this in the back of your mind as we proceed.
Whether or not you care about the minutiae of mobile security, it’s likely that you care about your privacy, and that leads us into the topic of this article: biometric vs. non-biometric security. In particular, what is the best method of locking your mobile device?
Biometric and non-biometric: What’s the difference?
By definition, the term biometric refers to biological data, which can be something as accessible as a fingerprint or as intense as genetic data. However, for our present purposes, you should assume that I’m referring to biometric authentication, which is the use of a person’s biological characteristics to verify his or her identity. But the simplest and most straightforward definition is that when you’re using a biometric form of mobile security, you are your password.
For a smartphone, it works like this: when you setup biometric security, you begin by first providing a biological sample that is digitized and stored as read-only information on the device. As you might have guessed, it’s stored as read-only so it prevents the information from being modified or compromised, which is what makes it reliable despite the fact that it exists as raw data somewhere on an extremely fallible device. And when you need to gain access to the device, you have to provide another biological sample that is checked against the sample that was stored initially. If the samples match, you’ve proven your identity and gain access, but if your sample doesn’t match what’s stored, you’ve been unable to verify your identity and, therefore, get denied.
Non-biometric authentication equates to the use of a password, PIN number, or pattern as a means of verifying your identity. Our digital lives have been ruled by passwords until only very recently. We’ve grown accustomed to using them to secure our Facebook and Twitter accounts, our Gmails and Yahoos, our Amazon accounts and even our online banking. On paper at least, these non-biometric forms of authentication are considered much less secure, but are their biometric counterparts actually infallible?
To be clear, the reason that passwords are so insecure is because there are a finite number of possible alphanumeric combinations that can be used for any given password, so a hacker with the time and tenacity could, in theory, figure out your password through a process of elimination. Or else, a potential attacker could watch you input your password or pattern and, after gaining access to your device, attempt to follow along with your movements to satisfy your device’s authentication requirement. Granted, there are ways to mitigate this somewhat, including by putting a limit on the number of times in which an incorrect password can be entered, but this type of precaution is far from absolute. For this reason, fingerprint sensors are all the rage right now and are becoming a standard feature even on mid- to low-range mobile devices.
“The password you’ve entered is incorrect.”
I’m sure the question has occurred to you at some point over the course of your smartphone tenure: What’s so wrong with using a password?
But what about the capital letters and special characters I’m required to include in my password? Doesn’t that make my device more secure? Actually, no.
If the man who’s responsible for all those guidelines that are supposed to make our passwords more secure is to be believed, including the capital letters and numbers and special characters doesn’t actually make your password more secure. That guy’s name is Bill Burr, a former manager at the National Institute of Standards in Technology (NIST).
In 2003, Burr created an eight-page guide that would go on to inform the password-creating guidelines by which we’re forced to abide today. But Burr recently came clean and admitted that he had a very poor understanding of how passwords actually worked at the time, and he’s very sorry that his misguided treatise is the reason we must make these unnecessarily complicated passwords that don’t make our devices or accounts anymore secure.
Of course, while it’s more secure than using a password alone, two-factor authentication is really only useful for logging into web-based accounts and isn’t viable for locking your smartphone. If we only used two-factor authentication on our mobile devices, your smartphone would basically be unusable anytime you happened to be in a dead zone or on a flight, for instance, since two-factor authentication typically requires some type of data connection so the transmission of the temporary PIN code can be triggered. There are ways around this – like using an app on another device, or something like YubiKey – but they are impractical for every-day consumer use.
Patterns have been a very popular method of smartphone security, too. While passwords require alphanumeric input and, therefore, is a more deliberate or even tedious process, patterns are much faster and easier to do, particularly when you’re using the device one-handed.
To set up a pattern, you’re presented with nine dots arranged in three rows of three; essentially, you start by putting your finger onto your desired dot as a starting point and play a little game of connect-the-dots, drawing connecting lines to other dots to form a pattern. You can draw connecting lines between three dots, five dots, or ten dots, making the pattern as simple or complex as you’d like. Once your pattern is set, anytime you wake the display of your device, you’ll see those nine dots and can begin inputting your pattern to unlock.
In addition to being forgiving to one-handed use, people tend to like using patterns to secure their phones because they can rely on muscle memory to input their patterns and unlock their smartphones almost without looking or giving the process any thought. However, one of the biggest issues with patterns is that others can watch how your finger moves across your device’s display to decipher your pattern. It’s particularly easy since there are only nine points on your device, giving hackers much better chances of figuring out your pattern than if they were trying to detect the letters you were hitting on a keyboard for an alphanumeric password. And almost half of lock screen patterns start in the upper lefthand corner, according to some data.
Between all non-biometric forms of smartphone security, passwords are definitely the most secure, especially if you’re smart about how you make them.
However, anykind of biometrics is more secure than any kind of password, since there is basically no chance of replicating your biometric.
