Computer Security: Swipes vs PINs vs passwords vs you


What kind of person are you? An artist, like a painter? A credit card fanatic or just “in numbers”? Cerebral, a memoriser or even a genius? An influencer, like a peacock, or just prettily self-confident? A security buff or sufficiently security aware? Or just ignorant about security and your privacy? Let’s assume for a moment that the way you unlock your smartphone tells us which.

There are many different ways to unlock your smartphone: swiping patterns, PIN numbers, passwords, biometric fingerprints or face recognition. Some are more secure, some less so. But all are better than nothing. So, let’s look at some of them.

Swiping patterns: The obvious choice on Android phones. Your favourite pattern on a 3x3 matrix. But as it has to be one continuous swipe, the number of actual possibilities is quite limited, boiling down to about 20 most-used swipes. If yours is listed there, it may be time to move to another, more secure swipe. In any case, your swiping can be spied on and then tried once your smartphone is stolen.

Worse – although it’s probably still academic – a small basic sonar system combining a local loudspeaker to emit acoustic signals inaudible to humans and a microphone to record them coming back again allowed researchers to use “the echo signal […] to profile user interaction with the device”, i.e. the way your finger swipes over and interacts with the screen. They’ve shown how this sonar can be employed to help identify the swipe pattern to unlock an Android phone – reducing the number of trials to be performed by an attacker by 70%. And that’s only their proof of concept… Maybe PINs and passwords are better?

PINs vs passwords: A common paradigm of computer security is linked to password complexity. Four-digit PIN numbers are no longer state of the art. And even six digits are not necessarily sufficient. While guessing and brute-forcing is difficult, as your smartphone should have a lock-out procedure only allowing a small number of tries before introducing timeouts or even wiping your phone completely(!), PINs can be easily spied on and replayed once your smartphone has been stolen*. Or do you shield your screen as you type your smartphone PIN as you do for your credit card at an ATM? Of course, a better choice is a long and complex password or even passphrase (unless you use one of the top 10 most-used passwords). Admittedly, typing such long and complex passwords can be tedious. Enter: biometrics.
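To make the keyspace argument of the two paragraphs above concrete (the limited number of continuous swipes versus four- and six-digit PINs), here is an added Python example that is not part of the original article: it enumerates every valid Android 3x3 pattern under the standard rules and shows what fraction of each keyspace a blind guesser can cover before an assumed lock-out budget of ten attempts is exhausted.

```python
# Added example, not code from the original article. Enumerates every valid
# Android 3x3 unlock pattern and compares the keyspace with 4- and 6-digit PINs
# under an assumed lock-out budget. Pattern rules implemented: at least 4 dots,
# no dot reused, and a straight line over an unvisited dot must pass through it.
from typing import Dict, List, Optional

GRID = [(r, c) for r in range(3) for c in range(3)]  # dot index -> (row, col)


def dot_in_between(a: int, b: int) -> Optional[int]:
    """Index of the dot lying exactly halfway between dots a and b, if any."""
    (r1, c1), (r2, c2) = GRID[a], GRID[b]
    dr, dc = r2 - r1, c2 - c1
    if (dr, dc) != (0, 0) and dr % 2 == 0 and dc % 2 == 0:
        return GRID.index((r1 + dr // 2, c1 + dc // 2))
    return None


def count_patterns(min_len: int = 4, max_len: int = 9) -> Dict[int, int]:
    """Number of valid swipe patterns, keyed by pattern length in dots."""
    counts: Dict[int, int] = {}

    def extend(path: List[int]) -> None:
        if len(path) >= min_len:
            counts[len(path)] = counts.get(len(path), 0) + 1
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in path:
                continue
            mid = dot_in_between(path[-1], nxt)
            if mid is not None and mid not in path:
                continue  # the line would skip an unvisited dot: not allowed
            extend(path + [nxt])

    for start in range(9):
        extend([start])
    return counts


def coverage(keyspace: int, attempts: int) -> float:
    """Fraction of a keyspace a blind guesser covers within a lock-out budget."""
    return min(attempts, keyspace) / keyspace


if __name__ == "__main__":
    total = sum(count_patterns().values())
    print(f"valid swipe patterns: {total}")  # 389112
    # 10 attempts before the phone wipes itself is an assumed budget for illustration
    for name, space in [("swipe pattern", total), ("4-digit PIN", 10**4), ("6-digit PIN", 10**6)]:
        print(f"{name:14s} keyspace {space:>9d}  covered by 10 tries: {coverage(space, 10):.6%}")
```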

Biometrics: Still our favourite – using your fingerprint sensor or a capture of your face to unlock your phone. Your smartphone (and laptop) manufacturers went to extreme lengths to ensure that your biometric signature cannot be spoofed by your fingerprint lifted onto a piece of tape, your face in a photo or your sleeping self. And they also ensured that your biometric information is properly and securely stored using a special-purpose hardware chip (TPM: “trusted platform module”). Still, fingerprint authentication in particular has been bypassed in the past on Android and Windows devices, making face recognition our favourite choice to protect access to your smartphone and all the personal (and professional!) data you store and access with it.


*Actually, Apple’s latest security patch also fixed some issues with this.

______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.