Why you should never use pattern passwords on your phone

Facial recognition, fingerprints and iris scanning have all joined PINs, passcodes and swipe patterns. But which should you be using?

There was a time, long ago, when all a phone was designed for was for us to make calls, send off a few texts and play a few games of Snake. But today, when so much of our data-rich lives live inside the shells of our smartphones, it’s never been more important to keep all our phones secure. Thankfully, it’s now so easy to lock up your phone that everyone should be doing it.

Along with passcodes, passwords and patterns, smartphone manufacturers are now implementing biometric security processes such as Face ID and iris scanning onto Android and iOS devices to give users a quicker, more convenient way of unlocking their phone.

With there now being such a veritable smorgasbord of ways to unlock today’s phones, is there one method which is the most secure? And how do you make your chosen phone-locking method the most secure it can possibly be?

The best form of defence is your passcode, PIN or password

Passcodes, PINs, passphrases and patterns are the core defence that underpins any biometric method of unlocking your phone. But these options aren’t all equally secure. While none of them is completely foolproof, the passcode or PIN seems to be the best defence against attackers wanting to access your phone.

“This is a complex problem, but for people who are not security experts, a PIN is pretty good,” says Ross Anderson, professor of security engineering at the University of Cambridge. While passcodes and PINs aren’t a requirement on devices running either iOS or Android unless you use Face ID, Touch ID or an iris scanner, setting one up is a sensible move, if only because the PIN is the last defence before someone can access your phone.

On iOS devices, the passcode is encrypted and then stored inside the processor in what Apple calls the ‘secure enclave’. Apple’s walled garden of encryption is what led to the high-profile spat between Apple and the FBI when the company refused to build an encryption backdoor into its devices in 2016. Apple has no way of viewing or editing anything stored in the enclave. When you enter your passcode, iOS asks the enclave whether what you’ve entered matches what it holds, and grants you entry if it does. No one can access the passcode because of where it is stored.

Android manufacturers have only recently begun storing sensitive data in an enclave. As of 2019, 89 per cent of Android phones have a secure hardware chip for storing data, according to a report by Counterpoint Research. If the data isn’t stored in such an enclave, it will most likely be stored somewhere in software, which Anderson says can be cracked if the attacker is motivated enough.

The chance that a hacker has immediate access to your face, fingerprint or iris is fairly low. And even if they did, they wouldn’t need your biometrics to access your phone: all they need is your passcode. That’s why it’s even more important to make sure that the smartphone’s last defence is a good one. So, how do you make sure that your passcode or PIN is as secure as it can possibly be?

In a study conducted in 2012, Anderson found that the majority of people use PINs that represent dates, years, repeated digits and even snigger-worthy PINs involving the digits six and nine. "People tend to choose PINs which correspond to birthdates. If you see someone with a 12-year-old kid, a reasonable PIN to try might be 2008, and then 2007, and then 2009," Anderson adds. "People also tend to choose PINs that are easy to put in quickly by feel, like 1232 or 7898."

So, avoiding the most common PINs and passcodes is the most sensible way to make your phone more secure. This includes not tying it to something easy to guess, such as a date of birth. And whilst you might expect six-digit passcodes to be more secure than four-digit passcodes and PINs, that might not actually be the case.

Researchers from Ruhr University Bochum, the Max Planck Institute for Security and Privacy and the George Washington University found that six-digit passcodes were only marginally more secure than four-digit passcodes, and in some cases were easier to guess. The research will be published later this year at the IEEE Symposium on Security and Privacy. The researchers speculate that six-digit PINs are only marginally more secure than four-digit PINs because the sequence is longer, so people don’t want to spend too much effort on it; they assume that, because of its length, the PIN is already secure enough.

As for passwords, the hassle of entering a strong, long, alphanumeric string on a small smartphone keyboard could put people off choosing something more secure altogether. In reality, no one wants to spend several seconds, many times a day, entering a long password that might be stronger than a PIN, simply because it takes so long. Angela Sasse, professor of Human-Centred Security at Ruhr University Bochum and University College London, says that every additional character and every toggle to numbers and symbols increases the time it takes. A user would get so frustrated that they’d switch back to a PIN code anyway.
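As an added illustration (not part of the WIRED article or any of the researchers’ tools), here is a small Python helper that flags the predictable PIN classes described above: repeated digits, years, birth dates, and sequences that are easy to enter by feel on a phone keypad. The keypad layout, the 1900-to-present year range and the heuristic names are my own assumptions.

```python
# Hypothetical PIN-weakness checker (added example, not from the article). Flags the
# predictable classes the article describes: repeats, years, dates, keypad sequences.
from datetime import date

# Physical 3x4 phone keypad. A "keypad walk" moves only between horizontally
# or vertically adjacent keys, or stays on the same key (1232, 7898, 2580).
KEYPAD = ["123", "456", "789", " 0 "]
POS = {ch: (r, c) for r, row in enumerate(KEYPAD)
       for c, ch in enumerate(row) if ch != " "}

def is_keypad_walk(pin):
    """True if every consecutive pair of digits is adjacent on the keypad."""
    for a, b in zip(pin, pin[1:]):
        (r1, c1), (r2, c2) = POS[a], POS[b]
        if abs(r1 - r2) + abs(c1 - c2) > 1:
            return False
    return True

def contains_year(pin):
    """True if any 4-digit window of the PIN is a plausible year (1900 to now)."""
    this_year = date.today().year
    return any(1900 <= int(pin[i:i + 4]) <= this_year for i in range(len(pin) - 3))

def looks_like_date(pin):
    """True if the first four digits parse as DDMM or MMDD (so DDMMYY/MMDDYY too)."""
    for d, m in ((pin[:2], pin[2:4]), (pin[2:4], pin[:2])):
        try:
            date(2000, int(m), int(d))  # dummy leap year; only day/month validity matters
            return True
        except ValueError:
            continue
    return False

def pin_weaknesses(pin):
    """Return the heuristics that fire for a 4- or 6-digit PIN; [] means none fired."""
    if not (pin.isdigit() and len(pin) in (4, 6)):
        raise ValueError("expected a 4- or 6-digit numeric PIN")
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    elif pin == pin[:len(pin) // 2] * 2:
        reasons.append("repeated block")
    if contains_year(pin):
        reasons.append("looks like a year")
    if looks_like_date(pin):
        reasons.append("looks like a date")
    if is_keypad_walk(pin):
        reasons.append("keypad walk")
    return reasons
```

An empty result only means none of these heuristics fired; it is a filter for obviously guessable choices, not a measure of strength.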


Never use a pattern password

Android users have the ability to choose a pattern password to unlock their phone instead of a passcode, a password or a PIN. But it turns out that this is the least secure way of locking your phone.

In a paper published in the Proceedings of the Annual Computer Security Applications Conference, researchers found that when participants watched a video of someone entering a pattern to unlock their phone just once, they were able to memorise and replicate it 64 per cent of the time. This rose to 80 per cent if the participant watched it more than once. The study replicated a common password-copying method called shoulder-surfing, in which an attacker discreetly watches someone enter their password.

The authors speculate that this is due to a graphical pattern being easier to memorise than a set of random numbers. But if you absolutely must use a pattern, then there are some tricks you can use to make sure that it’s a secure one, like starting from different positions.

“Patterns are the least secure. And there's something called a selection bias. So, for example, it has been observed that the users always start from the top left corner and this helps the attacker guess the correct pattern,” explains Maximilian Golla, security researcher at the Max Planck Institute for Security and Privacy.

Golla explains that many people choose the pattern password because it’s easy to remember, the same reason why people make patterns on keys like ‘2580’ when using a PIN code or a passcode. “It basically gives you an additional layer of information. But that's a bad idea, because that also makes it predictable and easy to observe in shoulder surfing attacks,” he explains.

Sasse also points out that using all the nodes on a pattern grid doesn’t always make it more secure. Two of the most common pattern passwords on Golla’s list, for example, use all of the available nodes. “Essentially, people draw letters or a number. So, drawing a pattern that isn't a number or a letter is good because those are the most common,” Sasse adds. Another issue is that with pattern unlocks, smudge marks on the screen can often give attackers an idea of where your finger has been moving.

How secure are biometrics?

On both iOS and Android, biometric authentication methods merely act as a way for users to unlock their devices more quickly than by repeatedly entering passcodes and PINs. And while they’re generally strong means of unlocking your phone, they aren’t the main defence.

“Face ID or Touch ID are certainly strong authentication techniques compared to the basic memorisation approaches that you would get as standard on all of the devices,” says Steve Furnell, professor of information security at the University of Plymouth. “The thing is that in all of those cases, you've still got the memorised secret as your underlying authentication unlock technique.”

That said, some biometric unlocking methods are still easier to crack than others. So, choosing a device with a more secure way of unlocking your phone is important.

Fingerprint sensors

Whilst Apple has ditched the fingerprint sensor on its iOS devices in recent years, Juniper Research said in 2018 that 95 per cent of phones had a fingerprint sensor. The firm expects this to drop to 90 per cent by 2023 – still a sizable chunk. But how secure is it really?

There are a few major types of fingerprint sensor technology used in smartphones today, but they’re not all as secure as each other. Samsung’s ultrasonic fingerprint sensor, for example, which creates a 3D image of your fingerprint using ultrasonic waves, is said to be the most secure form of sensor and sits underneath the screen of its more recent S10 series phones. But the sensor can have issues with some types of screen protector, Golla says. “If you use a screen protector, like a foil on the touchscreen, then the sensor is irritated, and the training won't work,” he explains. “The end result is the sensor accepting every possible fingerprint.”

Apple uses capacitive fingerprint sensors in its Touch ID system, which trace the ridges of your finger rather than taking a 2D copy of your print. The company claims that there is a one-in-50,000 chance that someone else’s fingerprint will be able to unlock your phone.

With any fingerprint sensor, however, Sasse says that someone can quite easily harvest your fingerprint from a surface and then place it on the sensor to unlock your device. And researchers from New York University and Michigan State University were even able to create a set of artificial master prints, which matched registered fingerprints up to 65 per cent of the time. This is why, Sasse says, it is important to train your fingerprint well.


Facial recognition

Device manufacturers have begun swapping fingerprint sensors for facial recognition tech in the past few years, in part due to their love of full-screen phones. But it’s also apparently more secure than fingerprint sensors.

Apple, for instance, claims that there is a one-in-a-million chance that someone can unlock your phone using Face ID. That’s in large part down to Apple’s use of 3D facial recognition, which analyses how shadows fall across your face when it is trained from various angles. Again, 3D facial recognition can be fooled if the attacker is motivated enough. Previous studies have shown Face ID being tricked by high-quality 3D masks. The likelihood of this happening, though, is low.

Another issue could also be the quality of the facial recognition software. If your phone is trained on bad images, then it will struggle to identify you. If your template isn't very good – for instance, if you've got a lot of glare on your face when training the facial recognition software and the system lets you enrol that – then it will become easier for an attacker to overcome the technology.

Iris scanning

Iris scanning is said to be the most secure form of biometric authentication because our irises are more distinctive than our fingerprints. The technology is used on some Samsung Galaxy devices, but it can take longer to scan an iris because the user has to be looking directly at the sensor. That said, it remains the most secure method of biometric authentication around.

Samsung has begun combining iris scanning and 3D facial recognition to make unlocking your phone even more convenient. Intelligent Scan, for example, scans your iris in low light if it cannot recognise your face, and scans your face in bright light if it cannot recognise your irises.

Still, Furnell is keen to emphasise that while facial recognition technology combined with iris scanning is a great biometric authentication method, at the end of the day, it’s just there to make the user’s life easier. “As it's currently done, you can't avoid the fact that your memorised secret is still the ultimate key to your device.”

That’s why the best thing you can do to keep your device secure is to make certain that your passcode is as strong as it can be, whether or not you decide to take advantage of biometric authentication. “Even if we argue that something like Face ID or fingerprint technology is thousands of times more secure than a basic PIN, if you've still got the option to completely bypass that thing with a PIN, then it's actually providing no more security,” Furnell says.

Alex Lee is a writer for WIRED. He tweets from @1AlexL

This article was originally published by WIRED UK