"Please enter your PIN" -- On the Risk of Bypass Attacks on Biometric Authentication on Mobile Devices

Abstract

Nowadays, most mobile devices support biometric authentication schemes like fingerprint or face unlock. However, these probabilistic mechanisms can only be activated in combination with a second alternative factor, usually knowledge-based authentication. In this paper, we show that this aspect can be exploited in a bypass attack. In this bypass attack, the attacker forces the user to "bypass" the biometric authentication by, for example, resetting the phone. This forces the user to enter an easy-to-observe passcode instead. We present the threat model and provide preliminary results of an online survey. Based on our results, we discuss potential countermeasures. We conclude that better feedback design and security-optimized fallback mechanisms can help further improve the overall security of mobile unlock mechanisms while preserving usability.

Publication
arXiv:1911.07692 [cs]
Christian Tiefenau
Christian Tiefenau
Postdoc

I’m interested in the field of usability and security with special focus on administrators. If you are interested in collaboration feel free to contact me.

Maximilian Häring
Maximilian Häring
Ph.D. Student