I was going to discuss the fingerprint scanner of the Galaxy S5, but then I got bogged down in what security actually means. So, I’ll talk about the scanner in another post and for now concentrate on what ‘security’ actually means.
Security, in reality, is not really about stopping people getting at something – though that’s the ideal. Security is more about slowing others down within the limits of your resources so that it’s not worth their resources to keep trying. It’s also a compromise between slowing down the ‘bad people’ and the ease of access for the ‘good people’.
A bank vault that takes the bad people 6 days to break into is great. If, however, it also takes the good people 22 hours to open it, then it’s not much use. It’s either going to be left open all the time, or only open for very brief periods. A lock on your front door may deter the casual ‘bad person’, but someone who is determined can try many options: lockpicking, breaking the door, breaking a window and so on. Each of these can be countered:
- You can get an ‘unpickable’ lock.
- You can get a stronger door (stronger lock, hinges, frame, or the door itself).
- You can put a stronger door in front of the main one.
- You can put bars over a window, or get impact resistant glass.
You can even go further. You can do all of the above and put in a security system that will scream if someone ‘unauthorised’ enters, and can even dial your security company to come over for a chat.
All of these have a cost to implement. If we’re talking about just money, then you have to weigh the cost of each of those against what you’re trying to protect. If it costs you $500 to secure your home, and you’re protecting only $200 worth of valuables, then perhaps it’s not worth it.
Of course, a lot of us also take other costs into account: the emotional cost, perhaps increased insurance premiums and the like. And the measures themselves can add a barrier to you getting into your own house. A better lock adds nothing to your difficulty. On the other hand, putting another door in front of the first, or adding a security system you need to turn off, makes getting in a little slower. So really, when we talk about security, it’s the balance between:
- The likely resources of those I want to keep out
- How much I can afford to pay to keep them out
- How much I want to keep them out (i.e. how valuable is what I’m guarding?)
- How much hassle I’m willing to put up with so that I can enter.
What this means is that every security device, whether it be ‘real world’ or digital, has its pros and cons. For relevant examples, let’s look at the security methods you can use to lock an Android phone.
Swipe to unlock
The most obvious, and the one with only the barest hint of security. It pretty much can stop you ‘arse dialling’ and that’s about it.
Pros:
- Easy to unlock.
Cons:
- Anyone with a digit can unlock the phone.
- Can be unlocked accidentally (so really not always a great defence against arse dialling).
Pattern unlock
In which you join dots on a screen to form your ‘security pattern’.
Pros:
- Must know the pattern to unlock.
- Depending on the number of dots joined, this can be quite quick to unlock the phone.
Cons:
- Unless you always wipe your screen after use, the smudges on the screen can give hints as to what the pattern is.
- Easy to make a mistake if you accidentally lift your finger at the wrong time, or don’t quite touch one of the dots. When I’m in a hurry I often screw up the pattern in this kind of way.
PIN/Password
These are just variations of the same thing. The main difference with a PIN is that it consists only of numbers, so the number of possible PINs is far more limited than the number of possible passwords, which can contain upper and lower case letters, digits, special characters and the like.
Pros:
- Need to know the PIN/Password to unlock.
- Unlikely there will be enough ‘smudge’ evidence on the phone to help with guessing.
- PIN/Password strength is up to the user.
Cons:
- Some people have issues remembering PINs or Passwords and therefore may forget and be locked out of their device, or will store the PIN/Password in some form that someone else can discover.
- PIN/Password strength is up to the user.
“PIN/Password strength is up to the user” is both a pro and a con, you’ll notice. Within certain limits that systems often set on these things, the user is free to choose whatever they like. This means they have a better chance of choosing something they can remember. The downside is that they may choose something far too simple, or something that a bad person can find out with a little research (the name of a child, a year of birth or similar, for example). So the security here can be variable, and that’s before we discuss things like how many attempts are allowed before the user is locked out completely.
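To put numbers on the “slowing people down” idea, here is an added example (not from the original post) that counts how many candidates each lock method has and how long trying all of them would take under a lockout policy. It also enumerates Android’s 3x3 pattern space using Android’s real drawing rules; the lockout figures (5 tries, then a 30-second wait, 2 seconds per try) are a constructed illustration, not a statement about any particular phone.

```python
# Added example (not from the original post): keyspace and lockout arithmetic
# for the lock methods above. The lockout policy in seconds_to_exhaust()
# (5 tries, then a 30 s wait) is a constructed illustration, not a claim
# about any specific phone.

GRID = 3  # Android's pattern lock is a 3x3 grid of dots numbered 0..8

def _dot_between(a: int, b: int):
    """Dot lying exactly halfway between a and b, or None if there is none.
    Android only lets a stroke pass over a dot that is already used."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2

def count_patterns(min_len: int = 4, max_len: int = 9) -> int:
    """Count valid patterns by depth-first enumeration (Android needs >= 4 dots)."""
    n = GRID * GRID

    def extend(path: tuple) -> int:
        total = 1 if len(path) >= min_len else 0
        if len(path) == max_len:
            return total
        for nxt in range(n):
            if nxt in path:
                continue  # each dot may be used once
            mid = _dot_between(path[-1], nxt)
            if mid is not None and mid not in path:
                continue  # would jump over an unused dot
            total += extend(path + (nxt,))
        return total

    return sum(extend((start,)) for start in range(n))

def pin_keyspace(digits: int) -> int:
    """Every PIN of the given length: ten choices per position."""
    return 10 ** digits

def password_keyspace(length: int, alphabet: int = 26 + 26 + 10 + 32) -> int:
    """Passwords drawn from upper, lower, digits and 32 printable specials."""
    return alphabet ** length

def seconds_to_exhaust(keyspace: int, tries_per_lockout: int = 5,
                       lockout_s: int = 30, seconds_per_try: float = 2.0) -> float:
    """Worst-case time to try every candidate: each try costs seconds_per_try,
    and after every tries_per_lockout wrong tries input is refused for lockout_s."""
    lockouts = (keyspace - 1) // tries_per_lockout if tries_per_lockout > 0 else 0
    return keyspace * seconds_per_try + lockouts * lockout_s
```

With these constructed numbers a 4-digit PIN takes roughly 22 hours to exhaust, and setting tries_per_lockout to 0 shows how much of that time is the lockout alone.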
Fingerprint scanner
In this case you swipe your finger over the fingerprint scanner, and if it recognises the fingerprint, it lets you in.
Pros:
- It’s your fingerprint, which is very unlikely to be shared by anyone else.
- You only have to remember which of your fingers the device remembers.
- You always have the ‘key’ with you.
- Relatively fast (one swipe).
Cons:
- Can be spoofed (with access to a decent copy of your fingerprint – and the necessary equipment to make a copy).
- Prone to false negatives/bad reads.
- Possibly prone to false positives (though I don’t know how good/bad the S5 one is).
- Often turns unlocking the phone into a two handed job, depending on the size of your hands and which fingers you use.
So where does all that leave us?
If you favour ease of access, but don’t care about actual security, then swipe to unlock is for you.
If you favour ease of access, have trouble remembering passwords (or thinking up good ones that you can remember) and are comfortable with just stopping people who don’t have time/reason to study your screen, then pattern unlock works.
If you can remember ‘good’ PINs/Passwords or just want a method to slow down most people, and don’t mind it taking longer to unlock, then PIN/Password works.
If you want ease of access, and can perform the finger ‘gymnastics’ required, and are comfortable with the discussed security issues of fingerprints, then fingerprint scanning works for you.
In the end: decide which set of compromises works for you, and choose the method that is closest to those compromises.