Many modern devices, whether mobile phones, tablets, or laptops, contain fingerprint readers. Readers have existed for a long time, but they were expensive and not widely deployed. That changed with mobile phones, and now many devices include fingerprint readers as standard equipment, so much so that this seems to be a very common way of authenticating access on lots of devices.
This isn’t necessarily a very secure way of protecting data. An Ars Technica article notes that fake fingerprints were able to unlock these devices 80% of the time. That’s a success rate that should worry a lot of security personnel. Most organizations allow some sort of BYOD device, including many financial, medical, and other organizations that deal with sensitive data. Since control of a device often means access to saved credentials and the ability to approve 2FA prompts, this could be an issue.
Certainly nation states might try to take advantage of this to gain control of a device and access data from other governments, but I’m sure corporate espionage is in play here as well. I wouldn’t be surprised if this also becomes a technique for pranksters and jokers. Imagine you can bypass the fingerprint on a colleague’s phone. Maybe you want to change their wallpaper. Maybe you want to send an embarrassing email to friends. Maybe you want to add a backdoor to some code using their GitHub credentials. You could do anything from an innocuous joke to a malicious, career-threatening action. Imagine you choose to do this while your colleague is at lunch, with their phone forgotten on their desk.
No security is perfect. Many of us who work closely with someone could probably guess their device PIN or unlock pattern if we see it entered often enough. We certainly could easily put a keylogger on a wired keyboard at someone’s desk. There are plenty of vulnerabilities, and in this age of being highly connected through our devices, there are potential issues with every form of access. There’s no perfect solution, but we should be diligent about physical control of our devices and react swiftly if we think one might have been stolen. Remote disable and a good backup would be at the top of my list.