Apple has, of late at least, oft been accused of following rather than leading when it comes to smartphone innovation. Perhaps the launch of the iPhone 5s with the somewhat controversial fingerprint scanner has changed that, just a little bit. HTC, the powerhouse in the Android smartphone hardware market, has announced the latest addition to the fleet: the HTC One Max. And guess what? Yep, it comes complete with a fingerprint scanner built in.
OK, the similarities to the iPhone 5s pretty much start and end there. You only have to take a look at the One Max to realise where the name comes from: it is pretty damned huge, with a 5.9" full HD 1080p display. The super-sized smartphone, or 'phablet' as some are already calling it, doesn't come with a 64-bit chip like the A7 that features in the iPhone. Not that it's short of power: the Qualcomm Snapdragon 600 processor in the One Max is a 1.7 GHz quad-core powerhouse that's perfectly capable of driving the device. However, it is an off-the-shelf processor, and that could be problematic for those worried about the privacy of their scanned fingerprint data. Whereas the Apple chip was designed to store the encrypted data within a secure and separate enclave to prevent leakage or theft, the Snapdragon has no such safety zone.
HTC is at pains to point out that the fingerprint data (and one has to assume that this will not be an image but, as with the iPhone, an algorithmic representation of the fingerprint) will be encrypted. It will also be stored in local memory where it cannot easily be accessed or copied. I'd be happier knowing exactly what encryption is being used, as this is rather paramount to the security of the storage. Then again, I'd be happier still if the Apple secure enclave approach had been used, as this ensures the data is walled-off from the rest of the OS as well as other apps.
Unlike Apple, HTC has put the fingerprint scanner on the back of the smartphone, which sounds a little awkward (no easy thumb scanning as with the iPhone), but as this is a larger device it should be pretty straightforward, as most users will grip the thing so that their pointy fingers are round the back. Also different from Apple, and a nice touch, is the fact that the fingerprint can be assigned to unlock the screen and then launch up to three applications, with the user assigning a different fingerprint to each.
David Emm, senior security researcher at Kaspersky Labs, worries that, unlike a passcode, a fingerprint cannot be changed for a new one if compromised. "If someone is able to fool a fingerprint reader by spoofing the fingerprint," Emm says, citing the example of the Chaos Computer Club, which has indicated it bypassed the iPhone 5s security using a fingerprint read from a glass surface, "you can't just find a new fingerprint". This is undoubtedly true, but someone would have to seriously want access to your smartphone in order to go to the trouble of lifting a print and making a copy; it's not at all straightforward. If you are someone with such valuable data on your phone, or your phone might lead to access to said data, then one would hope your devices would be very well secured indeed - and not by either a fingerprint scan or a passcode. Maybe both, though. You see, I'm a fan of the iPhone fingerprint scan for the masses, those people who will never be targeted by fingerprint thieves as long as some kind of James Bond technique is required to spoof it. That goes especially for those among the masses, and surveys tend to suggest it is a majority of users, who do not even use a PIN to secure access to their devices. The fingerprint scanner is so quick and easy to use that it doesn't make accessing the phone slow or cumbersome, but it does add a security layer that those users didn't have before.
But anyway, back to my "maybe both, though" comment. This is where I see the future of fingerprint ID on smartphones, be they Android or iOS. Plenty of companies already use smartphones as software authentication tokens, requiring the use of the device to create a unique passcode in order to access whatever data network is being protected. Enabling a fingerprint scanner on such smartphones effectively turns them into an additional hardware authentication token, a third layer of security. So in order to be authenticated, a user would have to enter a username/password combination for the network, then unlock their smartphone using their biometric information, and finally generate a key using the software authentication app or via receipt of an authentication SMS message.
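
The three-step login described above, sketched as an added example that is not from the article, HTC or Apple: the network checks the password, and the phone's token app releases a one-time passcode only after the fingerprint unlock. Assumptions: the passcode is an RFC 4226/6238 style time-based code, the fingerprint check is modelled as a match result handed to the app, and the names `PhoneToken` and `authenticate` are hypothetical.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per time step (RFC 6238 default)

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class PhoneToken:
    """Hypothetical token app: the seed is usable only while the phone is unlocked."""
    def __init__(self, seed: bytes):
        self._seed, self._unlocked = seed, False

    def unlock(self, fingerprint_matched: bool) -> None:
        # Assumption: the sensor/OS reports only a match result, never the print.
        self._unlocked = fingerprint_matched

    def code(self, now: int) -> str:
        if not self._unlocked:
            raise PermissionError("device locked: biometric unlock required")
        return hotp(self._seed, now // STEP)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authenticate(user: dict, password: str, code: str, now: int) -> bool:
    """Network side: check the password, then the one-time code (+/- 1 step)."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    counters = (now // STEP - 1, now // STEP, now // STEP + 1)
    code_ok = any(
        hmac.compare_digest(hotp(user["seed"], c).encode(), code.encode())
        for c in counters if c >= 0)
    return pw_ok and code_ok  # both factors are always evaluated

# Constructed sample account; the seed is the RFC 4226 test key, not a real secret.
SEED, SALT = b"12345678901234567890", b"constructed-salt"
USER = {"salt": SALT, "pw_hash": hash_password("correct horse", SALT), "seed": SEED}

if __name__ == "__main__":
    phone = PhoneToken(SEED)
    phone.unlock(fingerprint_matched=True)
    print(authenticate(USER, "correct horse", phone.code(59), now=59))
```

A code generated on the unlocked phone is accepted only within one time step either side of the server's clock, so a passcode read off the screen is useless a minute or so later.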