"Please enter your PIN" -- On the Risk of Bypass Attacks on Biometric Authentication on Mobile Devices
This addresses a security problem for mobile device users by highlighting an incremental risk in existing authentication systems.
The paper tackles the vulnerability of mobile biometric authentication to bypass attacks, where attackers force users to use easily observable passcodes, and proposes that improved feedback design and fallback mechanisms can enhance security without compromising usability.
Nowadays, most mobile devices support biometric authentication schemes like fingerprint or face unlock. However, these probabilistic mechanisms can only be activated in combination with a second alternative factor, usually knowledge-based authentication. In this paper, we show that this aspect can be exploited in a bypass attack. In this bypass attack, the attacker forces the user to "bypass" the biometric authentication by, for example, resetting the phone. This forces the user to enter an easy-to-observe passcode instead. We present the threat model and provide preliminary results of an online survey. Based on our results, we discuss potential countermeasures. We conclude that better feedback design and security-optimized fallback mechanisms can help further improve the overall security of mobile unlock mechanisms while preserving usability.