If You Are Using Fingerprint Authentication on a Nokia Phone, You Might Want to Switch Back to a Password

Nokia 9 PureView FIngerprint Scanner Vulnerability

The theory suggests that competition as fierce as the one we see in the mobile device market will result in products with top-notch quality and great prices. In reality, however, things don't always work out that way. Over the last month or so, for example, Nokia showed us that when vendors are in too much of a hurry to innovate, they make mistakes that could sometimes have serious consequences.

In-screen fingerprint readers: Are they really necessary?

The issue comes from the fingerprint reader that's incorporated into the screen of Nokia's flagship 9 PureView smartphone. Before we take a look at what's going on, however, let's step back for a moment and see why HMD Global, the company that owns the Nokia brand, decided that in addition to the six (yes, six) rear-facing cameras, the 9 PureView needs a fingerprint reader that's built into the display.

Fingerprint authentication had more or less become the norm when in late 2017, Apple launched the iPhone X which, rather perplexingly, had no fingerprint reader on it of any sort. The iPhone maker had decided to substitute it with FaceID – an advanced face recognition authentication mechanism that allowed Apple to create a relatively compact device with a large, usable screen. This kicked off a trend of sorts.

Plenty of Android device manufacturers had also been striving to get rid of bezels and buttons, but now that the Apple was there already, the race was really on. Some of the vendors opted for a simple and effective solution – freeing up space on the front of the device by situating the fingerprint reader below the rear-facing camera. Others, however, wanted to make things unnecessarily complicated.

Many implemented face-recognition capabilities into their pricier models, but research quickly showed that their technology was neither as secure nor as reliable as FaceID. Vendors like Nokia realized that their phones need a fingerprint reader, but to show everybody that they can be innovative as well, they thought that they should incorporate it into the display.

Nokia 9 PureView's fingerprint authentication – a disaster since Day One

Nokia launched its 9 PureView handset back in March, and with it, it debuted its in-screen fingerprint scanner. To say that it has had its teething problems would be an understatement. As soon as the phone came out, reviewers and users collectively complained about the fingerprint authentication's dismal reliability.

During their tests, for example, GSMArena noticed that sometimes, the PIN keyboard would appear above the fingerprint scanner, and that after a quick lock and unlock, the reader wouldn't always appear on time. At the same time, people all over the web were complaining about having to press hard down on the scanner multiple times before the phone lets them in. All in all, compared to both traditional and other in-screen scanners, Nokia's reader was not performing well. What was once the biggest name in the mobile phone business, was looking at armies of users who had paid good money for a device they weren't happy with. Something had to be done.

Nokia: "We'll fix it, we promise".

It quickly became clear that sweeping the problem under the rug was not an option, and soon after the negative reviews came flooding in, Juho Sarvikas, HMD Global's Chief Product Officer, started assuring people that the company is working on a firmware update that will address the fingerprint scanner problems as well as other commonly spotted stability issues. Last week, he announced that the patch is ready and is reaching users in different geographical regions. Firmware v4.22 was supposed to fix the woefully unreliable fingerprint reader, and for a few hours, it seemed like it had done just that. Soon, however, it became apparent that it's not all good news.

While certain users did report improved authentication, others said that the update had made no difference. Then, a UI/UX designer going by the Twitter handle Decoded Pixel published a video which suggested that the update had actually made Nokia 9 PureView's fingerprint reader worse. In the video, Decoded Pixel first unlocks his phone using a packet of chewing gum. Then, another person whose fingerprint apparently isn't registered also goes past the scanner successfully.

Did the update really make the fingerprint scanner worse?

The video was retweeted quite a few times and was eventually brought to the attention of Juho Sarvikas who said that his team will investigate the issue. It must be said, however, that a few of the replies under Decoded Pixel's tweet come from people who say that they aren't experiencing the same problems. At the same time, as ZDNet pointed out, other people claim that unregistered fingerprints were able to unlock the phones even before the firmware update. This is bad news because it suggests that the problem is more fundamental and might not be fixable by a software patch.

One thing is certain at the moment – Nokia has put a security mechanism that hasn't been properly tested in a phone that retails for upwards of $600. This is what happens when companies are racing to put the newest piece of technology on the shelves, and they deserve every ounce of criticism for it. Even the harshest comments, however, won't be very helpful for the people who have already splashed out on the device and are now stuck with it.

As things stand, it looks like thanks to the vulnerable reader, anyone might be able to unlock the affected phones, which means that Nokia 9 owners who want to keep their data safe should disable the fingerprint scanner, at least until another software update tries to fix the issue. The device also offers face recognition as an authentication mechanism, but it, like most solutions of this type fitted to Android phones, is neither quick nor very secure. The humble PIN or password, it seems, is your best bet at the moment. Just make sure that it's not easy to guess.

April 24, 2019

Leave a Reply