August and Yale locks are solidly positioned as top sellers in the smart lock market. We recently awardedour Editors’ Choice award for its updated styling and independence from the company’s Connect module. On Tuesday, August announced security changes that add biometrics to your smart lock app experience.
Biometrics and hidden codes
Yale and August, both owned by Swedish company Assa Abloy, are calling the feature Secure Remote Access. It uses the built-in authentication tools on your mobile phone, namely your fingerprint or facial recognition profile. With Secure Remote Access enabled, you’ll be able to use those biometric identifiers to remotely lock or unlock your door from your smartphone. If your mobile device doesn’t read biometrics, you can enable this feature, and the app will prompt you to use your phone’s PIN code.
Currently, this update only applies to actions requested over Wi-Fi or mobile data. Bluetooth won’t prompt biometric verification. That also means it will only work for users with an August Wi-Fi Smart Lock or other August or Yale lock connected to Wi-Fi via the August Connect Wi-Fi Bridge. Secure Remote Access isn’t automatically enabled or mandatory. You’ll need to opt in for functionality.
August is also adding a new Hide Entry Codes features to the app, so users will only be able to view codes after passing initial authentication.
Fingerprints and facial recognition are under near-constant scrutiny from security and technology experts. We’ve seen issues surrounding security cameras, mobile phones and more since biometrics made its way to mainstream smart devices.
SimpliSafe’s smart lock is about as easy to install as it gets
How secure is using biometrics?
This announcement comes on the heels ofstating that in setup mode, Android apps and August Connect devices could let hackers intercept your Wi-Fi network credentials. August has since refuted parts of that report and is working to correct the issue.
Ted Harrington, author of Hackable: How to Do Application Security Right and executive partner at Independent Security Evaluators, describes the biometric data exchange between third-party apps and phones like this. When you use a third-party app like August Home or Yale Access, it asks your phone to verify authentication. Your phone then takes over, popping up the tile that asks for your fingerprint or face. Once the phone verifies your identity, it tells the third party app that it is safe to log you in.
“In most cases, it’s usually much better to use biometrics than passwords,” Harrington says. “Because it’s super convenient, it means people will add security where they might otherwise avoid it. Think about how many people you know who never put passcodes on their phones, until thumbprint readers came out, and now they all use it.”
Harrington also highlighted three ways hackers compromise apps. Here’s a quick outline:
Abuse functionality: When an attacker uses an app’s functionality in an attack against itself.
Example: Think of this like a vending machine. It has a way to ingest bills but not a way to prevent you taking them back out. So if someone attached dental floss to a dollar bill and could pull it back out, that would be abusing the bill receptor functionality.
Chain exploits: When an attacker combines two or more vulnerabilities which, taken together, compromise the system even if they might not independently.
Example: Think of this like two kids on a trampoline. Each kid can only jump so high, but if they time their jump so one kid launches as the other kid lands, it sends that kid way higher than he could go alone. Same idea.
Exploit the unknown unknowns: When attackers find novel versions of common vulnerability classes, exploit vulnerabilities in the supply chain or discover new attack methods. This is the pinnacle of both attacking and security testing.
“The centerpiece of authentication is your phone, which means either Google or Apple in most cases,” Harrington says. “Those companies invest tremendously in their security, where third-party apps might not. They’re certainly not invincible — nothing is ‘unhackable’ — but the way these biometric authentication models work is pretty good.”
While it might make some users nervous to tie in their biometric data to yet another app, adding more authentication to your accounts and devices is generally a good idea. It’s also important to keep your software and firmware up to date on all devices, create complex passwords and change them regularly.