
Fingerprints as passwords: New iPhone Touch ID gets mixed security verdict (Updated)

Security of new authenticator won't be clear until hackers play with it.


Of all the new features of Apple's new iPhone 5S, few have drawn more attention than the built-in fingerprint scanner known as Touch ID. Apple billed it as an "innovative way to simply and securely unlock your phone with just the touch of a finger." More breathless accounts were calling it a potential "death knell for passwords" or using similarly overblown phrases.

Until the new phones are in the hands of skilled hackers and security consultants, we won't know for sure if Touch ID represents a step forward from the security and privacy offered by today's iPhones. I spent several hours parsing the limited number of details provided by Apple and speaking to software and security engineers. I found evidence both supporting and undermining the case that the fingerprint readers are an improvement. The thoughts that follow aren't intended to be a final verdict—the proof won't be delivered until we see how the feature works in the real world.

The pros

I'll start with the encouraging evidence. Apple said Touch ID is powered by a laser-cut sapphire crystal and a capacitive touch sensor that is able to take a high-resolution image based on the sub-epidermal layers of a user's skin. While not definitive, this detail suggests Apple engineers may have designed a system that is not susceptible to casual attacks. If the scans probe deeply enough, for instance, Touch ID probably wouldn't be tricked by the type of clones that are generated from smudges pulled off a door knob or computer monitor. In 2008, hackers demonstrated just how easy it was to create such clones when they published more than 4,000 pieces of plastic film containing the fingerprint of a German politician who supported the mandatory collection of citizens' unique physical characteristics. By slipping the foil over their own fingers, critics were able to mimic then-Interior Minister Wolfgang Schäuble's fingerprint when touching certain types of biometric readers.

[Image: A slide detailing the scanner's features from Apple's presentation. Credit: Andrew Cunningham/Ars Technica]

Again, there's reason to believe Touch ID won't be fooled by such techniques. What's more, Rob Graham, CEO of penetration-testing firm Errata Security, said the Apple sensor scans a different region of the finger than those that leave prints on surfaces. "That means while hackers may be able to lift your thumbprint from you holding other objects, or from other parts of the phone itself, they probably can't get the tip print needed to do bad things on your iPhone," he wrote.

Also encouraging is Apple's decision not to store what are almost certainly cryptographic hashes of fingerprints (Apple says they're "encrypted") on servers, including those that run the company's iCloud backup service. Instead, fingerprint data is stored in what Apple describes as a "secure enclave" of the currently undocumented A7 chip. And for the time being, Touch ID is reportedly off limits to third-party apps. Assuming the enclave is truly secure—meaning it contains some sort of trusted platform module designed to store sensitive cryptographic materials—all of this means that Touch ID has been designed to store the information in a way that can't easily be accessed by malware, hackers, and possibly other adversaries such as three-letter government agencies.

Bitweasil, a well-known password and authentication expert who prefers to be identified by his hacker handle, summed things up nicely in an e-mail to Ars.

"It sounds like Apple is doing fingerprint authentication sanely, with a high-end sensor and keeping the data only on the phone (instead of sending it to the cloud)," he wrote. "It's certainly an interesting concept, and it sounds like it's well implemented, but without one to actually play with, I don't have a strong opinion on it other than my usual 'Changing a fingerprint is really hard.'"

The cons

And that brings us to the second half of this analysis, which lists several reasons to be skeptical of the security provided by Apple's new authentication system. As Bitweasil suggests, the first involves the drawbacks of almost all biometric authentication systems. Unlike a password or encryption key, there's no practical way to keep fingerprints, iris patterns, and many other unique physical characteristics secret. Except for the most eccentric of recluses, this information leaks every time we take a train to work, eat at a restaurant, or go to a movie. Relying on a fingerprint as the sole means of authentication—or even as a second factor in authentication—raises the troubling question: what action do I take if someone manages to reverse engineer, appropriate, or otherwise clone a high-fidelity replica of my fingerprint, heartbeat, or iris? Since we're born with only one print for each digit, it's not an option to create a new one as we do when changing a compromised password.

And that brings us to the first potential criticism of Touch ID. In all the coverage I saw of Apple's PR blitz on Tuesday, fingerprints were held up as a substitute for passwords. That means it's probably incorrect to refer to the upcoming iPhone 5S as a "two-factor device." In reality, it's being held out as a phone that allows users to replace one factor—that is, a password, or "something you know"—with another factor—that is, a fingerprint, or "something you are." It remains unclear if users will have the option to unlock their phones only after entering a PIN and producing a valid fingerprint. Adding true two-factor authentication to the iPhone would indeed be something I consider innovative. Given Apple's track record of eliminating clutter from interface menus, I'm not optimistic—although I would be happy to be proven wrong. It would be a missed opportunity for security if Apple doesn't provide this option.

The other potential security drawback of Touch ID stems from its ability to be used to approve purchases from the iTunes, App, and iBooks stores. If Apple is right that fingerprints never leave the device, that means the new iPhones will be sending some sort of authentication token to Apple servers to verify that the end user has produced a valid print. This arrangement leaves some security experts uncomfortable. If attackers figure out a way to capture and replay users' valid tokens, it could lead to new ways for criminals to hijack user accounts.

"The store has to accept a token that says you've been authenticated," Scott Matsumoto, principal consultant at software security consultancy Cigital, told Ars. "How spoofable is that token? There are so many ways you can defeat the client-side authentication with server-side resources. That just makes my stomach turn. That's going to be something I'll have to turn off."

Update: Several readers have commented that there may be other ways for Touch ID to authenticate an iTunes account, including using a fingerprint to unlock an iPhone keychain. This speculation may be right, but depending on how such a print-activated keychain is implemented, it may also open up users to new attacks. Again, until we can test the phone, or Apple fills in key details it has so far declined to provide, there's no way to know for sure.
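To make the token concern above concrete, here is an added example (written for this article, not code from Apple or from any of the people quoted) that models the arrangement the article describes: the phone never sends the fingerprint, only a token asserting that the user authenticated, and the store must decide whether to trust it. It contrasts a naive server that accepts any token with a valid MAC, so a captured token can be replayed indefinitely, with one that binds each token to a one-time server challenge and an expiry window. The per-device secret, the token layout and the 60-second window are assumptions of the example; Apple has not published how Touch ID purchase approval actually works.

```python
"""Replay-resistant purchase authorization token (constructed example).

Assumes a per-device secret shared with the store at enrollment; this is
an assumption for illustration, not Apple's documented design.
"""
import hashlib
import hmac
import secrets
import time


def make_mac(key: bytes, device_id: str, nonce: str, ts: int) -> str:
    """MAC over every field the server will check, so none can be altered."""
    msg = f"{device_id}|{nonce}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Device:
    """Phone side: the biometric match happens locally; only its outcome leaves."""

    def __init__(self, device_id: str, key: bytes, clock=time.time):
        self.device_id, self.key, self.clock = device_id, key, clock

    def authorize_purchase(self, nonce: str, fingerprint_matched: bool):
        if not fingerprint_matched:
            return None                      # no match, no token at all
        ts = int(self.clock())
        return {"device_id": self.device_id, "nonce": nonce, "ts": ts,
                "mac": make_mac(self.key, self.device_id, nonce, ts)}


class NaiveStore:
    """Accepts any token with a valid MAC: a captured token works forever."""

    def __init__(self, device_keys):
        self.device_keys = device_keys       # device_id -> secret (constructed)

    def verify(self, token):
        key = self.device_keys.get(token["device_id"])
        if key is None:
            return False, "unknown device"
        expected = make_mac(key, token["device_id"], token["nonce"], token["ts"])
        if not hmac.compare_digest(expected, token["mac"]):
            return False, "bad mac"
        return True, "ok"


class ChallengeStore(NaiveStore):
    """Adds a one-time server challenge plus an expiry window on top of the MAC."""

    def __init__(self, device_keys, window_s=60, clock=time.time):
        super().__init__(device_keys)
        self.window_s, self.clock = window_s, clock
        self.pending = {}                    # nonce -> (device_id, issued_at)
        self.used = set()                    # nonces already redeemed

    def issue_challenge(self, device_id: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, self.clock())
        return nonce

    def verify(self, token):
        ok, why = super().verify(token)      # MAC must be valid first
        if not ok:
            return ok, why
        nonce = token["nonce"]
        if nonce in self.used:
            return False, "replay"
        issued = self.pending.get(nonce)
        if issued is None or issued[0] != token["device_id"]:
            return False, "unknown or mismatched challenge"
        if self.clock() - issued[1] > self.window_s:
            return False, "expired"
        self.used.add(nonce)
        del self.pending[nonce]
        return True, "ok"


def run_scenario():
    """Walk one purchase through both servers; returns the verdict of each step."""
    keys = {"phone-A": secrets.token_bytes(32)}          # constructed enrollment record
    now = [1_000_000]                                    # controllable clock
    clock = lambda: now[0]
    phone = Device("phone-A", keys["phone-A"], clock)
    naive, strict = NaiveStore(keys), ChallengeStore(keys, window_s=60, clock=clock)
    results = {}

    nonce = strict.issue_challenge("phone-A")
    token = phone.authorize_purchase(nonce, fingerprint_matched=True)
    results["strict_first_use"] = strict.verify(token)[1]
    results["strict_replay"] = strict.verify(token)[1]    # same token again
    results["naive_first_use"] = naive.verify(token)[1]
    results["naive_replay"] = naive.verify(token)[1]      # naive server can't tell

    # Without the device key, a token for a fresh challenge cannot be minted.
    forged = dict(phone.authorize_purchase(strict.issue_challenge("phone-A"), True))
    forged["mac"] = "00" * 32
    results["strict_forged"] = strict.verify(forged)[1]

    # A genuine token presented after the window closes is refused.
    late = phone.authorize_purchase(strict.issue_challenge("phone-A"), True)
    now[0] += 61
    results["strict_expired"] = strict.verify(late)[1]

    results["no_match"] = phone.authorize_purchase(strict.issue_challenge("phone-A"), False)
    return results


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:18s} -> {verdict}")
```

The point of the contrast is that "how spoofable is that token" is mostly a server-side question: once the store tracks which challenges it issued and which it has already redeemed, a copied token is useless after its first use, and a stolen token is useless after the window. None of this changes the article's other concern, that a fingerprint itself cannot be rotated if the sensor is defeated.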

[Image: Construction of the fingerprint sensor. Credit: Andrew Cunningham/Ars Technica]

You may not have the right to remain silent

There's also uncertainty about the legal differences between unlocking a device using a password and using a fingerprint to do the same thing. At the moment, at least some courts have supported the argument that compelling a criminal defendant to surrender a PIN or password is unconstitutional because it violates the Fifth Amendment right not to testify against oneself. Legal experts I contacted were mixed on whether that right extends to fingerprints. That means users who turn on Touch ID—at least if it doesn't give them the option of using a PIN and a print to authenticate—may be exposing themselves to greater legal risk in some cases.

The last risk stems from other sorts of "replay" attacks that Touch ID may be vulnerable to. As I said earlier, the sub-epidermal, high-resolution image scans will probably prevent people from pulling a fingerprint smudge off a surface and using it to unlock the device, but this is by no means certain. Until hackers and security professionals get their hands and, yes, fingers, on the new devices, there are no guarantees that this is the case. Customers can only hope Apple engineers designed this scanning sensor securely. The ability to pull a print off a stolen iPhone and use it to gain full access to the owner's device could spur a whole new wave of iPhone thefts.

Security guinea pigs

For the time being, it makes sense to view Touch ID as an interesting experiment in the usability and security of fingerprint authentication. Now that it has come to the iPhone, similar capabilities will inevitably be added to competing devices, opening new doors to hackers. Individual users deciding whether to turn it on will want to assess the potential benefits and risks of the technology, though in the beginning at least, there won't be much real-world data to guide their decision.

"As the fingerprint technology becomes more ubiquitous, it will be used in other places besides just iPhones," Kris Borer, CTO of KeyMe, a firm that uses fingerprints in key duplication kiosks, told Ars. "So biometric information is not necessarily secure just because it's secure on your phone. As people try these new technologies, we're going to learn what works and what doesn't. It's never really possible to say what's going to happen in the long run."

Update 2: After this article was published, The Wall Street Journal posted a story providing a few details not previously available. Specifically:

An Apple spokesman pointed to other security features the company has added to the phone. Apple customers who wish to use Touch ID also have to create a passcode as a backup. Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn't been unlocked for 48 hours. This feature is meant to block hackers from stalling for time as they try to find a way to circumvent the fingerprint scanner.

The requirement to enter a PIN to unlock a rebooted or long-dormant iPhone doesn't change any of the analysis above. Still, it suggests Apple engineers put a lot of time and effort trying to balance ease of use and security. It will be interesting to learn more about the way Touch ID has been implemented.
