Within minutes of the iPhone 5s's reveal last week at Apple's headquarters, the Internet was all abuzz with talk about the handset's integrated fingerprint scanner. Digital fingerprint technology isn't anything new (and has even been incorporated onto smartphones before) though for the majority of people it will seem terribly futuristic and exciting. But will it keep you safer?
First, a quick recap: the iPhone 5s is the more expensive of the two phones introduced this year. The Touch ID fingerprint scanner is integrated into the device's home button, meaning that most iPhone users won't have to change their habits to use it.
Apple has made it emphatically clear that Touch ID information will be encrypted and stored only on the iPhone. Fingerprint data will not be stored on iCloud, and will not be shared with any other applications. What's more, Touch ID is only being used to unlock the iPhone or to authenticate iTunes and App Store purchases.
What's So Great About Fingerprints?
For the limited capabilities Apple has assigned to Touch ID so far, it's a matter of convenience. An astonishing 50 percent of iPhone users don't use a passcode at all, giving a thief or attacker access to everything on these unsecured devices. Touch ID is designed to be so seamless that even these lazy louts would use it.
iPhones also only require a four-digit passcode by default, which can be easily observed or guessed with a little persistence. Touch ID means that nobody, not even someone looking over your shoulder, could login to your iPhone as you.
Outside of the iPhone, fingerprints are valuable for identification because they're unique to every individual and provide a "live test." When you scan your fingerprint, the authentication system can confirm who you are, and that you are physically present. Passwords, on the other hand, can be sent from anywhere, by anybody.
Are Fingerprints Really Secure?
As long as there have been people, there have been fingerprints, and for nearly as long we've been using fingerprints as a form of identification.
Despite this, digital fingerprint scanners have never achieved widespread acceptance by the consumer electronics using populace, but they've been of great interest to hackers and security researchers for years. So much so that just about every way to beat a fingerprint reader has been thought up.
In a blog post, Lumension security analyst Paul Henry pointed out that fingerprints are pretty easy to snatch. "We leave them quite literally everywhere and at a minimum, they're all over the phone," he wrote. He also writes that a good fingerprint reader looks at other factors besides the appearance of a fingerprint, like pulse and temperature.
We don't yet know exactly what Touch ID analyzes, but it appears to have some anti-spoofing feaures. During the iPhone 5s/c event, Phil Schiller said that Touch ID sensor looks "through" the outer layers of skin to the "inner, live layer." Also, Touch ID uses a capacitive sensor in the steel ring around the home button, so only materials of a certain conductivity will even register.
Will the iPhone 5s Touch ID Fingerprint Scanner Make You More Secure?
"A few years ago a company developed a mouse with an optical fingerprint scanner," wrote Henry, giving an example of a poorly designed scanner. "If I breathed on the scanner to fog it up, it would recognize the fingerprint the previous user left behind and authenticate me."
The security company Lookout had similar warnings about Touch ID. "While we can expect the fingerprint scanner in Apple's latest device to use the most advanced defenses to protect against [a spoofing] attack, it's good to keep in mind that this technology has been circumvented before and is likely to be challenged again."
Will It Actually Work?
Part of the reason why fingerprint scanners—indeed, biometrics in general—have remained unpopular is that they are frequently unreliable. Just last week I tried to use the fingerprint scanner in my ThinkPad, only to discover that it required 3-5 swipes per authentication, and only successfully identified me slightly more than half the time.
A big problem with fingerprint readers is that many will be confused by the orientation of your digit. Turn your finger just slightly and they can't verify it's you. In their announcement, Apple claimed that Touch ID could image any finger in any orientation. We'll have to see how well it actually works with millions of users.
Apple has already fessed up to some issues with Touch ID. They told the Wall Street Journal that sweaty, greasy, or wet fingers were probably not going to work. "It also has trouble reading some fingers, the spokesman said, possibly including ones scarred by accidents or surgery," wrote the WSJ.
Fingerprints Are Not An Island
Security researchers abhor silver bullets; they much prefer layers of solutions rather than one magic fix-all. Two-factor authentication, for instance, requires two different ways to identify a person, making it harder (though still possible) to trick.
Just about every expert commentator has made it clear that fingerprints alone aren't much better than passwords. They are more convenient, but they're still vulnerable. It's better to combine biometrics with a second form of authentication—like a password—for maximum security.
In reality, Apple isn't actually replacing passwords with Touch ID. When making an iTunes purchase, for instance, you can either enter your password or use Touch ID. Even unlocking your phone won't be entirely finger-print based. Apple told the WSJ that "Only [a backup] passcode (not a finger) can unlock the phone if the phone is rebooted or hasn't been unlocked for 48 hours."
There's also the issue of how the iPhone 5s will store fingerprint information. Apple told the WSJ that Touch ID wouldn't store images of your fingerprint, but rather "fingerprint data." Hopefully, this will make it much harder to reverse engineer your actual fingerprints from the data onboard the iPhone.
Good Enough For Now
There are still a lot of unanswered questions about how Apple will store, secure, and use fingerprint information. We just won't know those answers until after researchers get their hands on the iPhone 5s and pick apart its innards.
Until then, it's important to keep perspective. Touch ID isn't being used to secure your data, authorize bank transactions, and so on. It's made to be convenient to users and annoying for thieves. If this can get the staggering 50 percent of iPhone users that don't lock their phones to change their ways, then it's a good thing.
It's the potential that has security experts excited, and nervous. The idea that a popular, industry-leading device will have biometric authentication built right in has the potential to change everything—from how we buy things, to how we use the Internet, to how we interact with appliances. There's been a need for a strong, secondary form of authentication to complement existing systems, and biometric-reading smartphones might just be the ticket.
We're not there yet, and Apple isn't letting anyone know about their future plans for Touch ID. But the experts agree: if we want to do more with fingerprint scanning, Apple is going to have to up its security game even further.
Apple Fan?
Sign up for our Weekly Apple Brief for the latest news, reviews, tips, and more delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
