Apple's hacked fingerprint reader serves as a reminder to enterprise users: Be cautious about which two-factor mechanism you use.

Jonathan Feldman, CIO, City of Asheville, NC

September 23, 2013


Of course it was just a matter of time before Apple's fingerprint reader was hacked. It's just impressive that the Chaos Computer Club did it quite so quickly. And it's a great reminder that using fingerprints as an authentication mechanism is simply a bad idea, especially in the enterprise.

In the words of the club's spokesman, "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

Exactly. Do-it-yourself fake fingerprint creation has been possible using gelatin since at least 2003, with Play-Doh improvements made in 2005 and glue enhancements later than that.

Why on Earth would we think that fingerprints are a good authentication mechanism?

The counterargument is that the fingerprint is just a part of a two-factor authentication, and it's better to have that than only a 4-digit code. I agree with that strategy, but it can also give users a false sense of security -- fingerprints are either hackable or they're not. And fingerprints are hackable.

[ Before you use any security product, consider the risks and benefits. Read Dropbox File Brouhaha: Use Case Is The Issue. ]

I'm glad for the publicity surrounding Apple's use of fingerprint readers, because my real concern is neither Apple nor the consumer. Most consumers can arguably get away with using a weak second factor for authentication. If your psycho boyfriend looks over your shoulder for your code, then takes your wine glass and creates a fake finger so that he can access your iPhone and see if you are cheating, boo hoo for you -- but I don't really care.

But in the enterprise? That's a much bigger deal. I protect an enterprise where there's not just one psycho boyfriend -- there are really bad guys who systematically are out to get us. I suspect that many of you are in the same boat.

Because of the weak security behind fingerprint authentication, I wince every time I see an enterprise product flaunt its awesomeness in fingerprinty goodness. For example, Panasonic markets Toughbooks with a fingerprint reader to military and law enforcement workers. Lenovo targets the same markets with its ThinkPads. If they were marketing to folks who work in sales, I'm not sure I'd care so much. But we're talking about professions where people shoot at the end user. It's a pretty good guess that such bad guys would go to the trouble to make fake fingerprints.


The trouble with putting a bad second-factor authentication mechanism in place ("Ooh, look! Fingerprint readers on laptops! And smartphones! Isn't that shiny?!") is that it could too easily be used as a single-factor authentication.

Impossible, you say? Nobody responsible for enterprise apps would do that? Well, after 20+ years watching vendors take shortcuts to do dopey things with performance and security with whatever tools they're given (unencrypted passwords in text files, hardcoded admin passwords on apps, sequential record lookup instead of indexed binary search over a WAN link), I can easily believe that if you give a vendor a fingerprint reader, it will end up as a "convenient and secure" single point of authentication without a PIN. OK for a disgruntled boyfriend, maybe, but not so much for the enterprise.
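The failure mode described above, a biometric quietly becoming the only factor, is a policy decision that can be enforced in code. The following is an added example, not from the column or any vendor product; the factor classes, records and decision logic are constructed for illustration.

```python
"""Added example (not from the column): a minimal access policy that refuses to
let a biometric stand alone as the only factor, the misuse the column warns
about, and that records which factor kinds can be replaced after compromise.
All factor names and records are constructed."""
from dataclasses import dataclass
from enum import Enum


class FactorKind(Enum):
    KNOWLEDGE = "knowledge"    # PIN, password: can be changed after exposure
    POSSESSION = "possession"  # hardware token, phone: can be re-issued
    INHERENCE = "inherence"    # fingerprint: cannot be changed once copied


@dataclass
class Factor:
    kind: FactorKind
    verified: bool


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(factors: list[Factor]) -> Decision:
    """Grant access only when at least two distinct factor kinds were verified.
    A fingerprint match on its own is rejected outright, even if the reader
    is the only mechanism the application bothered to wire up."""
    verified_kinds = {f.kind for f in factors if f.verified}
    if not verified_kinds:
        return Decision(False, "no factor verified")
    if verified_kinds == {FactorKind.INHERENCE}:
        # The single-factor shortcut the column describes: reader, no PIN.
        return Decision(False, "biometric alone is not an acceptable sole factor")
    if len(verified_kinds) < 2:
        # Two PIN entries are still one kind of factor, not two factors.
        return Decision(False, "two distinct factor kinds required")
    return Decision(True, "two-factor requirement satisfied")


def rotatable(kind: FactorKind) -> bool:
    """Whether a compromised factor of this kind can be replaced with a new one.
    A leaked PIN is reset; a copied fingerprint is copied for life."""
    return kind is not FactorKind.INHERENCE
```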

Yes, of course it's about the use case. But the use case isn't ever the enterprise when it comes to fingerprint authentication.

In the same way that no responsible person would recommend a keyed Master lock (which is pickable in 7 seconds with a commercial flosser) to protect anything in an enterprise or a high-security environment, we need to take this latest flap about fingerprint authentication as notice that it simply isn't appropriate for enterprise use -- ever.

About the Author(s)

Jonathan Feldman

CIO, City of Asheville, NC

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human resources management. Asheville is a rapidly growing and popular city; it has been named a Fodor top travel destination, and is the site of many new breweries, including New Belgium's east coast expansion. During Jonathan's leadership, the City has been recognized nationally and internationally (including the International Economic Development Council New Media, Government Innovation Grant, and the GMIS Best Practices awards) for improving services to citizens and reducing expenses through new practices and technology. He is active in the IT, startup and open data communities, was named a "Top 100 CIO to follow" by the Huffington Post, and is a co-author of Code For America's book, Beyond Transparency. Learn more about Jonathan at Feldman.org.
