Apple Fingerprint Hack: A Great Reminder

Apple's hacked fingerprint reader serves as a reminder to enterprise users: Be cautious about which two-factor mechanism you use.

Of course it was just a matter of time before Apple's fingerprint reader was hacked. It's just impressive that the Chaos Computer Club did it quite so quickly. And it's a great reminder that using fingerprints as an authentication mechanism is simply a bad idea, especially in the enterprise.

In the words of the club's spokesman, "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

Exactly. Do-it-yourself fake fingerprint creation has been possible using gelatin since at least 2003, with Play-Doh improvements made in 2005 and glue enhancements later than that.

Why on Earth would we think that fingerprints are a good authentication mechanism?

The counterargument is that the fingerprint is just a part of a two-factor authentication, and it's better to have that than only a 4-digit code. I agree with that strategy, but it can also give users a false sense of security -- fingerprints are either hackable or they're not. And fingerprints are hackable.

[ Before you use any security product, consider the risks and benefits. Read Dropbox File Brouhaha: Use Case Is The Issue. ]

I'm glad for the publicity surrounding Apple's use of fingerprint readers, because my real concern is neither Apple nor the consumer. Most consumers can arguably get away with using a weak second factor for authentication. If your psycho boyfriend looks over your shoulder for your code, then takes your wine glass and creates a fake finger so that he can access your iPhone and see if you are cheating, boo hoo for you -- but I don't really care.

But in the enterprise? That's a much bigger deal. I protect an enterprise where there's not just one psycho boyfriend -- there are really bad guys who systematically are out to get us. I suspect that many of you are in the same boat.

Because of the weak security behind fingerprint authentication, I wince every time I see an enterprise product flaunt its awesomeness in fingerprinty goodness. For example, Panasonic markets Toughbooks with a fingerprint reader to military and law enforcement workers. Lenovo targets the same markets with its ThinkPads. If they were marketing to folks who work in sales, I'm not sure I'd care so much. But we're talking about professions where people shoot at the end user. It's a pretty good guess that such bad guys would go to the trouble to make fake fingerprints.

The trouble with putting a bad second-factor authentication mechanism in place ("Ooh, look! Fingerprint readers on laptops! And smartphones! Isn't that shiny?!") is that it could too easily be used as a single-factor authentication.

Impossible, you say? Nobody responsible for enterprise apps would do that? Well, after 20+ years watching vendors take shortcuts to do dopey things with performance and security with whatever tools they're given (unencrypted passwords in text files, hardcoded admin passwords on apps, sequential record lookup instead of indexed binary search over a WAN link), I can easily believe that if you give a vendor a fingerprint reader, it will end up as a "convenient and secure" single point of authentication without a PIN. OK for a disgruntled boyfriend, maybe, but not so much for the enterprise.
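The failure mode the column describes (a biometric shipped as the only gate, with the PIN optional) can be made concrete as a policy check. The following is an added example, not code from the column, from Apple, or from any vendor named here: the factor names and the two policy functions are constructed for illustration. The "convenience" policy accepts a fingerprint alone; the "enterprise" policy requires two distinct factor categories and at least one revocable factor, so a fingerprint can strengthen a PIN or token but never replace one.

```python
"""Added example (not from the column): an authentication policy check that
refuses to let a biometric stand alone as the only factor."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple


class FactorKind(Enum):
    """The three classic factor categories."""
    KNOWLEDGE = "something you know"    # PIN, password
    POSSESSION = "something you have"   # prox card, OTP token
    INHERENCE = "something you are"     # fingerprint, face


@dataclass(frozen=True)
class Factor:
    name: str
    kind: FactorKind
    # Can the user replace this credential after it leaks? A PIN can be
    # changed; a fingerprint cannot (the column's central objection).
    revocable: bool


# Constructed sample credentials (hypothetical names, not a real product API).
FINGERPRINT = Factor("fingerprint", FactorKind.INHERENCE, revocable=False)
FACE = Factor("face", FactorKind.INHERENCE, revocable=False)
PIN = Factor("pin", FactorKind.KNOWLEDGE, revocable=True)
PROX_CARD = Factor("prox-card", FactorKind.POSSESSION, revocable=True)
OTP = Factor("otp", FactorKind.POSSESSION, revocable=True)


def convenience_policy(presented: Iterable[Factor]) -> Tuple[bool, str]:
    """The shortcut the column warns about: the fingerprint alone unlocks
    the app and no second factor is ever asked for."""
    if FINGERPRINT in set(presented):
        return True, "fingerprint matched (no second factor required)"
    return False, "fingerprint required"


def enterprise_policy(presented: Iterable[Factor],
                      min_kinds: int = 2) -> Tuple[bool, str]:
    """Grant access only when at least `min_kinds` distinct factor categories
    are presented and at least one of them is revocable. Two biometrics
    (fingerprint + face) therefore do not count as two factors."""
    factors = set(presented)
    kinds = {f.kind for f in factors}
    if len(kinds) < min_kinds:
        names = sorted(k.name for k in kinds)
        return False, f"need {min_kinds} factor categories, got {len(kinds)}: {names}"
    if not any(f.revocable for f in factors):
        return False, "no revocable factor presented (biometrics only)"
    return True, "ok: " + ", ".join(sorted(f.name for f in factors))


if __name__ == "__main__":
    for label, presented in [
        ("fingerprint only", {FINGERPRINT}),
        ("fingerprint + face", {FINGERPRINT, FACE}),
        ("fingerprint + PIN", {FINGERPRINT, PIN}),
        ("prox card + PIN", {PROX_CARD, PIN}),
    ]:
        print(f"{label:20s} convenience={convenience_policy(presented)[0]!s:5s} "
              f"enterprise={enterprise_policy(presented)}")
```

The `revocable` flag is the part worth copying into a real policy: it encodes the club spokesman's point that a token you cannot change should never be the only thing standing between an attacker and the account.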

Yes, of course it's about the use case. But the use case isn't ever the enterprise when it comes to fingerprint authentication.

In the same way that no responsible person would recommend a keyed Master lock (which is pickable in 7 seconds with a commercial flosser) to protect anything in an enterprise or a high-security environment, we need to take this latest flap about fingerprint authentication as notice that it simply isn't appropriate for enterprise use -- ever.

User Rank: Strategist
9/27/2013 | 1:24:46 PM
re: Apple Fingerprint Hack: A Great Reminder
Apple has just patched the passcode hack with the newly released iOS 7.0.2 update; read the info at
User Rank: Author
9/26/2013 | 4:56:43 PM
re: Apple Fingerprint Hack: A Great Reminder
Thanks for clarifying, Jonathan. Your point is well taken. Dropbox doesn't advocate you do stupid things with its service, but some enterprise users do. Apple iPhones in enough pockets makes things happen.
User Rank: Apprentice
9/26/2013 | 1:27:16 AM
re: Apple Fingerprint Hack: A Great Reminder
I guess it depends on how much the data/access is worth and the values of the black hats trying to get it. In some parts of the world it is easier to hack off a finger for a $100 prize. (Or pop out an eyeball for retinal scans.) The fake fingerprint thing has been around for over 20 years and appears in popular culture (movies, YouTube how-tos, etc.). The Chaos Computer Club is noted for rooting iPhones; apparently the iPhone 5 has already been rooted, but I believe it was a different group.

Most mobile device user level security can be hacked through root level access but most wireless devices have telco controlled security in Firmware (I used to wipe phones etc. thru a telco).
User Rank: Ninja
9/25/2013 | 8:29:12 PM
re: Apple Fingerprint Hack: A Great Reminder
Laurie, to be fair, Apple hasn't advocated fingerprint reading as an enterprise method. I just worry that someone will. The usual suspects like prox cards and one time passwords still work well as 2FA, in addition to normal auth.
User Rank: Author
9/24/2013 | 11:57:27 PM
re: Apple Fingerprint Hack: A Great Reminder
The good news in this is that the public may actually pay more attention to what does constitute reasonable methods for authentication on mobile devices.
User Rank: Apprentice
9/24/2013 | 7:20:45 PM
re: Apple Fingerprint Hack: A Great Reminder
On Android you can set a requirement where you have to blink for the facial recognition to work; it's not perfect, but it works most of the time. Not sure if iOS has something similar, also not sure if a GIF of someone blinking would allow access to the device.
User Rank: Ninja
9/24/2013 | 6:50:01 PM
re: Apple Fingerprint Hack: A Great Reminder
I could be wrong, but I think face recognition is easier to break than fingerprints. I mean, you just need a picture - I can take one on my phone and use it on yours.
Anyone know if that is true?
User Rank: Apprentice
9/24/2013 | 4:55:00 PM
re: Apple Fingerprint Hack: A Great Reminder
I'd like to see three factor authentication. If I remember correctly, it's what you have, who you are and what you know.
I believe all three can be delivered by the iPhone.
What you have (fingerprint),
who you are (face recognition),
what you know (PIN).
They could deliver 3 levels of secure transactions.
Level 3, Fingerprint.
Level 2, Fingerprint + PIN.
Level 1, Fingerprint + PIN + Face recognition.
Level 3 lets you use your phone,
Level 2 could be used for all site logins,
Level 3 would be for all high level authorization and financial transactions.
I see nothing standing in the way of making this a reality.
No more passwords and you can change your PIN anytime. MUCH easier remembering a PIN than all those passwords and answers to security questions. I believe this is their ultimate plan. We'll see how it all plays out.
User Rank: Author
9/24/2013 | 4:37:25 PM
re: Apple Fingerprint Hack: A Great Reminder
So Jonathan, what would you have advocated that Apple offer to enterprise users as an alternative for two-factor?
User Rank: Ninja
9/24/2013 | 4:27:13 PM
re: Apple Fingerprint Hack: A Great Reminder
I must admit, I'm really skeptical about this argument. Functionally, I think it's a lot easier to surreptitiously see what code I'm repeatedly putting into my phone all day than it would be to make a latex replica of my finger. And when we're talking about mobile phones, we really don't have a great way of doing multi-factor authentication unless we can bring two quite different things together.

Ultimately, having both TouchID and a passcode would be quite secure from a practical standpoint. Theoretically, perhaps not, but I'm a practitioner, not an academic.

Oh, and I did get a 5S last Friday, and I can say that from a usability standpoint, TouchID is excellent.