Apple iOS Fingerprint Scanner Has Security Limits - InformationWeek
02:25 PM

Apple iOS Fingerprint Scanner Has Security Limits

Thumb-scan authentication for your smartphone might sound sexy, but bypasses remain all too easy.

Even if the scanning-speed challenge does get addressed in smartphones, the authentication technique is no risk-prevention panacea. "Security is always a cat and mouse game," says Brendon Wilson, director of product management at Nok Nok Labs, via email. "Add fingerprint sensors, and attackers will now attempt to figure out how to steal fingerprints off surfaces, off devices, or how to have malware attack the underlying hardware to steal credentials. It would be a mistake to think fingerprint scanning is the final word in authentication."

On the other hand, a fingerprint scanner could prove useful for so-called adaptive authentication, such as when using a smartphone to conduct online banking. For example, the FIDO Alliance -- of which Nok Nok Labs is a member -- is building an open standard to let websites authenticate people using whatever is at hand: passwords, PINs, security questions or a biometric fingerprint scanner built into a smartphone. Accessing a banking statement might require a password. But for transferring money, a thumb scan -- or else three security questions -- might also be required.

Despite their usefulness in such adaptive-authentication scenarios, thumb scans won't solve iPhone users' most pressing security concern: the physical theft of their device. Britain, for example, last year recorded an 8% increase in smartphone-related robberies, counting over 100,000 such thefts in 2012.

Hence the next big security payoff for a user of iOS -- or any other smartphone -- will come from adding a "kill switch" to remotely disable and track stolen devices. On that front, Apple has said that iOS7, due out this fall, will include a feature that can be used to remotely deactivate a stolen phone via an "activation lock," as well as to prevent data on the phone -- or a custom "please return this phone to its rightful owner" message -- from being deleted, unless the correct activation username and password get entered. That will hold even if the SIM card gets removed.

While such features might not seem as sexy as using your thumb to unlock an iPhone, in terms of real-world security, the biggest near-term security wins -- for the security of both the physical device and the information it stores -- will come from adding tough-to-defeat recovery features.

2 of 2
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
8/1/2013 | 3:01:17 PM
re: Apple iOS Fingerprint Scanner Has Security Limits
This is a tough one to call. The sensor seems more sophisticated that what I've been seeing previously, even including Authentec's earlier versions for other companies.

The point with this is not just speed, but not needing to remember the number, which might seem easy, as it's only four numbers. But people do sometimes forget, or, as you pointed out, hit the wrong key, sometimes, several times in a row, particularly when in a hurry.

This should be more secure than a four digit pin. And, it's more for the casual thief, who won't want to bother figuring out a way around it. Removing a fingerprint from the phone may not work well anyway.

I would just prefer they used a forefinger instead, as that's how we tap our phones normally, but perhaps we'll get the choice as to which finger to use. I don't know how it could tell anyway.
Cjaer Wilson
Cjaer Wilson,
User Rank: Apprentice
8/1/2013 | 6:47:07 PM
re: Apple iOS Fingerprint Scanner Has Security Limits
If one were to pick up their iPhone and look at it directly from a power save (screen dimmed mode) the first thing that needs to be done is depressing either the home button or power button. I'm not privy to the ultimate design, however it's pretty easy to see how depressing the home button could generate an near instant read, index and compare. I don't attempt to do it in a hurry, but for me to press to wake, swipe and then password is more like four seconds, and as melgross points out some of us occasionally miss-key which adds to more delay.

Another obvious potential use is as a hands-nearly-free authentication. A vehicle driver who stops at a light can easily grab a phone and press the home button with a thumb by touch, then use the hands free mechanisms to give voice commands and audio response for the rest of their needs (call/directions).

Finally, and most importantly to me, is the extra security layer allows for a much more secure NFC or other location based transactions. I hate carrying credit cards with my phone, the phone should be able to replace those cards.

Yes, the security could be bypassed. However compared to the current state it's a radical improvement (assuming the inclusion of credit card replacement). If someone finds my credit card they can use it until I cancel it. If someone finds my phone they are going to have to dust it for finger prints and then generate a dummy that the reader would accept. I wouldn't want it to be the security protocol for a nuclear launch, but it's enough of a pain that your average subway iPhone thief is not likely to achieve success. Apple is also large enough to get payment processors on board.

As to the wipe issue, all one has to do is slide your thumb off after the read. Sometimes we over think things.
User Rank: Ninja
8/1/2013 | 10:55:38 PM
re: Apple iOS Fingerprint Scanner Has Security Limits
In thinking about this some more, I realized something. From looking at the patents, it appears that this is capacitive in nature. The ridges of the fingers will generate a pattern of capacitance, which is what's being read. If this is the case, no fingerprint pattern will work if it isn't from a real finger, perhaps only a live finger.
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll