Apple iOS Fingerprint Scanner Has Security Limits

Thumb-scan authentication for your smartphone might sound sexy, but bypasses remain all too easy.

Mathew J. Schwartz, Contributor

July 31, 2013

5 Min Read
InformationWeek logo in a gray background | InformationWeek

10 Hidden iPhone Tips, Tricks

10 Hidden iPhone Tips, Tricks


10 Hidden iPhone Tips, Tricks (click image for larger view)

Apple aficionados: Don't count on fingerprint scanners built into future iOS devices to make you more secure. That's because such scans won't meaningfully improve real-world access security, or create a disincentive strong enough to counter the rising number of smartphone-centered muggings, also known as "Apple picking."

The news that future iOS devices -- the iPhone, iPad and iPod Touch -- may have a fingerprint scanner built into their physical "home" button broke earlier this week, after London-based developer Hamza Sood (whose name may be a pseudonym) tweeted that he'd found a description of the feature in the accessibility settings of iOS7 beta 4.

For iOS watchers, such a move wouldn't be surprising, especially since 12 months ago, Apple paid $356 million for AuthenTec, which manufactures fingerprint readers. Adding them to an iPhone is an obvious next step.

Such a fingerprint reader, if enabled by users, could definitely make life more convenient by freeing users to not have to enter the four-digit passcode (that some subset of iOS users have enabled) or a complex alphanumeric passphrase (which an even smaller number of people employ).

[ Is there a better way? See Passwords Should Die, Campaign Urges. ]

That's because entering a passcode or passphrase on a smartphone is a usability chore. Blame small screen size and the absence of tactile feedback, which make it all too easy to "fat-finger" a virtual keyboard, especially when entering long passphrases.

Fingerprint scans, obviously, could eliminate the need to enter a complex password, arguably without compromising access security. One crucial related success factor, however, will be speed. If the average user employs a four-digit iPhone passcode and can enter it in less than a second, then the new biometric feature will need to be faster. Otherwise, the majority of users will stick with a faster option, which for many continues to involve no passcode at all.

From a hardware standpoint, making a fingerprint scanner small enough and fast enough to meet that requirement will be a challenge. Notably, less expensive fingerprint scanners tend to involve swiping a sensor, which serves the dual purpose of also keeping the sensor clean. But Apple's description of the feature describes a user "touching the home button with their thumb," and such technology is trickier to package in an iPhone form factor. "Full-finger scanners are more expensive as they must have the necessary resolution to scan your entire finger in one go," noted ExtremeTech, "and they also have a tendency to get crudded up, because you're not constantly cleaning them with a swiping action."

Apple isn't the first smartphone manufacturer to head down the fingerprint-scanning path. Since 2011, Atrix smartphones from Motorola -- now owned by Google -- have included a fingerprint scanner in the power/lock button. But the devices also require users to set a recovery PIN, which highlights how enterprising attackers might simply attempt to crack that, instead of trying to fool with fingerprints.

Furthermore, the technology -- unless packaged in dedicated, standalone devices like the eyeball and fingerprint scanners used in some airports -- remains unproven. "Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods" in non-dedicated, mass-produced devices, says SMS authentication pioneer Andy Kemshall, technical director at SecurEnvoy, via email. "The technology simply isn't sophisticated enough." Even if the scanning-speed challenge does get addressed in smartphones, the authentication technique is no risk-prevention panacea. "Security is always a cat and mouse game," says Brendon Wilson, director of product management at Nok Nok Labs, via email. "Add fingerprint sensors, and attackers will now attempt to figure out how to steal fingerprints off surfaces, off devices, or how to have malware attack the underlying hardware to steal credentials. It would be a mistake to think fingerprint scanning is the final word in authentication."

On the other hand, a fingerprint scanner could prove useful for so-called adaptive authentication, such as when using a smartphone to conduct online banking. For example, the FIDO Alliance -- of which Nok Nok Labs is a member -- is building an open standard to let websites authenticate people using whatever is at hand: passwords, PINs, security questions or a biometric fingerprint scanner built into a smartphone. Accessing a banking statement might require a password. But for transferring money, a thumb scan -- or else three security questions -- might also be required.

Despite their usefulness in such adaptive-authentication scenarios, thumb scans won't solve iPhone users' most pressing security concern: the physical theft of their device. Britain, for example, last year recorded an 8% increase in smartphone-related robberies, counting over 100,000 such thefts in 2012.

Hence the next big security payoff for a user of iOS -- or any other smartphone -- will come from adding a "kill switch" to remotely disable and track stolen devices. On that front, Apple has said that iOS7, due out this fall, will include a feature that can be used to remotely deactivate a stolen phone via an "activation lock," as well as to prevent data on the phone -- or a custom "please return this phone to its rightful owner" message -- from being deleted, unless the correct activation username and password get entered. That will hold even if the SIM card gets removed.

While such features might not seem as sexy as using your thumb to unlock an iPhone, in terms of real-world security, the biggest near-term security wins -- for the security of both the physical device and the information it stores -- will come from adding tough-to-defeat recovery features.

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights