Apple Fingerprint Hack: A Great Reminder

Apple's hacked fingerprint reader serves as a reminder to enterprise users: Be cautious about which two-factor mechanism you use.
Of course it was just a matter of time before Apple's fingerprint reader was hacked. It's just impressive that the Chaos Computer Club did it quite so quickly. And it's a great reminder that using fingerprints as an authentication mechanism is simply a bad idea, especially in the enterprise.

In the words of the club's spokesman, "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

Exactly. Do-it-yourself fake fingerprint creation has been possible using gelatin since at least 2003, with Play-Doh improvements made in 2005 and glue enhancements later than that.

Why on Earth would we think that fingerprints are a good authentication mechanism?

The counterargument is that the fingerprint is just a part of a two-factor authentication, and it's better to have that than only a 4-digit code. I agree with that strategy, but it can also give users a false sense of security -- fingerprints are either hackable or they're not. And fingerprints are hackable.

[ Before you use any security product, consider the risks and benefits. Read Dropbox File Brouhaha: Use Case Is The Issue. ]

I'm glad for the publicity surrounding Apple's use of fingerprint readers, because my real concern is neither Apple nor the consumer. Most consumers can arguably get away with using a weak second factor for authentication. If your psycho boyfriend looks over your shoulder for your code, then takes your wine glass and creates a fake finger so that he can access your iPhone and see if you are cheating, boo hoo for you -- but I don't really care.

But in the enterprise? That's a much bigger deal. I protect an enterprise where there's not just one psycho boyfriend -- there are really bad guys who systematically are out to get us. I suspect that many of you are in the same boat.

Because of the weak security behind fingerprint authentication, I wince every time I see an enterprise product flaunt its awesomeness in fingerprinty goodness. For example, Panasonic markets Toughbooks with a fingerprint reader to military and law enforcement workers. Lenovo targets the same markets with its ThinkPads. If they were marketing to folks who work in sales, I'm not sure I'd care so much. But we're talking about professions where people shoot at the end user. It's a pretty good guess that such bad guys would go to the trouble to make fake fingerprints.

The trouble with putting a bad second-factor authentication mechanism in place ("Ooh, look! Fingerprint readers on laptops! And smartphones! Isn't that shiny?!") is that it could too easily be used as a single-factor authentication.

Impossible, you say? Nobody responsible for enterprise apps would do that? Well, after 20+ years watching vendors take shortcuts to do dopey things with performance and security with whatever tools they're given (unencrypted passwords in text files, hardcoded admin passwords on apps, sequential record lookup instead of indexed binary search over a WAN link), I can easily believe that if you give a vendor a fingerprint reader, it will end up as a "convenient and secure" single point of authentication without a PIN. OK for a disgruntled boyfriend, maybe, but not so much for the enterprise.
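The failure mode the column describes, a biometric that was meant to be a second factor quietly becoming the only factor, is something an enterprise can check for in its authentication policy. The following is an added example, not code from the column or from any vendor named in it; the factor catalogue and the vendor login paths are constructed for illustration. It classifies authenticators by the usual "know / have / are" categories, refuses to treat a non-replaceable factor (a fingerprint) as sufficient on its own, and audits a list of allowed login paths for exactly the "convenient and secure" fingerprint-only path the column warns about.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something you know"    # PIN, password
    POSSESSION = "something you have"   # smart card, hardware token
    INHERENCE = "something you are"     # fingerprint, face


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    replaceable: bool   # can the user revoke or rotate it if it leaks?


# Constructed catalogue of authenticators (illustrative, not a product list).
PIN = Factor("4-digit PIN", Category.KNOWLEDGE, replaceable=True)
PASSWORD = Factor("password", Category.KNOWLEDGE, replaceable=True)
SMARTCARD = Factor("smart card", Category.POSSESSION, replaceable=True)
FINGERPRINT = Factor("fingerprint", Category.INHERENCE, replaceable=False)


def assess(presented):
    """Return (acceptable, reason) for the factors presented at login.

    Rules applied:
      1. At least two *distinct* categories are required; two passwords
         are still single-factor.
      2. A non-replaceable factor such as a fingerprint never stands
         alone: it only counts next to a factor the user could replace.
    """
    if not presented:
        return False, "no factors presented"
    cats = {f.category for f in presented}
    if len(cats) < 2:
        if all(f.category is Category.INHERENCE for f in presented):
            return False, "biometric used as single factor"
        return False, "single-factor: only %s" % next(iter(cats)).value
    if not any(f.replaceable for f in presented):
        return False, "no replaceable factor present"
    return True, "multi-factor: " + ", ".join(sorted(c.value for c in cats))


def audit_login_paths(paths):
    """Flag every login path a policy allows that fails assess().

    `paths` is the list of factor combinations the product accepts; the
    audit returns (factor names, reason) for each one that is effectively
    single-factor, so a fingerprint-only shortcut is caught before rollout.
    """
    findings = []
    for path in paths:
        ok, reason = assess(path)
        if not ok:
            findings.append((tuple(f.name for f in path), reason))
    return findings


# Constructed example of a vendor configuration: the middle and last paths
# are genuine two-factor logins, the first is the fingerprint-only shortcut.
VENDOR_LOGIN_PATHS = [
    (FINGERPRINT,),
    (FINGERPRINT, PIN),
    (SMARTCARD, PIN),
]

if __name__ == "__main__":
    for names, reason in audit_login_paths(VENDOR_LOGIN_PATHS):
        print("REJECT %-25s %s" % (" + ".join(names), reason))
```

The `replaceable` flag is the property the club's spokesman is pointing at: a PIN or a smart card can be reissued after a compromise, a fingerprint cannot, so the policy never lets the unreplaceable factor carry the login by itself.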

Yes, of course it's about the use case. But the use case isn't ever the enterprise when it comes to fingerprint authentication.

In the same way that no responsible person would recommend a keyed Master lock (which is pickable in 7 seconds with a commercial flosser) to protect anything in an enterprise or a high-security environment, we need to take this latest flap about fingerprint authentication as notice that it simply isn't appropriate for enterprise use -- ever.