Apple iOS Fingerprint Scanner Has Security Limits

Thumb-scan authentication for your smartphone might sound sexy, but bypasses remain all too easy.
Even if the scanning-speed challenge does get addressed in smartphones, the authentication technique is no risk-prevention panacea. "Security is always a cat and mouse game," says Brendon Wilson, director of product management at Nok Nok Labs, via email. "Add fingerprint sensors, and attackers will now attempt to figure out how to steal fingerprints off surfaces, off devices, or how to have malware attack the underlying hardware to steal credentials. It would be a mistake to think fingerprint scanning is the final word in authentication."

On the other hand, a fingerprint scanner could prove useful for so-called adaptive authentication, such as when using a smartphone to conduct online banking. For example, the FIDO Alliance -- of which Nok Nok Labs is a member -- is building an open standard to let websites authenticate people using whatever is at hand: passwords, PINs, security questions or a biometric fingerprint scanner built into a smartphone. Accessing a banking statement might require a password. But for transferring money, a thumb scan -- or else three security questions -- might also be required.

Despite their usefulness in such adaptive-authentication scenarios, thumb scans won't solve iPhone users' most pressing security concern: the physical theft of their device. Britain, for example, last year recorded an 8% increase in smartphone-related robberies, counting over 100,000 such thefts in 2012.

Hence the next big security payoff for a user of iOS -- or any other smartphone -- will come from adding a "kill switch" to remotely disable and track stolen devices. On that front, Apple has said that iOS7, due out this fall, will include a feature that can be used to remotely deactivate a stolen phone via an "activation lock," as well as to prevent data on the phone -- or a custom "please return this phone to its rightful owner" message -- from being deleted, unless the correct activation username and password get entered. That will hold even if the SIM card gets removed.

While such features might not seem as sexy as using your thumb to unlock an iPhone, in terms of real-world security, the biggest near-term security wins -- for the security of both the physical device and the information it stores -- will come from adding tough-to-defeat recovery features.

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing