Apple iOS Fingerprint Scanner Has Security Limits

Thumb-scan authentication for your smartphone might sound sexy, but bypasses remain all too easy.

Apple aficionados: Don't count on fingerprint scanners built into future iOS devices to make you more secure. That's because such scans won't meaningfully improve real-world access security, or create a disincentive strong enough to counter the rising number of smartphone-centered muggings, also known as "Apple picking."

The news that future iOS devices -- the iPhone, iPad and iPod Touch -- may have a fingerprint scanner built into their physical "home" button broke earlier this week, after London-based developer Hamza Sood (whose name may be a pseudonym) tweeted that he'd found a description of the feature in the accessibility settings of iOS7 beta 4.

For iOS watchers, such a move wouldn't be surprising, especially since 12 months ago, Apple paid $356 million for AuthenTec, which manufactures fingerprint readers. Adding them to an iPhone is an obvious next step.

Such a fingerprint reader, if enabled by users, could definitely make life more convenient by freeing users to not have to enter the four-digit passcode (that some subset of iOS users have enabled) or a complex alphanumeric passphrase (which an even smaller number of people employ).

[ Is there a better way? See Passwords Should Die, Campaign Urges. ]

That's because entering a passcode or passphrase on a smartphone is a usability chore. Blame small screen size and the absence of tactile feedback, which make it all too easy to "fat-finger" a virtual keyboard, especially when entering long passphrases.

Fingerprint scans, obviously, could eliminate the need to enter a complex password, arguably without compromising access security. One crucial related success factor, however, will be speed. If the average user employs a four-digit iPhone passcode and can enter it in less than a second, then the new biometric feature will need to be faster. Otherwise, the majority of users will stick with a faster option, which for many continues to involve no passcode at all.

From a hardware standpoint, making a fingerprint scanner small enough and fast enough to meet that requirement will be a challenge. Notably, less expensive fingerprint scanners tend to involve swiping a sensor, which serves the dual purpose of also keeping the sensor clean. But Apple's description of the feature describes a user "touching the home button with their thumb," and such technology is trickier to package in an iPhone form factor. "Full-finger scanners are more expensive as they must have the necessary resolution to scan your entire finger in one go," noted ExtremeTech, "and they also have a tendency to get crudded up, because you're not constantly cleaning them with a swiping action."

Apple isn't the first smartphone manufacturer to head down the fingerprint-scanning path. Since 2011, Atrix smartphones from Motorola -- now owned by Google -- have included a fingerprint scanner in the power/lock button. But the devices also require users to set a recovery PIN, which highlights how enterprising attackers might simply attempt to crack that, instead of trying to fool with fingerprints.

Furthermore, the technology -- unless packaged in dedicated, standalone devices like the eyeball and fingerprint scanners used in some airports -- remains unproven. "Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods" in non-dedicated, mass-produced devices, says SMS authentication pioneer Andy Kemshall, technical director at SecurEnvoy, via email. "The technology simply isn't sophisticated enough."