Apple iOS Fingerprint Scanner Has Security Limits - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile

Apple iOS Fingerprint Scanner Has Security Limits

Thumb-scan authentication for your smartphone might sound sexy, but bypasses remain all too easy.

10 Hidden iPhone Tips, Tricks
10 Hidden iPhone Tips, Tricks
(click image for larger view)
Apple aficionados: Don't count on fingerprint scanners built into future iOS devices to make you more secure. That's because such scans won't meaningfully improve real-world access security, or create a disincentive strong enough to counter the rising number of smartphone-centered muggings, also known as "Apple picking."

The news that future iOS devices -- the iPhone, iPad and iPod Touch -- may have a fingerprint scanner built into their physical "home" button broke earlier this week, after London-based developer Hamza Sood (whose name may be a pseudonym) tweeted that he'd found a description of the feature in the accessibility settings of iOS7 beta 4.

For iOS watchers, such a move wouldn't be surprising, especially since 12 months ago, Apple paid $356 million for AuthenTec, which manufactures fingerprint readers. Adding them to an iPhone is an obvious next step.

Such a fingerprint reader, if enabled by users, could definitely make life more convenient by freeing users to not have to enter the four-digit passcode (that some subset of iOS users have enabled) or a complex alphanumeric passphrase (which an even smaller number of people employ).

[ Is there a better way? See Passwords Should Die, Campaign Urges. ]

That's because entering a passcode or passphrase on a smartphone is a usability chore. Blame small screen size and the absence of tactile feedback, which make it all too easy to "fat-finger" a virtual keyboard, especially when entering long passphrases.

Fingerprint scans, obviously, could eliminate the need to enter a complex password, arguably without compromising access security. One crucial related success factor, however, will be speed. If the average user employs a four-digit iPhone passcode and can enter it in less than a second, then the new biometric feature will need to be faster. Otherwise, the majority of users will stick with a faster option, which for many continues to involve no passcode at all.

From a hardware standpoint, making a fingerprint scanner small enough and fast enough to meet that requirement will be a challenge. Notably, less expensive fingerprint scanners tend to involve swiping a sensor, which serves the dual purpose of also keeping the sensor clean. But Apple's description of the feature describes a user "touching the home button with their thumb," and such technology is trickier to package in an iPhone form factor. "Full-finger scanners are more expensive as they must have the necessary resolution to scan your entire finger in one go," noted ExtremeTech, "and they also have a tendency to get crudded up, because you're not constantly cleaning them with a swiping action."

Apple isn't the first smartphone manufacturer to head down the fingerprint-scanning path. Since 2011, Atrix smartphones from Motorola -- now owned by Google -- have included a fingerprint scanner in the power/lock button. But the devices also require users to set a recovery PIN, which highlights how enterprising attackers might simply attempt to crack that, instead of trying to fool with fingerprints.

Furthermore, the technology -- unless packaged in dedicated, standalone devices like the eyeball and fingerprint scanners used in some airports -- remains unproven. "Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods" in non-dedicated, mass-produced devices, says SMS authentication pioneer Andy Kemshall, technical director at SecurEnvoy, via email. "The technology simply isn't sophisticated enough."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
melgross
50%
50%
melgross,
User Rank: Ninja
8/1/2013 | 10:55:38 PM
re: Apple iOS Fingerprint Scanner Has Security Limits
In thinking about this some more, I realized something. From looking at the patents, it appears that this is capacitive in nature. The ridges of the fingers will generate a pattern of capacitance, which is what's being read. If this is the case, no fingerprint pattern will work if it isn't from a real finger, perhaps only a live finger.
Cjaer Wilson
50%
50%
Cjaer Wilson,
User Rank: Apprentice
8/1/2013 | 6:47:07 PM
re: Apple iOS Fingerprint Scanner Has Security Limits
If one were to pick up their iPhone and look at it directly from a power save (screen dimmed mode) the first thing that needs to be done is depressing either the home button or power button. I'm not privy to the ultimate design, however it's pretty easy to see how depressing the home button could generate an near instant read, index and compare. I don't attempt to do it in a hurry, but for me to press to wake, swipe and then password is more like four seconds, and as melgross points out some of us occasionally miss-key which adds to more delay.

Another obvious potential use is as a hands-nearly-free authentication. A vehicle driver who stops at a light can easily grab a phone and press the home button with a thumb by touch, then use the hands free mechanisms to give voice commands and audio response for the rest of their needs (call/directions).

Finally, and most importantly to me, is the extra security layer allows for a much more secure NFC or other location based transactions. I hate carrying credit cards with my phone, the phone should be able to replace those cards.

Yes, the security could be bypassed. However compared to the current state it's a radical improvement (assuming the inclusion of credit card replacement). If someone finds my credit card they can use it until I cancel it. If someone finds my phone they are going to have to dust it for finger prints and then generate a dummy that the reader would accept. I wouldn't want it to be the security protocol for a nuclear launch, but it's enough of a pain that your average subway iPhone thief is not likely to achieve success. Apple is also large enough to get payment processors on board.

As to the wipe issue, all one has to do is slide your thumb off after the read. Sometimes we over think things.
melgross
50%
50%
melgross,
User Rank: Ninja
8/1/2013 | 3:01:17 PM
re: Apple iOS Fingerprint Scanner Has Security Limits
This is a tough one to call. The sensor seems more sophisticated that what I've been seeing previously, even including Authentec's earlier versions for other companies.

The point with this is not just speed, but not needing to remember the number, which might seem easy, as it's only four numbers. But people do sometimes forget, or, as you pointed out, hit the wrong key, sometimes, several times in a row, particularly when in a hurry.

This should be more secure than a four digit pin. And, it's more for the casual thief, who won't want to bother figuring out a way around it. Removing a fingerprint from the phone may not work well anyway.

I would just prefer they used a forefinger instead, as that's how we tap our phones normally, but perhaps we'll get the choice as to which finger to use. I don't know how it could tell anyway.
Commentary
Enterprise Guide to Edge Computing
Cathleen Gagne, Managing Editor, InformationWeek,  10/15/2019
News
Rethinking IT: Tech Investments that Drive Business Growth
Jessica Davis, Senior Editor, Enterprise Apps,  10/3/2019
Slideshows
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll