The latest iPhone has arrived, and along with it what may be the slickest integration of biometric security yet: A fingerprint scanner built seamlessly into the phone’s home button. But privacy-conscious users would be wise to think twice. Better to use your fingerprint as another layer of protection than as a replacement for old-fashioned passwords and passcodes.
In Apple’s iPhone 5S launch event Tuesday, the company’s vice president of marketing Phil Schiller introduced its first-ever fingerprint scanner, which it’s calling Touch ID, a feature that appears only as a thin ring of metal around the iPhone’s single front-facing button. According to Apple’s descriptions, the 170-micron thin scanning sensor sits under a laser-cut sapphire crystal and is surrounded by the steel detection ring, which can capture 550 pixels per inch of resolution in a user’s fingerprint.
“We have so much of our personal life on these devices…and they’re with us everywhere we have to go,” Schiller told the keynote’s audience, noting that only half of iPhone users set up lockscreen passcodes on their devices. “We have to protect them.” And Touch ID’s authentication, it seems, can be used to replace more than just the initial passcode lock on an iPhone. In his talk, Schiller also mentioned that it can be used to buy items in Apple’s App Store, implying that it can also replace full passwords.
But if Apple intends to offer Touch ID as an alternative to the traditional password, those of us with sensitive personal, corporate or government data at stake may want to wait, given the security industry’s less-than-perfect record when it comes to preventing spoofed fingerprints from cracking its biometric protections, argues Brent Kennedy, a vulnerability analyst with the government-run U.S. Computer Emergency and Readiness Team who researched biometrics as a graduate student.
“If the fingerprint reader tests well, it may be more secure than a four-digit pin. But I’d caution right away, let’s see how it tests and what people come up with to break it,” says Kennedy. “I wouldn’t rely on it solely, just as I wouldn’t with any new technology right off the bat.”
A stolen phone, after all, is usually covered with its owner’s fingerprints, making the job of any would-be cracker much easier. Researchers have found plenty of methods for using lifted fingerprints to defeat commercial fingerprint readers before. One group at the University of West Virginia used sculpted Play-Doh and, in another experiment, cadaver fingerprints in 2002 to trick a variety of optical and conductivity-based sensors. A Japanese researcher copied fingers in gummy-worm like gelatin to fool the sensors of more than ten commercial products. And one episode of the Mythbusters television show demonstrated that fingerprint readers could be bypassed by licking a piece of latex with a copied print, or even just showing a print-out of the swirl to the scanner on paper.
Fingerprint reader technology has improved since many of those tests to incorporate anti-spoofing technologies that test for heat and even the patterns of sweat from a user’s pores, according to Reza Derakshani, a professor of computer science at the University of Missouri who built some of the first so-called “liveness” tests to disqualify spoofed fingers. “If you look at a finger’s active pores to see how the perspiration oozes and spreads along ridges, you can see patterns,” he says. “You can still spoof biometrics, but only naive ones. A good liveness check thwarts some if not all spoof attacks.”
In Tuesday’s presentation, Schiller boasted that Touch ID’s test includes somehow sensing “sub-epidermal skin layers.” But whether Apple’s detection ring includes enough of Derakshani’s “liveness” tests to rule out advanced spoofing won’t be clear until the product hits the market and is subjected to public security research’s experimentation.
One bright note for the privacy-conscious is that Touch ID doesn’t seem to transmit a user’s fingerprint to the cloud, but rather keeps that data restricted to the device itself. That measure may allay fears that Apple is somehow collecting a database of biometric data that could be accessed by the government or rogue hackers.
If it’s possible–and popular–for iPhone users to institute both a passcode and a fingerprint as security measures for their phone, Touch ID may be a good thing for overall user security, says US-CERT’s Kennedy. So-called two-factor authentication, after all, has become a popular method used by Google, Twitter, and others to bolster typical passwords protections, usually by sending a one-time code to a user’s phone so that only a hacker who has also stolen their phone can break into an online account. But a biometric factor may work just as well as a second device for that second safeguard.
“Two factor authentication usually uses something you know and something you have–in this case, it’s something you are,” says Kennedy. “If [Apple] allows you to use both, that’s the best of both worlds.”
Follow me on Twitter, and pre-order the upcoming paperback edition of my book, This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers, a New York Times Book Review Editor’s Choice.