BeckyStrause
Apple just released the new iPhone 5s with the new security feature of Touch ID. This new fingerprint identity sensor is part of the home button and allows the user to unlock his phone without a password. Apple explains it this way (emphasis mine): “Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.”
“Highly secure” seems to be a debatable phrase. Tech writers everywhere are talking about how Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s Touch ID by basically copying the user’s fingerprint and creating a fake. The way they did it is all explained in this step-by-step guide. Some say this is nothing to worry about because if someone is stealing your fingerprints, you have something bigger to worry about. I see what they’re saying, but don’t entirely agree. The fact of the matter is, it’s been proven that stealing your fingerprint to unlock your phone is relatively easy to accomplish and seemingly something that most people could learn to do. So, how safe is Touch ID security? As a first level, with a PIN acting as a second level of security, it’s very secure. But if you’re using just your fingerprint, you may be missing something.
Senator Al Franken pointed out in his critique of the iPhone 5s security that “Passwords are secret and dynamic; fingerprints are public and permanent. If you don’t tell anyone your password, no one will know what it is. If someone hacks your password, you can change it — as many times as you want. You can’t change your fingerprints. You have only ten of them. And you leave them on everything you touch; they are definitely not a secret. What’s more, a password doesn’t uniquely identify its owner — a fingerprint does. Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.”
The other issue of using a fingerprint as sole security authentication is a legal one. This article on HITB Sec News brings up the legal effects of moving from PINs to fingerprints. As they point out, the Fifth Amendment may not protect a person “when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).”
As much as it may be a pain to continue using a PIN for security, it may be the best option… at least for today. As always, we’re anxious to see what tomorrow brings.