Fingerprint sensor in iPhone 5S is no silver bullet, researchers say

The technology would be most efficient if used as part of a two-factor authentication system, not alone

The fingerprint sensor in Apple's new iPhone 5S has the potential to enhance the security of the device, but the devil will be in the details.

Its effectiveness will depend on the strength of the implementation and whether it's used in conjunction with other security credentials, researchers said.

Apple unveiled two new iPhone models Tuesday, the iPhone 5C and iPhone 5S, the latter of which has a fingerprint sensor dubbed Touch ID built into the home button. The sensor will allow users to use their fingerprints instead of a password to unlock the device and make purchases on iTunes.

It's not clear if the feature will also be used in other scenarios that have yet to be revealed or if third-party applications will also be able to use it to authenticate users.

In presenting the technology Tuesday, Apple said the fingerprint data is encrypted and locked in the device's new A7 chip, that it's never directly accessible to software and that it's not stored on Apple's servers or backed up to iCloud.

Fingerprint scanners have historically been susceptible to errors and to replay attacks, in which fingerprints are captured and then used, through a variety of techniques, to trick the scanners.

According to Apple, Touch ID scans sub-epidermal skin layers, has a 500-ppi resolution and can recognize fingerprints at any rotation. But how well it will resist attempts by security researchers to bypass it remains to be seen.

"Common attacks against fingerprint readers include using photos of fingers or creating fingerprint molds based on captured prints," said Dirk Sigurdson, director of engineering for the Mobilisafe mobile risk management technology at security firm Rapid7, via email. "Hopefully the iPhone sensor will have strong protections against using copied fingers."

Fingerprint technology is not a high-security feature, said Marc Rogers, principal security researcher at mobile security firm Lookout. That's why most military installations, for example, use hand geometry or retina scanners instead, he said.

"It is possible to copy a fingerprint and I think that as the technology sees wider usage, the techniques of copying fingerprints will only improve," the researcher said. However, a fingerprint is still better and more convenient than a four-digit PIN, he said.

The best single factor of authentication is a strong password stored only in the user's brain, but it's inherently difficult for people to create and remember strong passwords, Sigurdson said. This often results in bad passwords being used, so a good fingerprint reader and matching algorithm will likely improve the security of iOS devices, he said.

Many people probably don't even set a PIN because it's inconvenient to enter it every time, so a fingerprint gives them the opportunity to secure their device in a way that's better than nothing, Rogers said.

Research suggests as many as half of users never set up a four-digit PIN or a more complex password to lock their devices, Apple said during its presentation.

Rogers believes fingerprints could add great security if they're used in conjunction with other security credentials as part of two-factor authentication.

For example, Apple could allow users to set a strong, complex password that's used to encrypt the file system and which would need to be entered only when the device is switched on. The user's fingerprint could then be used as a medium-strength access credential to unlock the device when it's on and needs to be used. This would provide both security and convenience for users, Rogers said.

In addition, if Apple allowed other applications on the device to use the fingerprint sensor, it could increase the security of those applications. For example, a banking application could require users to authorize transactions by scanning their fingerprints, limiting what attackers can do if they steal those users' log-in passwords, he said.

Overall, the sensor has the potential to increase the security of the device, but it depends on implementation and whether consumers will actually use it, Christopher Pogue, director of security vendor Trustwave's SpiderLabs security research team, said via email. "It is key that consumers can easily understand how to use the sensor."

Like Rogers, Pogue believes that fingerprints would be most valuable if used as part of a two-factor authentication system.

"Like anything else that runs on a mobile device, the scanner itself is an application that interfaces with the underlying operating system and like other applications, regardless of function, there are vulnerabilities that exist due to a multitude of factors," Pogue said. "This application will likely be no different, and exploits will certainly be forthcoming if not already here."

Unlike a password, a fingerprint is not something a person can forget or share with someone else, so in that regard it provides stronger access control than a password, Pogue said. However, there has to be a failsafe mechanism to prevent the device owner from being locked out in case his fingerprint is modified as a result of an injury, for example, he said. "It's this 'back door' access that, if present, would likely lead to unforeseen security vulnerabilities."
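As an added illustration (not from the article, Apple or Touch ID itself), the following Python model sketches the arrangement Rogers proposes together with the passphrase fallback Pogue calls for: the file-system key is wrapped under a passphrase-derived key and only unwrapped after power-on, while the fingerprint unlocks the screen only while that key is cached and is refused after a cold boot or repeated misses. The XOR-plus-HMAC wrap, the PBKDF2 parameters, the hashed-sample template and the three-miss limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

MAX_FINGERPRINT_FAILURES = 3  # fall back to the passphrase after this many misses (assumption)

class Device:
    def __init__(self, passphrase: str, fingerprint: bytes) -> None:
        self.salt = os.urandom(16)
        data_key = secrets.token_bytes(32)  # random file-system key (constructed stand-in)
        kek = self._kek(passphrase)
        # Wrap the data key under the passphrase-derived key; the MAC lets a wrong
        # passphrase be rejected instead of silently producing garbage.
        self.wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        self.tag = hmac.new(kek, self.wrapped, "sha256").digest()
        self.template = hashlib.sha256(fingerprint).digest()  # stand-in for a biometric template
        self.cached_key = None  # present only between passphrase entry and power-off
        self.screen_locked = True
        self.fp_failures = 0

    def _kek(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def power_off(self) -> None:
        self.cached_key = None  # key leaves memory: the fingerprint alone cannot restore it
        self.screen_locked = True

    def lock_screen(self) -> None:
        self.screen_locked = True  # key stays cached, so the fingerprint may unlock

    def unlock_with_passphrase(self, passphrase: str) -> bool:
        kek = self._kek(passphrase)
        if not hmac.compare_digest(hmac.new(kek, self.wrapped, "sha256").digest(), self.tag):
            return False
        self.cached_key = bytes(a ^ b for a, b in zip(self.wrapped, kek))
        self.screen_locked = False
        self.fp_failures = 0
        return True

    def unlock_with_fingerprint(self, fingerprint: bytes) -> bool:
        # Refused after a cold boot or too many misses: the passphrase is the failsafe path.
        if self.cached_key is None or self.fp_failures >= MAX_FINGERPRINT_FAILURES:
            return False
        if hmac.compare_digest(hashlib.sha256(fingerprint).digest(), self.template):
            self.screen_locked = False
            return True
        self.fp_failures += 1
        return False
```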

Security best practices indicate that access control should always use at least two factors: "something you know," like a password or PIN; "something you have," like a physical token device; or "something you are," like a biometric feature, including fingerprints, Pogue said. Adding an additional layer of defense makes unauthorized access to the device through that mechanism exponentially more difficult, he said.

The goal should always be to raise the bar for attackers and, keeping that in mind, if the fingerprint sensor were used as part of a two-factor authentication system, it would greatly enhance security, Rogers said.

However, Rogers and Pogue had different opinions on how useful this feature will be in enterprise environments.

Rogers thinks that if the feature is made available to third-party developers, enterprises could use it to secure their internal mobile applications and limit the risks resulting from phishing attacks that target employee access credentials.

He also believes that it increases the physical security of devices and could, in conjunction with other technologies like remote device tracking, discourage mobile phone theft, which has become a serious problem in many countries.

Meanwhile, Pogue thinks that the sensor only marginally improves security because there will likely be bypasses for it, and he doubts that enterprises will take advantage of the technology anytime soon.

The FIDO Alliance, an industry group that wants to reduce reliance on passwords, welcomed Apple's inclusion of a fingerprint sensor, but didn't think it would result in widespread adoption of such technology, because its implementation is proprietary.

"Apple's decision to include authentication with the iPhone is a good dose of rocket fuel for the industry," said Michael Barrett, president of the FIDO Alliance. "Though any authentication technology unsupported by standards may take years, if ever, to achieve widespread market penetration. The marketplace seeks authentication capabilities that span computer, smartphone, and physical access authentication and federated identity applications. Open industry standards, such as FIDO authentication specifications, are required before we can achieve industry-wide adoption of strong authentication across all platforms."

Stories by Lucian Constantin