The iPhone 5s fingerprint reader: what you need to know

So Apple has announced that it's building a fingerprint reader into its new flagship smartphone, the iPhone 5s, calling that technology Touch ID. Here's what you need to know about it.

How does Apple's Touch ID fingerprint sensor work?

There are a few different fingerprint-sensor technologies out there, with optical and capacitance readers being the most common.

Optical readers take a picture of your fingerprint with a digital camera. Apple chose a capacitance reader, which is far more interesting.

A capacitance fingerprint reader leverages a handy property of your skin: The outer layer of your skin (your dermis), where your fingerprint is, is non-conductive, while the subdermal layer behind it is conductive. When you touch the iPhone's fingerprint sensor, it measures the minuscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image.

Apple embedded this sensor in the Home button, and added a ring to turn it on and help reduce signal errors. I suspect that the ring also adds a little current to your finger to help boost and clean the signal.

It appears to be a great design. Most other portable readers I've used in the past were optical, which is easier to fool (sometimes a good photocopy will work), easier to break, and more prone to error (thanks to smudged glass and other factors).

Does my iPhone store my fingerprint?

Apple says no, and here is what I think is going on. Typically, your fingerprint is scanned and run through a mathematical algorithm that creates a fingerprint template. This template is a representation of part of your fingerprint; it isn't a stored image.

Better yet, most advanced systems run this template through a cryptographic hashing algorithm, as they do for passcodes, and store that result. To add even more security, during hashing the template is combined with a unique or random number (a salt) to make recovery even harder. Since your iPhone already does this with your passcodes (using a special device ID embedded in your hardware), I suspect Apple uses the same process for your fingerprint template.

Every time you scan your fingerprint, the phone runs through the same algorithmic process and the result is compared with the stored hash. Not only is your actual fingerprint not stored, but it's likely extremely hard, if not impossible, to recover even if the NSA gets your phone.

I'm assuming a few things here, but they're educated assumptions based on how Apple manages passcodes today.
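The enrol-then-compare process described above, as an added example that is not Apple's code or anything the article shows: a template is hashed under a keyed hash with a random salt and a device-bound key, only the salt and hash are stored, and each later scan is hashed the same way and compared in constant time. `DEVICE_KEY`, the template byte strings and the function names are constructed placeholders. The example assumes, as the article's model does, that the sensor pipeline yields an exact, repeatable template; the `near_match` case shows why that assumption matters, since a hash has no tolerance for a reading that differs by even one byte.

```python
import hashlib
import hmac
import os

# Constructed placeholder standing in for a per-device secret embedded in
# hardware (an assumption modelled on how the article says passcodes are
# handled; not a real Apple key).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def enroll(template: bytes, device_key: bytes = DEVICE_KEY) -> dict:
    """Enrol a fingerprint template as the article describes: a keyed hash over
    a fresh random salt plus the template. Only the salt and the hash are
    returned for storage; the template itself is discarded."""
    salt = os.urandom(16)
    digest = hmac.new(device_key, salt + template, hashlib.sha256).digest()
    return {"salt": salt, "hash": digest}


def verify(template: bytes, record: dict, device_key: bytes = DEVICE_KEY) -> bool:
    """Re-run the same process on a fresh scan and compare against the stored
    hash in constant time, so timing does not leak how many bytes matched."""
    digest = hmac.new(device_key, record["salt"] + template, hashlib.sha256).digest()
    return hmac.compare_digest(digest, record["hash"])


def demo() -> dict:
    """Exercise the scheme on constructed templates and return the outcomes."""
    # Constructed stand-ins for minutiae-derived templates; real ones are binary blobs.
    genuine = b"constructed-template:ridge-endings=12;bifurcations=7"
    impostor = b"constructed-template:ridge-endings=9;bifurcations=11"
    # One byte different from the genuine template: the kind of variation a
    # real sensor produces between two scans of the same finger.
    near_match = genuine[:-1] + b"8"

    record = enroll(genuine)
    return {
        "genuine_accepted": verify(genuine, record),
        "impostor_rejected": not verify(impostor, record),
        # Exact hashing has no tolerance: a near-match reading is rejected too.
        "near_match_rejected": not verify(near_match, record),
        # The same template under another device key gives a different record,
        # so a stolen record is bound to the hardware it came from.
        "record_is_device_bound": not verify(genuine, record, device_key=b"other-device"),
        # Two enrolments of the same template differ because of the random salt.
        "salt_randomises_hash": enroll(genuine)["hash"] != record["hash"],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry returned by `demo()` is `True`; the stored record holds 16 bytes of salt and a 32-byte SHA-256 HMAC and nothing from which the template could be reconstructed.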

Is a fingerprint more secure than a passcode?

Fingerprints are both more and less secure than passcodes. A fingerprint is more secure since it is effectively impossible to guess. It can be less secure since, if someone steals it once, they steal it for life.

It also depends on how the fingerprint is stored. If the template is large (as in longer than any passcode you would ever care to remember), and properly hashed, salted, and stored, it is definitely more secure than a passcode (until a S.H.I.E.L.D. agent lifts it off your vodka martini glass at that casino in Morocco).

Finally, both passcodes and fingerprints are still forms of single-factor authentication. That means you only need one thing to break into the system. Really secure systems require multiple factors, such as a passcode and a fingerprint.

Does this mean I don't need iOS passcodes anymore?

No, passcodes are still here to stay. For one thing, you need a way back into your iPhone if you lose a finger (or cut it in the wrong spot) or break the sensor. But, effectively, you won't need to use your passcode day to day. We'll have to see how Apple handles alternate recovery options; I suspect you will still use a recovery passcode.

Corporate users may also still be required to use passcodes, and people who might be targets of fingerprint theft (remember, the Department of Defense uses iPhones now) probably don't want to rely only on passcodes.

What about my iCloud and iTunes Store passwords?

Because you access Apple's cloud services from multiple systems, not all of which have fingerprint sensors, you will still need passwords for them. However, based on what Apple has said and shown, you can use your fingerprint to authenticate purchases and actions from your iPhone 5s. Odds are that Apple will store your iCloud and iTunes Store passwords in your iPhone keychain, then use your fingerprint to authorize access to them. This is similar to how OS X and iOS have always handled stored passwords. It is also consistent with Apple's emphasis that your fingerprint never leaves your device, and isn't stored in the cloud.

Can other apps and services use my fingerprint?

Apple has stated that other apps will be able to use Touch ID, but also that said apps will never access your fingerprint. Again, I think these apps will probably use the iOS Keychain. Apple may also open up the API to allow apps to access the Touch ID sensor itself, or, more likely, to have iOS authenticate you and pass along the result. Finally, many apps and services, such as Twitter, use a standard called OAuth to allow access without exposing your username and passcode on the device. This won't change, but perhaps there will be a new API call so such apps can check to see if you unlocked the phone, and it wasn't merely lying around for someone to access.

Why is this so exciting?

There are two reasons this is so exciting. First, this now means you won't have to enter your passcode before you can do simple things like texting. As Apple has said, only about half of iPhone users use a passcode at all, and I suspect most of them use a simple four-digit PIN. Your fingerprint is a far more secure option, and putting the reader right in the home button makes it more convenient than swiping your phone to unlock it.

It is yet another example of Apple making security invisible. Over the next few years I think it is safe to say that most iDevices will include a Touch ID sensor, placing strong security into everyone's hands.

But take this a step further. Although a fingerprint alone isn't necessarily more secure than a passcode, combining a fingerprint and a security token counts as strong authentication. Some of you already use your iPhone as a security token with your bank or services like Dropbox or Google Authenticator that send one-time codes to the phone registered with your account.

Now all those services could eventually have the option (depending on Apple) of using both your fingerprint and your device to authenticate you. Apple may be placing strong, biometrics-enabled authentication in the hands of masses of consumers. During Apple's announcement, the company clearly stated that it considers phones to be keys, which indicates it's heading down the path of making your phone, and your fingerprint, the keys to your digital life.

And perhaps your physical life, too, as door locks, home alarms, payment cards, payment systems like Passbook, and other codes and credentials are stored on your phone and made accessible using everything from WiFi and LTE to short-range Bluetooth protocols. Touch ID could be game-changing in the long run, and I'd expect other phone manufacturers to follow that same path, to the point that unlocking your phone with your fingerprint to access online and real world services will someday seem entirely normal.


Stories by Rich Mogull
