iPhone 5s fingerprint scanner could be mobile security game changer

Apple could be the one to make fingerprint authentication mainstream

On Friday the iPhone 5s will be out on the street, and with it, Apple's fingerprint scanning technology. There are still some concerns about how Apple is implementing and managing fingerprint authentication, but as long as the iPhone 5s doesn't fumble completely, the new smartphone could finally spur mainstream adoption of the technology.

As Apple revealed a couple of weeks ago, the home button on the new iPhone 5s is also a fingerprint scanner. Rather than using a passcode, you can now unlock the device just by holding your finger on the home button.

The iPhone 5s isn't the first mobile device with a fingerprint scanner. The Motorola Atrix included fingerprint authentication back in 2011. Apparently, even Motorola forgot about the Atrix, though, because it had the audacity to send out a tweet slamming the idea of using a fingerprint with a mobile device.

Paul Henry, security and forensic analyst at Lumension, believes that the iPhone 5s fingerprint authentication could prove to be a game changer. "There are two factors that will determine the real success of this new feature, which has undeniable potential," he says. "First, reliability and second, security--though as a security researcher, I have to say it should really be security first."

Is it secure?

There are questions about how Apple is scanning and storing the fingerprint data. If someone guesses or compromises your passcode, you can just change it to a new one. But you can't change your fingerprints. Some worry that a thief could simply use an image or picture of your fingerprint to gain access to your iPhone, the same way Android's facial recognition authentication can be fooled with a picture of the device owner. It wouldn't be hard to get your fingerprint--your iPhone will likely be covered with dozens of samples.

Macworld contributor Rich Mogull does an excellent job explaining why that probably isn't an issue. In a nutshell, Apple is using capacitive scanning that looks at more than just the image of your fingerprint, and it's most likely not storing the actual fingerprint anywhere on the iPhone where it might be compromised.

Mogull hypothesizes that Apple is probably analyzing the fingerprint and using unique data from it to generate a mathematical representation or template. By this logic, when you touch the home button, your fingerprint is run through the algorithm again, and the results are compared to the template to ensure they match. These are educated guesses, though, and the actual implementation may work differently.
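
The enroll-then-compare flow hypothesized above, as an added Python illustration that is not from the article, from Mogull or from Apple: the feature vectors, noise model and thresholds are constructed assumptions and say nothing about how the iPhone 5s actually works. It shows why a stored template is matched by distance against a threshold rather than by exact hash as a passcode would be, and how that threshold trades false accepts against false rejects.

```python
import hashlib
import math
import random

DIM = 16       # length of the constructed feature vector (assumption)
NOISE = 0.05   # bound on per-feature sensor noise (assumption)

def capture(finger, rng):
    """Simulate one sensor read: the finger's true features plus bounded noise."""
    return [f + rng.uniform(-NOISE, NOISE) for f in finger]

def enroll(captures):
    """Build the stored template: per-feature mean of several captures.
    Only this derived vector is kept, never the raw captures."""
    return [sum(col) / len(col) for col in zip(*captures)]

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def verify(template, sample, threshold):
    """Accept when the fresh sample is close enough to the template."""
    return distance(template, sample) <= threshold

def exact_digest(features):
    """Passcode-style exact comparison, included to show why it cannot work:
    two reads of the same finger never produce identical features."""
    return hashlib.sha256(repr(features).encode()).hexdigest()

def error_rates(threshold, trials=200, seed=1):
    """Return (false_accept_rate, false_reject_rate) over constructed fingers."""
    rng = random.Random(seed)
    owner = [rng.random() for _ in range(DIM)]           # constructed owner
    template = enroll([capture(owner, rng) for _ in range(5)])
    false_accepts = false_rejects = 0
    for _ in range(trials):
        if not verify(template, capture(owner, rng), threshold):
            false_rejects += 1                           # owner locked out
        stranger = [rng.random() for _ in range(DIM)]    # constructed impostor
        if verify(template, capture(stranger, rng), threshold):
            false_accepts += 1                           # impostor let in
    return false_accepts / trials, false_rejects / trials

if __name__ == "__main__":
    for t in (0.1, 0.4, 2.0):
        far, frr = error_rates(t)
        print(f"threshold={t}: false accepts={far:.2%}, false rejects={frr:.2%}")
```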

"What we need to know is how good a job did Apple actually do securing the biometric data," Henry says. "They say it's encrypted and not shared with other applications, but we'll have to wait and see how it works in practice."

Henry also has some concerns about just how much access someone gets if the fingerprint authentication is bypassed or compromised. "If a single fingerprint grants access to other services (particularly iCloud), that's a frightening prospect if Apple hasn't done a truly expert job at securing that local credential," he says.

Should you use it?

Dwayne Melancon, CTO for Tripwire, says, "In general, multifactor authentication is a good idea and biometrics, in particular, are good as long as they work properly. Early reports of Apple's biometric implementation are promising, and even if there is some rate of false identification, this approach is still more secure than a four-digit PIN."

One crucial thing for IT admins to understand is how device access works in the event that the fingerprint scanner is not an option. What if a user breaks their finger and it's in a cast, or the home button fingerprint sensor malfunctions?

"From an enterprise perspective, I would wait until the security of this implementation of fingerprint scanning has been tested 'in real life' before adopting it broadly," Melancon cautions.

Making it mainstream

Biometric security is nothing new, but it has yet to really catch on as a mainstream method of authentication. The password or passcode remains king. Apple has a huge market presence, though, and the iOS ecosystem commands a great deal of respect. If the iPhone 5s fingerprint scanner lives up to expectations, this could be the tipping point that turns it into the new default standard.

If Apple stumbles or falls on its face, though, it could set biometric security back a few years. If there are too many false negatives or false positives, or it turns out that the fingerprint data isn't stored as securely as it should be, or there are other problems with the fingerprint scanner, it will tarnish the reputation of biometrics with average users, and it will take a long time to recover.


Stories by Tony Bradley
