Apple's Touch ID may not be bulletproof, but it's still useful

As you've probably heard by now, Apple's Touch ID--the technology behind the iPhone 5s's new fingerprint scanner--was circumvented over the weekend by a group of German security researchers. With little more than the kind of supplies you'd find in the home of your average computer enthusiast, the hackers claim to have fooled the sensor on their brand-new handsets into accepting a fake fingerprint that had been photographed at high resolution, printed out, and transferred to a piece of latex.

If true, this trick appears to cast some serious doubts on just how effective Touch ID is at keeping your information secure from ill-intentioned third parties. But despite those concerns, you shouldn't discount the usefulness of Apple's fingerprint-based security system just yet.

Being, having, and knowing

As I mentioned in an article I wrote for Macworld back in August, the idea behind using fingerprints to unlock your phone is that they tie your data to something that uniquely identifies you in a physical way. Unlike a password, which can be guessed and cracked even if nothing is known about its user, biometric data like fingerprints is generally thought to be impossible to reproduce without having access to the original.

More to the point, fingerprints aren't supposed to replace your passwords so much as work alongside them. The idea is that even if hackers manage to guess your password, they still won't have the finger that goes along with it. Ideally, for added security, you'd even want to couple a fingerprint (something you "are") and a password (something you "know") with a third item that is in your possession, like an access card or a device capable of receiving SMS messages (something you "own").
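As an added illustration of the "know / have / are" layering described above (example code written for this page, not Apple's or any vendor's implementation), the following Python models the three factor classes and a policy that grants access only when evidence from a minimum number of distinct classes checks out. The salted password hash, the HOTP token code, and the bitstring "fingerprint" with a mismatch threshold are constructed assumptions chosen to show the important property of biometrics: they are matched by similarity, not by exact comparison, so a good replica passes the fingerprint check, and it is the second factor class that stops it.

```python
"""Added example (not from the CSO article): a small authentication policy
modelling the article's three factor classes.  All secrets, the bitstring
"fingerprint" representation and the similarity threshold are constructed
for illustration only."""
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password or passcode
    HAVE = "something you have"   # token, or a phone that receives SMS codes
    ARE = "something you are"     # fingerprint


# --- something you know: salted PBKDF2 hash, constant-time comparison ---
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), stored)


# --- something you have: HOTP code (RFC 4226 dynamic truncation) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_token(secret: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(hotp(secret, counter), code)


# --- something you are: fuzzy match of a feature bitstring (constructed) ---
# Sensor readings are noisy, so a biometric check is a similarity threshold,
# never an exact compare.  That is exactly why a faithful replica can pass.
def verify_biometric(enrolled: str, sample: str, max_mismatch: int = 4) -> bool:
    if len(enrolled) != len(sample):
        return False
    mismatches = sum(a != b for a, b in zip(enrolled, sample))
    return mismatches <= max_mismatch


def authenticate(verified: dict, min_classes: int = 2) -> bool:
    """Grant access only if evidence from at least min_classes *distinct*
    factor classes verified.  Two passwords are still a single class."""
    passed = {factor for factor, ok in verified.items() if ok}
    return len(passed) >= min_classes


def demo() -> dict:
    salt = b"constructed-salt"
    stored = hash_password("correct horse battery staple", salt)
    token_secret = b"constructed-token-secret"
    enrolled = "1011001110001011"            # constructed 16-bit "fingerprint"
    noisy_same_finger = "1011001010001011"   # one bit differs: noisy real read
    replica = enrolled                       # a faithful copy matches perfectly

    results = {}
    # Fingerprint alone as the sole unlock factor: a replica is enough.
    results["replica_alone_single_factor"] = authenticate(
        {Factor.ARE: verify_biometric(enrolled, replica)}, min_classes=1)
    # Two-class policy: the same replica fails without the password.
    results["replica_without_password"] = authenticate(
        {Factor.ARE: verify_biometric(enrolled, replica),
         Factor.KNOW: verify_password("wrong guess", salt, stored)})
    # Legitimate user: noisy fingerprint read plus the correct password.
    results["finger_plus_password"] = authenticate(
        {Factor.ARE: verify_biometric(enrolled, noisy_same_finger),
         Factor.KNOW: verify_password("correct horse battery staple", salt, stored)})
    # All three classes, with a token code generated for counter 7.
    results["all_three"] = authenticate(
        {Factor.ARE: verify_biometric(enrolled, noisy_same_finger),
         Factor.KNOW: verify_password("correct horse battery staple", salt, stored),
         Factor.HAVE: verify_token(token_secret, 7, hotp(token_secret, 7))},
        min_classes=3)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'denied'}")
```

The design point is that `authenticate` counts factor *classes*, not checks: stacking a second knowledge factor would not help against someone who already has your password, whereas a fingerprint or a token from a different class does.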

The problem

From this point of view, then, the protection that Touch ID offers starts to look a bit iffy. As many have already pointed out, given how easily the German researchers were able to fool the iPhone's fingerprint sensor, it would be trivial for a thief who has physical access to your surroundings to take a picture of your prints and use them to unlock your phone. (Incidentally, if you're worried about leaving usable fingerprints right on your phone itself, one suggestion is registering a seldom-used finger, like your pinkie, to minimize the risk).

This scenario, however, has a few flaws for all but a relatively small portion of users. For one thing, even if a would-be thief could unlock your phone with a fake fingerprint, they would also have to get their hands on your iPhone for long enough to siphon all its information out, or, at the very least, for as long as it takes to change your iCloud password so that they could try to gain access to your backups, calendars, and e-mail accounts. This is not as simple as it sounds--at least, as long as the thieves aren't known to the phone owner.

In addition, if you are like most of the people I know, your iPhone is never far away from your hands and pockets, and you would likely notice its absence in short order--at which point, if you're worried about your information, you will run for the nearest computer and use Find My Phone to disable your device, pronto.

Obviously, this doesn't protect you from, say, a jealous spouse or a determined private investigator; outside of Hollywood fiction, however, those people usually have easier means to gain access to potentially incriminating information--like, say, accessing your home computer after you've gone to work or simply calling up your cellular company and talking customer support into faxing them a copy of your last bill.

Focus on the good, not the bad

In real life, the only people who worry about these kinds of data theft are likely to be too sophisticated and security-conscious to use Touch ID in the first place. And, if they aren't, their digital lives probably have plenty more vulnerabilities that are easier to exploit than playing arts-and-crafts, Mission: Impossible style.

Touch ID was built for the rest of us--people who have fewer skeletons in their closet, but who are still vulnerable to enemies born out of opportunity. According to many statistics, tens of thousands of iPhones are stolen every year across North America. From the thieves' point of view, snatching a smartphone in the street is easy, low in risk, and potentially very rewarding: you end up with a valuable piece of electronics--and, if the phone isn't locked, you also get a peek at enough of a person's information to do some serious damage. (And iOS 7's Activation Lock can at least make it harder for a thief to wipe and resell your phone.)

Passcodes are a good solution to this problem, but they are also inconvenient--so much so that, according to a recent McAfee survey, less than one third of users actually enable them. Touch ID, on the other hand, is very convenient, and its futuristic appeal makes it fun to use, which means that a large number of users may, for the first time, actually protect their data with some level of security.

Marketing gone awry

Ultimately, Apple's marketing has done a poor job of explaining Touch ID to the public. Instead of promoting it as an alternative to passcodes, Apple would have probably been better served by selling it as an alternative to, well, nothing, which is what the vast majority of users have chosen as their data protection mechanism of choice.

In practice, Touch ID is safe enough to use for most of us--perhaps not as good as a fifteen-character password, but probably better than a four-digit passcode, and certainly much better than nothing at all.


Stories by Marco Tabini
