Apple's iPhone 6 fingerprint scanner has a level of accuracy that makes it a solid authentication tool for people planning to use the smartphone in place of a credit card for in-store purchases, research shows.
The scanner called Touch ID was more difficult to fool with a fake fingerprint than the previous version in the iPhone 5s, according to mobile security vendor Lookout. The new scanner's level of accuracy is sufficient for use with Apple Pay, the payment system available in the iPhone 6.
"As it stands, right now, it's a great security measure," Marc Rogers, the Lookout researcher who tested the new iPhone, said Tuesday. "I don't think you'll find street criminals that are able to duplicate fingerprints."
Creating a fake fingerprint capable of tricking the new scanner requires a high-level of skill, patience and over a thousand dollars worth of equipment. A description of the lengthy process is on the Lookout blog.
Rogers found that the latest Touch ID scanned a much wider area of the fingerprint to improve reliability and used a higher resolution in identifying a print more accurately.
A fake fingerprint would most likely be used in a targeted attack against an individual, provided the criminal could get a well-defined fingerprint of the digit the person uses with Touch ID. Such a print would unlikely be available on the phone's touchscreen.
Experts who read Rogers' blog said the research added credence to the argument that the use of Apple Pay is safer than handing a stranger at a restaurant or store a debit or credit card.
"The consumer is currently accepting a horribly insecure system with general credit cards," Tyler Shields, analyst for Forrester Research, said. "I believe that Touch ID is a great addition to mobile payments regardless of the recent research."
Indeed, the insecurity of credit cards has been highlighted in the theft of 10s of millions of payment card numbers from retailer Target last year and Home Depot this year.
Apple Pay uses a near-field communication (NFC) transmitter to send payment data to a store reader. The actual credit card number is never sent. Instead, the phone transmits a payment token that is a representation of the actual number.
Touch ID is used for authentication before the payment is sent.
Along with the improvements in the scanner, Rogers would like to see Apple bolster security in other areas.
Currently, a person gets six tries with Touch ID to unlock a phone. On the seventh, the user will have to enter his passcode.
Rogers would like Apple to let the iPhone owner decide how many tries to unlock the phone. Choosing a smaller number would strengthen security.
Also, Rogers wants Apple to incorporate in Touch ID technology that would no longer make it possible to fool the scanner with a fake fingerprint, no matter how high the quality.
Rogers said Apple obtained such technology in the 2012 acquisition of AuthenTec, a maker of fingerprint sensors for mobile phones and other portable electronics.
"My guess is it (the technology) was either too expensive or too cumbersome to put into the iPhone, so Apple didn't use it," Rogers said.