The scary side of Touch ID

In this, the inaugural Private i column, I want to freak you out just a little bit. In the coming weeks, this column will help Mac and iOS users understand the implications of the latest security exploits, privacy hacks, and encryption options, and how to protect themselves or take advantage of them, as the case may be.

But I want to start with Touch ID and why it's a technology that needs more discussion as its use as an identity validation has broadened to other apps in iOS 8.

Fingerprint-based identification isn't new, nor are biometric markers for authentication, like scanning one's optic nerve or handprint or blood-vessel pattern or the like. They're the stuff of sci-fi movies made thoroughly real, routine, and boring by modern technology. Prior to the addition of Touch ID to the iPhone 5s, however, the vast majority of biometric ID was at fixed locations, like the entrance to a secure facility or even at my children's after-school care program, where my fingerprint, read by a USB-connected reader, let me check them out from a Windows PC.

Some Android phones and other mobile devices had fingerprint sensors, and they have been built in or available as an add-on to laptops and desktops for years. In some industries, it was common. But portable use was likely in the millions, and often concentrated in particular industries. The iPhone 5s, 6, and 6 Plus, and devices from other makers, will push usage past tens of millions today into the hundreds of millions. The convenience can't be beat.

But here's the thing. Someone might be able to coerce a password from you with a wrench, as in this xkcd cartoon or under the threat of a lawsuit, imprisonment, expulsion (from a school or country), death, or other means. But it still requires that threat and your acquiescence. If the information that would be revealed is too private, personal, or damaging, you might persist through whatever civil, criminal, or violent process and never give it up.

Mobile fingerprint sensors change that equation dramatically. Instead of nonphysical or physical intimidation or violence--whether for a good cause or ill--an individual or agent of others who wants some of your information must only get ahold of your device, ensure it hasn't been rebooted, and then be able to hold an appropriate digit still for long enough to validate your fingerprint. And you have to be alive, not necessarily cooperative, for Touch ID to work, because, as Apple said at the iPhone 5s launch, the sensor uses conductivity to scan a "touch" subdermally.

Again, none of this is new as such. What has changed are two factors: first, as I noted, this fingerprint-based unlocking is about to extend out by an order of magnitude or even higher factors; second, iOS 8 leverages Touch ID to allow it to be used with other apps.

I've now upgraded and tested out AgileBits's 1Password 5 for iOS and Panic Software's Transmit iOS, both of which have Touch ID authentication options. I'm a big fan of both apps because of their use of extensions. I can bring up 1Password in Safari through Share and in other apps that have direct support, including Transmit iOS. (Others do as well, and more are coming.) Transmit lets me save (via Share) and open (via Document Picker) to and from file servers.

Here's a scenario I'm already commonly carrying out. I tap my Home button, then use Touch ID to unlock. I tap the Photos app, select an image, and tap Share. I select Transmit, unlock it with Touch ID, and upload. Or, if I want to add a server in Transmit, I touch to unlock my phone, touch to unlock Transmit, go through the process of adding a connection, tap to use 1Password, and touch to unlock it. It's very convenient.

But as I touch, touch, touch, I think about Hong Kong and mainland China; about Afghanistan and Iraq; about Ferguson, Missouri, and police overreach and misconduct; and about extrajudicial American operations abroad and domestic warrantless procedures and hearings about which we know few details. I think about the rate of domestic violence in this country.

Touch ID is a bit of magic, yes. Since an iOS update not long after it first appeared on shipping hardware, I've had few problems with it. But as a nonconsensual method of validating your identity wherever you're carrying a device, coupled with software that likewise recognizes it, Touch ID requires a bit more thought than just registering your fingerprints.

Glenn Fleishman is the editor and publisher of The Magazine, a regular contributor to Boing Boing and the Economist, and a senior contributor to Macworld.
