Apple strengthens user protection in their new flagship smartphone meaning biometric identification might finally go mainstream. Is it good or bad, and what are the potential consequences?
First, we’ll try to calm all conspiracy theorists: it doesn’t seem that Apple introduced biometric ID just to please their NSA friends and collect the fingerprints of taxpayers for the feds. Apple stated that fingerprints are stored in a specially produced derived form (i.e. not photos) and always kept locally, never getting transmitted to the Net. In addition, fingerprints and Touch ID scanners are unavailable to third-party apps; only iOS can use it. So, what can be protected with all these restrictions?
Quite a bit can. Most obviously, it’s much easier for legitimate owners to unlock their smartphones. All it takes is a simple Home button press, and an embedded capacitive sensor will instantly recognize the fingerprint, granting access to the person on the “white list.” Unauthorized persons or owners in gloves will see a message saying it’s impossible to recognize this fingerprint. In this case, they would have to type an alphanumerical backup password. In addition to people wearing gloves, technology might fail in cold weather, when hands are wet or covered with lotion, scarred or burnt. That’s why it’s still important to memorize a password since it might come handy quite often.
Owners will be obliged to pass a Touch ID check when approving iTunes or App Store purchases and in other situations, when iOS normally asks for a password. We suggest enrolling multiple fingers from both hands to increase convenience.
Of course it’s very interesting to wonder if new protection mechanisms are robust and secure enough. As we previously mentioned, biometric sensors are imperfect. To implement Touch ID, Apple bought Authentec, a specialized company with quite interesting biometric technology developments. The scanner reads not only dermal ridges, but sub-epidermal layers of the skin as well, which makes fingerprint forgery much more complicated. The new sensor probably has some vulnerabilities that will be discovered by curious hackers when 5S becomes mainstream. However, we have no information about such vulnerabilities or their mere existence at this point.
Update: Just two days after sales started, hackers from Germany-based Chaos Computer Club published a blogpost regarding an easy and cheap 5S sensor hack. They claim, that the iPhone fingerprint scanner is no different from previous models, but it has a higher resolution. Thus it’s very easy to pick up a fingerprint from any surface and forge it using latex.
It’s not easy to choose between familiar pin lock and novel fingerprint protection. Pin codes are easier to snoop and it takes more time to type them. Fingerprints are harder to forge and easier to use, but someone who desperately needs your data may just force you to touch your smartphone with the right finger. Of course, this scenario is more appropriate for a Hollywood action movie, not real life, but if you’re in possession of really valuable information you have to consider this and possibly avoid storing that information on your smartphone.
When talking about “ordinary people,” it seems they shouldn’t be afraid of Apple’s new technology for now. However, there is a speculation the next step for Apple will be an own payment system with biometrics serving as a primary authentication for purchase approval. In this case, fingerprint transmission over the network seems to be inevitable, and this gives hackers very good reason to develop an attack targeted at a mainstream audience. So if you’re worried about your fingerprints falling into wrong hands, re-consider using Apple biometrics when you hear about payment systems or any other ecosystem development, which might be based on extended fingerprints usage.