Does the iPhone 5S Fingerprint Sensor Make it More Secure?
Apple says it promotes security, but experts aren't quite so sure.
Sept. 11, 2013 -- After about a month of speculation, Phil Schiller, Apple's VP of marketing, announced Tuesday that the iPhone 5S would come equipped with a fingerprint sensor. Officially called Touch ID, the sensor and its software will let users access their iPhone and iTunes account via thumbprint. But will Touch ID actually make iPhones more secure?
"So much of our personal lives are on these devices. ... We have to protect them," said Schiller. The fingerprint sensor was a security measure that Apple installed, possibly in reaction to the fact that over half of iPhone users don't use a passcode. "Some people find [passcodes] too cumbersome," Schiller added.
Fingerprint readers themselves aren't a new invention, but they never quite made it into the mainstream. Anil Jain, a University Distinguished Professor of Computer Science at Michigan State University, said several other companies have tried to take advantage of the fingerprint as an unlocking device. "There have been laptops, USB sticks, car doors, hotel locks, and even Disney World tickets that have used fingerprints," he told ABC News. "But nothing's really taken off."
Perhaps one of the reasons why fingerprint scanners haven't found their footing in the marketplace is because they can be finicky. "You can't place your finger in any direction and then expect the fingerprint matching algorithm to accept it," said Jain. The state of your finger also matters, he added, noting that a dry finger may scan differently than a wet one or a lotioned one.
A fingerprint reader that doesn't work reliably can add to a user's frustration. It could be just as off-putting as mistyping a password. We didn't find that sort of fustration in our short time testing out the iPhone 5S' sensor. After registering a print it logged us in almost instantly and when another tried to unlock it with their thumb an error message read "try again."
But other security experts worry that a misread fingerprint might be the least of theworries, especially in regards to a device as ubiquitous as an iPhone.
"One security measure does not mean that the device is secure or that the applications on the device are secure," said Scott Matsumoto, principal consultant for the software security firm Cigital. "There's no one thing you can do that says, '*POOF*, you're secure!' Security is built up from a lot of small things."
Apple keeps its record of the fingerprint confined to the iPhone and not on an external server. However, Matsumoto said that users should be careful because the iPhone is both storing and validating a user's fingerprint in the same place. "The way that it's stored is very insecure," he said. "How do you change a fingerprint if it gets compromised? It's the last thing that I want to happen."
Ann Cavoukian, the Privacy Commissioner of Ontario, Canada, said that an Apple password breach might not be quite so catastrophic, provided that the company takes the right steps. "If Apple were to use biometric encryption, they would not be using the fingerprint itself as the password," she said, "Instead, they would store something meaningless as the password with the fingerprint as the key."
Cavoukian has had success in using biometric encryption in Ontario, particularly with video cameras armed with facial recognition that target gambling addicts and prevent them from trying to sneak into government-sponsored casinos. "I approved of this because the cameras used biometric encryption," she said. "Only the biometric record is retained on file, not the actual face."
If someone broke into an iPhone and stole the device's record of the fingerprint, it wouldn't affect the security of products and services outside of the iPhone. "They wouldn't get the actual fingerprint or ID, just some gibberish," said Cavoukian. Overall, she approves of the sensor. "I think it's a good idea, but the devil's in the details."