English   Deutsch   Русский   中文    

Apple finally gets something right

Oct 08, 2013 by Dave Kearns

Apple’s new iPhone (the 5S model) is equipped with the Touch ID fingerprint reader. Its release just a couple of weeks ago has generated more discussion (and bloviating) about biometrics, fingerprints in particular, than all other fingerprint systems together. Not only that, but it’s forcing me to do something I’ve rarely – if ever – done before: say something nice about Apple.

In the twenty years I’ve been writing and opining about technology I’ve occasionally ranted about Apple, its products, its management and its fans, but for the first time, today, I can say bravo Apple.

Bravo Apple for introducing millions of users to the benefits of biometrics.

There’s been a lot of urban mythology about Touch ID being spread already, so here’s a look at some of the more outrageous claims, and why they are outrageous.

  • The NSA will now have your fingerprints (variations include the CIA, the local police, GCHQ, the DGSE, and the Chinese secret police)
  • Criminals can get your fingerprints and plant them at crime scenes (variation: so can the police)
The iPhone neither sends your fingerprint data to Apple, the Cloud or anywhere else (it’s only stored locally on the phone), nor is there a picture of your fingerprint stored anywhere. Like all portable devices (smart phones, “dumb” phones, tablets, etc.) there are probably latent fingerprints all over the screen and the cover. Anyone in possession of your phone could “lift” these prints for whatever purpose, criminal or benign. But that has nothing to do with the Touch ID function.
  • The iPhone reader is easily hacked; it even works with your cat’s paw!
Germany’s Chaos Computer Club claims to have “…successfully bypassed the biometric security of Apple's Touch ID using easy everyday means.” Everyday means? Here’s how they describe the process:
First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi. Then the image is converted to black & white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi. To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use.
What? You don’t keep “photo-sensitive PCB material” around the house?

As to the “cat’s paw” statement, one user found that he could enroll the cat by swiping its paw on the Touch ID button. You could also enroll just about any ridged surface. And that same ridged surface would be validated and unlock the device when applied subsequently. It’s not that your cat’s paw could be mistaken for your finger!

  • Fingerprint matching is notoriously unreliable
Fingerprint matching is not 100% reliable. The false positives and false negatives, though, are generally proportional to the number of fingerprints being matched to. Take one fingerprint and try to get a match against the millions in the FBI database and there’s a small, but significant, chance of a false match. But take one fingerprint and try to get a match against the one dataset stored on your iPhone and you’ll find it’s almost always accurate. An occasional mis-read because you swiped your finger poorly is hardly the fault of the hardware and software.
  • Fingerprints are a poor replacement for passwords. What happens if they’re compromised? You can’t change your fingerprint
This is a fallacious argument because in addition to having ten fingers (which can be used in multiple combinations, millions of them in fact) the algorithm used to transform your fingerprint data into a private key could also be changed rendering millions more possibilities. But I will partially agree with this. Biometrics shouldn’t be used to replace passwords. Instead, they should be used to replace usernames.

Usernames need to be unique. While there’s no specific proof that fingerprints (or iris scans or heart waves) are unique, it’s easy enough in any particular namespace to ensure that the biometric is unique at the time of enrollment by comparison to those already enrolled (just as Gmail, for example, tells you that “dkearns is already in use. Would you like to be dkearns1043?”). Also, in the 150 years or so that we’ve been using fingerprints for identification there’s never been a proven instance of two sets being alike. I think we can safely say there’s a Theory of Unique Fingerprints, at least until someone can refute the theory.

In the past I’ve suggested that an email address (which does have to be unique throughout the internet) makes an ideal username. But it’s ridiculously easy to know (or guess) someone’s email address. Standard usernames (first initial and seven letters of last name, for example) are frequently the part of the email address to the left of the “@,” so again, easily guessed. But you can’t guess a fingerprint. You can’t discover it through social engineering, either. It can be collected, but despite what the Chaos Computer Club says, that’s not particularly easy for the average person (e.g., one who could guess your username or email).

For unlocking your iPhone, a swipe of your finger is “secure enough” for most situations. But if Apple wants to also use the finger swipe to authorize access to apps (or “outside the phone” data), then coupling the swipe with a PIN, password or pass phrase makes a lot of sense. It’s not absolutely secure, but it is strong enough for the average user, their average device and the average data they need to access. Even if someone has stolen (or hacked) your password, they still need to re-create your fingerprint. Not at all easy, as we’ve seen. Fear not, swipe away!


Author info

Dave Kearns
Senior Analyst
Profile | All posts
KuppingerCole Blog
KuppingerCole Select
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live training sessions.
Register now
RTSI asnd Future SOC
Statistics show that most data breaches are detected by agents outside of the organization rather than internal security tools. Real Time Security Intelligence (RTSI) seeks to remedy this.
KuppingerCole CLASS
Trusted Independent Advice in CLoud ASSurance including a detailed analysis of the Cloud Assurance management tasks in your company.
 KuppingerCole News

 KuppingerCole on Facebook

 KuppingerCole on Twitter

 KuppingerCole on Google+

 KuppingerCole on YouTube

 KuppingerCole at LinkedIn

 Our group at LinkedIn

 Our group at Xing
Imprint       General Terms and Conditions       Terms of Use       Privacy policy
© 2003-2015 KuppingerCole