Smashing through the media hype: iPhone 5s fingerprint reader not really “less secure” or “hacked”
This morning the media fear machine is swirling with the news that the iPhone 5s fingerprint reader has been “hacked” by taking a high resolution image of the user’s prints. Before we go any further, watch the video above.
The group simply called “CCC” describes the process as being simple enough to do with household material, then goes on to say in the next sentence that “the fingerprint of the enrolled user [needs to be] photographed with 2400 dpi resolution.”
For those of you following at home, taking a 2400DPI image of a fingerprint is not exactly a simple task and will require quite a bit of digital cleanup before it can be used, as per the how-to walk though. If you read through the process, it’s a long, slow process that your average thief would not likely have the time or motivation to undergo.
I’ll agree that no fingerprint scanner is perfect and I would’ve been surprised if something like this didn’t emerge at some point. Almost every single one in the past has been compromised previously with a similar technique but the principle of basic security through a fingerprint scanner is sound, especially when you consider the implications of how widespread it could become.
With Apple making a fingerprint reader so easy to use and accessible to the masses, I don’t think a “hack” like this matters. There is a point where security needs to be traded off for simplicity for users to adopt it.
In my experience working in corporate IT, PIN access is somewhat slow and a barrier to getting things done so many users choose to just not have any security at all on their devices. When I’ve enforced a company policy of requiring a PIN on user devices there has been uproar from those claiming it’s an annoyance. There are many flaws to using PIN access – just as there are a fingerprint scanner – such as others shoulder surfing to get your code or recording you entering it.
The iPhone 5s is the first mobile device to make fingerprint access quick, reliable and simple enough that the masses will use it without hesitation. So much so that there’s really no excuse to not have it enabled on your phone anymore.
Touch ID makes security so transparent and magical that takes away the barrier to what everyone really wants to do: use their phone.
To be clear, the goal of Touch ID is not to be unhackable. The goal is to get more consumers to move from no security at all to some security.
Remember that touch ID does not store your fingerprint in any way, just the mathematical hash of it so it’s never transmitted back to Apple or the NSA as I’ve seen many people circulating on the internet. The largest problem Apple is going to have with touch ID adoption is the media hype and paranoia surrounding mass surveillance that is ever present at the moment. Perhaps the timing could have been better.
All this said, I do think Apple should consider some sort of two-factor alternative of a fingerprint and a PIN as an option for those needing further security, but I think touch ID goes far enough that it’s more secure than a PIN based on sheer simplicity.
In my opinion, if you have people going to the lengths required to fool the iPhone 5s scanner and get into your device there are bigger problems on your hands. If you have sensitive documents on your phone that could endanger the world if they fell into the wrong hands perhaps you should reconsider storing those on a phone.
There is a simple flaw with all fingerprint based technology that leaving fingerprints behind is a fact of life and thus they shouldn’t be used for purchases (which I agree with until the technology gets better) but for access to a mobile device I believe they’re sufficiently difficult to recreate that it’s realistic enough to use them.
Every security mechanism has flaws, but for protecting you from friends making a Facebook update on your device or the average thief who steals it, touch ID is more than enough. The technology will get better with time, so I wouldn’t count fingerprint readers out just yet.
Apple is bringing robust authentication to the masses on mobile devices and I think it’s good enough for now.