Apple’s recently released iPhone 5S has brought biometrics-based authentication into the mainstream. One of the new high-end smartphone’s distinctive features is its Touch ID fingerprint scanner contained in the device’s home button. After powering-on the iPhone’s display, users can simply rest a finger on the button and the operating system unlocks itself if it recognizes the print.
Why Touch ID could improve mobile device authentication
Ideally, Touch ID is a forward-looking, ironclad authentication mechanism that obviates the need for PINs and passcodes on mobile devices. In addition to being subject to possible brute-force hacking or guesswork, a PIN is just another password to be remembered, and it is time-consuming to input. If security is set up, the iPhone requires the PIN to be entered each time the user wakes the screen from sleep, which can be dozens of times a day.
The hassle has caught up to users. In a blog post for The New York Times, David Pogue stated that half of iPhone users do not use a PIN, despite the obvious risks that such a practice invites in the form of pilfered devices and stolen identities.
Accordingly, Touch ID is meant to perform the double feat of improving mobile security while also making it less annoying. The logic would seem to go: a person cannot forget his/her fingerprint and does not have to enter it as a string of characters. A simple half second touch and hold makes authentication quick and painless, not to mention less susceptible to some traditional hacking methods.
Touch ID and privacy implications
Moreover, tying online identity to something as intrinsic as a fingerprint would create firmer linkage between persons and their increasingly true-to-life personae on social networks – for better or worse.
Writing for the Pacific Standard, Kyle Chayka highlighted how the iPhone 5S sensor is the high watermark in the push toward eliminating anonymity both on computing devices and online. With fingerprints replacing usernames or passwords, users may feel more at ease, knowing that no one else technically has the credential to access their accounts, and that their peers are who they say they are.
“The disconnect between the physical you and digital you is hard to compensate for,” said miiCard CEO James Varga. “As an industry born of privacy and pseudonyms, [the Internet] suffers from a fundamental lack of trust.”
Biometrics-based authentication could improve trust. However, the harvesting of so much personally identifiable information by technology companies could create irresistible opportunities to sell it and target more ads against it. Although Apple, unlike competitor Google, does not run an advertising business, its foray into biometrics may trigger a deluge of similar services.
German hackers demonstrate possible weaknesses in Touch ID
Possibly adverse privacy implications aside, Touch ID, and biometrics at large, may not be a silver bullet in terms of security, either.
A group of German hackers recently provided video proof that they had found a way to bypass the new iPhone 5S feature. According to The Guardian’s Charles Arthur, the hackers used an elaborate process that began with lifting a high-quality print, typically from a doorknob or glass pane.
Biometrics skeptics, including security expert Graham Cluley, have cited the ubiquity of liftable fingerprints – a person may leave hundreds or thousands of them on doors and windows throughout the day – as a fatal flaw in tools like Touch ID.
“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” lead hacker Starbug wrote in a blog post on the issue. “As we have said now for many years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
Doubts surround feasibility, implications of Touch ID hack
To be fair, the hackers’ process required a considerable deal of extra work and craftsmanship to make the prints usable. Graphite powder, high-resolution photography and the creation of a usable relief were all prerequisites for fooling the Touch ID sensor.
Lookout’s Marc Rogers, who conducted his own separate successful attack on Touch ID, dismissed the current security concerns, stating that they required an enormous level of forensic expertise and dedicated effort. 9to5Mac contributor Ben Lovejoy stated that Starbug’s attack took 30 hours, despite the hacker’s expertise, and that current techniques would make it unfeasible for iPhone thieves to thwart Touch ID in the wild.
“Practically, an attack is still a little bit in the realm of a John le Carré novel,” argued Rogers. “It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints, requiring a PIN code to unlock it.”
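As an added illustration (not code from the article or from Apple), the lockout rule Rogers describes, modelled as a small policy layer that sits between the fingerprint matcher and the lock screen; the passcode value and the sequence of matcher verdicts are constructed for the example.

```python
import hmac
from dataclasses import dataclass

MAX_BIOMETRIC_ATTEMPTS = 5  # the limit quoted in the article


@dataclass
class UnlockPolicy:
    """Policy layer between the fingerprint matcher and the lock screen.

    Failed biometric attempts are counted; once the count reaches
    MAX_BIOMETRIC_ATTEMPTS the fingerprint path is disabled until a
    correct passcode resets it. Hypothetical model, not Apple's code.
    """
    passcode: str            # constructed sample value, never a real secret
    failures: int = 0
    biometric_locked: bool = False

    def try_fingerprint(self, matched: bool) -> bool:
        """`matched` is the matcher's verdict; this method only enforces policy."""
        if self.biometric_locked:
            return False                     # fingerprint path is closed
        if matched:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_BIOMETRIC_ATTEMPTS:
            self.biometric_locked = True     # from now on only the PIN works
        return False

    def try_passcode(self, pin: str) -> bool:
        ok = hmac.compare_digest(pin, self.passcode)  # constant-time compare
        if ok:
            self.failures = 0
            self.biometric_locked = False    # a good PIN re-enables biometrics
        return ok


def run_scenario() -> list:
    """Constructed sequence: five mismatches, a genuine print that is still
    refused, a wrong PIN, a correct PIN, then the genuine print accepted."""
    policy = UnlockPolicy(passcode="2468")
    log = [policy.try_fingerprint(False) for _ in range(MAX_BIOMETRIC_ATTEMPTS)]
    log.append(policy.try_fingerprint(True))   # locked: refused despite a real match
    log.append(policy.try_passcode("0000"))    # wrong PIN: still locked
    log.append(policy.try_passcode("2468"))    # correct PIN: unlocks, resets counter
    log.append(policy.try_fingerprint(True))   # biometrics usable again
    return log


if __name__ == "__main__":
    print(run_scenario())
```

The counter limits guessing with fakes; it cannot help once a fake is good enough for the matcher to report a match, which is the weakness the article describes.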
Touch ID and the importance of storing sensitive data locally
Ultimately, Touch ID is about security and simplicity in a single package. To achieve that lofty goal, Touch ID bucks the trend of storing credentials on a server, eliminating the surface for sophisticated Web attacks and outlining a new way forward for mobile security. More specifically, it raises the question of whether locally stored credentials improve security and privacy for users.
Arthur pointed out that despite the successes of Starbug and Rogers, the actual fingerprint data in the iPhone 5S remained safe on a secure chip. The error was with the sensor’s parsing of an imitation. As such, the sturdiness of Touch ID’s security may be a feather in the cap for local data storage, which while not scalable in the same way as cloud-based alternatives may be better equipped against attack.
Since Touch ID may eventually move beyond device-level authentication and into the commercial realm, it will be important for developers and Apple itself to ensure that user credentials and biometrics are protected.
“[Fingerprint purchasing] sounds like a simple idea, but how many places could that become a bad idea because you failed to execute on it?” asked Apple vice president Craig Federighi.
With any luck, this level of awareness of the possible security and privacy issues with Touch ID will guide the cybersecurity community toward a better understanding of how biometrics-based authentication will impact the mobile landscape.
Learn more about BYOD and Consumerization of IT from Trend Micro