Apple’s Fingerprinting Helps Security, But It’s Not Enough
Written by Frank Hayes
Apple (NASDAQ:AAPL) has discovered the fingerprint. OK, Apple actually discovered the fingerprint in 2008, when it began filing patents for biometric security. But after five years and the acquisition of biometric authentication vendor AuthenTec, on Tuesday (Sept. 10) Apple finally unveiled an iPhone that can be unlocked with a fingerprint. Very impressive, and something Apple views as crucial for its eventual foray into mobile payments. The only problem? It’s really not enough.
That’s not a knock against AuthenTec or Apple. There’s a fundamental problem with all fingerprint-based authentication—and the very reason it’s so popular for law enforcement. The huge advantages of fingerprints over any traditional password or fob system are that (a) they’re virtually unique, and (b) users aren’t likely to lose, forget or get confused about them. The big problem with fingerprints? You leave copies of them virtually everywhere you go. That means the first thief who finally figures out how to use a copy to unlock an iPhone has made its fingerprint security useless.
Will that happen? There’s every reason to believe it will, and the price of admission for this break-the-security contest is just the cost of a new iPhone 5S. Since they’re all essentially alike, figuring out a technique that works on one can be applied to all of them. (It’s the Microsoft monoculture security problem applied to phone unlocking.) Thieves will be able to experiment endlessly. As long as they don’t damage the phone—which would ruin resale value anyway—they can try anything.
What will they try? Everything. They’ll likely start with techniques that worked against the low-end fingerprint authentication that was popular on some laptop models a decade ago. Presumably AuthenTec’s hardware and software are better, but so are the tools available to thieves. If a simple lifted fingerprint won’t work, how about a 3-D version in latex, built up by a 3-D printer or etched into the latex by a computer-controlled laser cutter?
The question isn’t whether the authentication will be cracked. As always with security, the only question is how expensive it will be to unlock any particular phone.
Of course, people in retail are jaded. Fingerprint authentication has had a very mixed history among retailers. But a phone is different from a point-of-sale terminal. Users own their phones. They trust their phones—often much more than they should.
That said—yeah, Apple’s Touch ID is a neat hack. And it does solve a major problem for both retail app security and mobile payments (in case they ever take off): how to keep customers from walking around all day with their phones unlocked. The reason they do that is that keying in a PIN is just time-consuming enough to get old very quickly. The result is that users will set the timeout for the maximum they can—30 minutes, an hour, whatever the unlocking mechanism will allow them.
With a fingerprint, that’s not necessary. A customer is going to have to lay a finger on the phone just to take it out. With essentially instant, one-touch authentication, users won’t mind unlocking the phone all the time. And the best way to keep card data, transaction information or anything else retail-related secure on a phone is to keep the phone locked.
That’s an advantage to depending on fingerprint unlocking. The disadvantage? Things can go wrong.