How secure is Apple iPhone's Touch ID?
(MoneyWatch) Apple (AAPL) unveiled two new iPhones last week -- the iPhone 5c, which marked the company's entry into the world of colorful, plastic handsets, and the iPhone 5s. The 5s is notable for both its new chipsets (which won't have any immediate impact on performance) and Touch ID, a fingerprint reader built into the Home button.
The fingerprint reader sounds good, but it raises the question: Just how secure is it?
That's an excellent question. We already know that biometric security has its problems. Retinal scanning, a popular science fiction trope, was an early security measure used by some government and military installations. But problems with the technology (like the fact that pregnancy can confuse the test) more recently led to a move to iris scanning. And facial recognition has proven incredibly simple to defeat. For instance, some tests have shown that you can get past a facial recognition camera just by holding a photo of the person in front of the camera.
Can you do more or less the same thing with Apple's Touch ID? Is it vulnerable to just a photo of fingerprints, for example?
Probably not. Apple says the fingerprint scanner is not an optical device -- it's not taking a photo of your fingertip, in other words. Instead, it's a "capacitance" reader, which senses the conductive properties of your subdermal skin layer. The phone is essentially sensing the unique differences in conductivity caused by the raised parts of your fingerprint.
Moreover, Apple claims this data is not transmitted anywhere or stored in the cloud, making it difficult to hack. The data is retained exclusively in the chip, where it is converted to a hash, not unlike the way passwords are encrypted to prevent easy hacking.
That sounds promising, but it's too early to tell how secure the phone will be in real life. Security experts appear to be cautiously optimistic, though. For example, Dirk Sigurdson, director of engineering for Mobilisafe at Rapid7, said: "A strong password that is only stored in someone's brain is arguably the best single factor of authentication. But it's inherently difficult for people to create and remember strong passwords. Because weak passwords are often used, assuming the iPhone fingerprint reader and matching algorithm do a good job of protecting against fake fingers, biometric authentication should overall improve the security of iOS devices."
But that doesn't mean there are no risks. Fingerprints have a significant shortcoming that passwords don't suffer from, for example. Stina Ehrensvard, CEO of security software firm Yubico, points out that "the unique biometrics associated with your identity are static images, and, like any image, can easily be copied. Further, these features cannot be changed, unless you have extensive surgery."
In other words, if your fingerprints ever are compromised, they're probably compromised forever, making that form of biometric security unavailable to you ever again.