Fingerprint security — while it may appear to be the most “high-tech” means of protecting access to secure information (every lab in a movie ever, your new iPhone 5S), it’s actually quite a logically-flawed system simply because: you leave the key everywhere you go, and on everything you touch.
So when it came to Apple’s new TouchID system, the main question on everyone’s lips was whether Apple’s design could counter lifted fingerprints.
According to a blog post by Marc Rogers on Lookout, the answer is not as simple as we might expect. He says that TouchID has flaws but, “the reality is these flaws are not something the average consumer should worry about. Why? Because exploiting them was anything but trivial.”
In Rogers’ own words:
“Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.”
In short, here are the steps:
Creating the fake fingerprint is the hardest part of all. You essentially have to photograph the print — scale, resolution and all — edit it to clean it up, and then use one of two methods: the CCC method or a method based on Tsutomu Matsumoto’s 2002 paper The Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems. We won’t go into the details of the methods here, but it’s safe to say they require great skill, patience and equipment.
So, as Rogers argues, hacking into TouchID is not something an everyday thief could achieve. However, it will be vulnerable to a “targeted attack.” As we continue to store more and more sensitive information on our mobiles, we quite simply have to start taking mobile security more seriously. TouchID at least offers some protection, which is better than not having a PIN at all.
For Rogers, fingerprint security will protect you in three key areas:
Then there is the question of the fingerprint data itself. What data does Apple capture, how does it store and access it, and could this data be used to recreate a fingerprint if accessed directly? For all its promises, Apple still stores the data somewhere, and that somewhere could theoretically be hacked.
For Rogers, the future of TouchID is the two-factor authentication method: namely a combination of fingerprint and numeric PIN. Each method has its own strengths and weaknesses, but combining them softens their flaws while keeping their respective advantages.
Rogers would keep the convenience of the fingerprint when accessing an app, even with something like banking, but once a sensitive request is made — transferring money, for example — you need to give both the fingerprint and a PIN. The logic is that attackers might be able to get one piece of authentication information, but rarely both.
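The step-up policy Rogers describes is easy to state but worth seeing as working logic, because the interesting cases are the failures: a lifted print that passes the sensor but has no PIN behind it, a PIN entered too long ago, and an action the policy was never told about. The following is an added illustration written for this post; it is not Apple’s or Lookout’s code, and the action names, the two-minute PIN freshness window and the sample PIN are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac
import os
import time

# Hypothetical action tiers: a fingerprint alone is enough for the first set,
# the second set requires the fingerprint AND a recently entered PIN.
FINGERPRINT_ONLY_ACTIONS = {"open_app", "view_balance"}
STEP_UP_ACTIONS = {"transfer_money", "change_pin"}
PIN_FRESHNESS_SECONDS = 120  # assumption: a PIN entry is good for two minutes


@dataclass
class Session:
    """What the app remembers about the current user: when each factor last passed."""
    fingerprint_verified_at: Optional[float] = None
    pin_verified_at: Optional[float] = None


def enroll_pin(pin: str) -> Tuple[bytes, bytes]:
    """Store only a salted, stretched hash of the PIN, never the PIN itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return salt, digest


def record_fingerprint_match(session: Session, sensor_matched: bool, now: float) -> None:
    """Called with the sensor's yes/no result; only a positive match touches the session."""
    if sensor_matched:
        session.fingerprint_verified_at = now


def record_pin_entry(session: Session, entered: str, salt: bytes, digest: bytes, now: float) -> bool:
    """Check an entered PIN against the stored hash in constant time; stamp the session on success."""
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode(), salt, 100_000)
    ok = hmac.compare_digest(candidate, digest)
    if ok:
        session.pin_verified_at = now
    return ok


def authorize(action: str, session: Session, now: float) -> Tuple[bool, str]:
    """Decide whether `action` may proceed given which factors are present and fresh."""
    if session.fingerprint_verified_at is None:
        return False, "fingerprint required"
    if action in FINGERPRINT_ONLY_ACTIONS:
        return True, "fingerprint sufficient"
    if action in STEP_UP_ACTIONS:
        pin_at = session.pin_verified_at
        if pin_at is None or now - pin_at > PIN_FRESHNESS_SECONDS:
            # A lifted print gets this far and no further: the second factor is missing or stale.
            return False, "fresh PIN required"
        return True, "fingerprint and PIN verified"
    return False, "unknown action"  # deny by default rather than guess a tier


if __name__ == "__main__":
    salt, digest = enroll_pin("4321")  # constructed sample PIN
    s = Session()
    t0 = time.time()
    record_fingerprint_match(s, True, t0)
    print(authorize("view_balance", s, t0))          # allowed on the print alone
    print(authorize("transfer_money", s, t0))        # denied: only one factor present
    record_pin_entry(s, "4321", salt, digest, t0)
    print(authorize("transfer_money", s, t0))        # allowed: both factors fresh
    print(authorize("transfer_money", s, t0 + 300))  # denied again: PIN has gone stale
```

Two design choices matter here. Unknown actions are denied rather than treated as low risk, so a new feature cannot silently bypass the step-up requirement by being left out of the tier lists. And the PIN check stamps the session only on success, so a wrong guess never leaves the second factor looking satisfied.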
TouchID is a step in the right direction. What it brings to light is that people need to start taking mobile security more seriously. Changing PINs frequently helps, but for the less tech-savvy perhaps the future really is a two-factor authentication method. For one, it could definitely help curb phishing attacks.