TouchID was hacked, is two-factor authentication mobile security’s future?

Apple touchID video still

Fingerprint security — while it may appear to be the most “high-tech” means of protecting access to secure information (every lab in a movie ever, your new iPhone 5S), it’s actually quite a logically-flawed system simply because: you leave the key everywhere you go, and on everything you touch.

So when it came to Apple’s new TouchID system the main question on everyone’s tongues was whether Apple’s design could counter lifted fingerprints.

According to a blog post by Marc Rogers on Lookout, the answer is not as simple as we might expect. He says that TouchID has flaws but, “the reality is these flaws are not something the average consumer should worry about. Why? Because exploiting them was anything but trivial.”

In Rogers’ own words:

“Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.”

In short here are the steps:

  • Obtain a suitable (complete, unsmudged, correct finger) print
  • “Lift” the print. All you need is to develop the print using a technique of super glue mixed with fingerprint power and fingerprint tape. Sound easy enough? You only get one shot cause the “lift” kills the original print.
  • Create the actual fake fingerprint. All you need is a good few hours, and according to Rogers, “thousands of dollars worth of equipment including a high resolution camera and laser printer.”

Creating the fake fingerprint is the hardest part of all. You essentially have to photograph the print — scale, resolution and all — edit it to clean it up, and then use one of two methods: the CCC method or a method based on Tsutomu Matsumoto’s 2002 paper The Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems. We won’t go into the detail of the methods here, but it’s safe to say they require great skill, patience and equipment.

So as Rogers purports, hacking into TouchID is not something an everyday thief could achieve. However, it will be vulnerable to a “targeted attack.” As we continue to store more and more sensitive information on our mobiles, we quite simply have to start taking mobile security more seriously. TouchID at least offers some protection, which is better than not having a PIN at all.

For Rogers, fingerprint security will protect you in three key areas:

  • The street thief who grabs your phone
  • If you lose, drop or misplace your phone
  • Protect you against phishing attacks (if Apple allows it)

Then enters the question of the data of the fingerprint itself. What data does Apple capture, how does it store and access it, and could this data be used to recreate a fingerprint if accessed directly? For all its promises, Apple still stores the data somewhere which could be theoretically hacked.

For Rogers, the future of TouchID is the two-factor authentication method: namely a combination of fingerprint and digit PIN. Each method has its own strengths and weaknesses, but combining them softens their flaws while keeping their respective advantages.

Rogers would keep the convenience of the fingerprint when accessing an app, even with something like banking, but once a sensitive request is made — the transfer money for example — you need to give the fingerprint and a PIN. The logic is that attackers might be able get one piece of authentication information, but never both.

TouchID is a step in the right direction. What it brings to light is that people need to start taking mobile-security more seriously. Changing PINs frequently helps, but for the less tech-savvy perhaps the future really is a two-factor authentication method. For one, it could definitely help curb phishing attacks.



Sign up to our newsletter to get the latest in digital insights. sign up

Welcome to Memeburn

Sign up to our newsletter to get the latest in digital insights.