Touch ID AKA Touchy ID

Before we start, lets take a moment to recognize the layers in this joke title, “Touch ID AKA Touchy ID”. Get it? It’s a fingerprint scanner that people are arguing over, and you need to touch it a lot to make it work? It’s “touchy”? I guess I’m the only one who finds that amusing. Moving on.

So recently there has been a lot of hate towards the new finger print reading technology included with Apple iPhone called Touch ID. There are tons of YouTube videos explaining how easy it is to trick the fingerprint scanner, how insecure the technology is, people proclaiming its gimmicky, and the list goes on and on. It’s not just Touch ID that is getting a bad rap, any device using the fingerprint technology has also come under fire. Well, I’m here to tell you some good that has come out of it, and how it might even make your life a little easier.

The Good:

  1. It’s better than a four digit pin. That’s just for starters. I don’t care who you are, at some point in your life you’ve used the standard and completely breakable four character all numeric pin. In some cases, you’re forced to, but that’s a different gripe and the topic for another article. I’m willing to bet that most anyone reading this is actually using a simple pin on their phones right now. Why? Convenience. Bio-metric readers, like Touch ID, offer a good alternative to this prehistoric pin tech. Swipe your finger, and away you go.
  2. It’s better than a basic pattern lock, and I would argue that while mathematically inferior to raw attempts (brute force) when compared to pattern locks, it leaves less evidence behind to use against cracking the device. We’ve all seen the oil smeared screen of a user who has a nice worn path where their most used lock pattern has been traced. With a fingerprint scanner, like  in my example, the Touch ID system, you see no oily streaking because there is none. See this link for an explanation of how patterns can be weaker than pins.
  3. It can’t be stolen by shoulder surfers. If I stand near or by you I could see your pin, or get a good idea of your pattern, but with a fingerprint, I get nothing. That’s worth something.
  4. It can’t be stolen by video surveillance. If I catch you on camera entering your pin, or swiping your pattern, I can recreate that with the device. I can’t do that with a fingerprint for the same level of effort. Even if they tried, see the list of extra precautions Touch ID specifically uses to help mitigate some of that threat.
  5. The fingerprints themselves are not stored as a picture on the device, so it can’t be compromised and then reused against you. Only a hash of the fingerprint is used in order to match what has been recorded previously, and that hash is isolated in its own security enclave which is never backed up to iCloud or removed from the device. In addition to this, it can’t just be a picture either. It uses capacitive touch to make sure that at the very least, something living is on the other side. This last part is easily tricked, but adds to overall security.

OK. So now that we’ve established a baseline of why it is a good alternative to the traditional same ol same ol. Where does it fail?

The Bad:

  1. You can be forced to give your fingerprint by law enforcement in some areas around the world. Obviously you shouldn’t be doing anything that requires constant harassing by law enforcement, but as an example, you could be forced to place your finger on a scanner to unlock your device. You are safe for the most part with regards to information that you know, like a pass-phrase or password, although I’m sure there are areas where that type of protection is limited. It is important to note that in both of these cases if the “interested party” are not held to a sworn set of laws, you can always be convinced to provide your credentials or the appendage that is used for biometric scanners against your will.
  2. They can be fooled. Specifically the fingerprint readers. There are many ways to recreate a fingerprint and use it to unlock a device, or system, or door, or whatever else you’ve trusted to this security measure. This has been proven already for many types of biometric scanners. The security measures around the core system are what ultimately determine the security as a whole in this case.
  3. They cannot compete with a good old-fashioned complex password or long pass-phrase. They do however win in convenience when compared to those options.
  4. Your fingerprints are everywhere. People won’t need to work very hard to get a copy of them, but at least they need to work a little harder to know which finger you’ve registered.

Who is this technology for?

Anyone who needs convenience, but still wants to make sure they’re protected equally to, or greater than the traditional non-complex methods used for mobile devices. Although it is imperfect, it can be used to maintain the existing level of convenience found with the pin login capability, and can also potentially encourage the end-user to use their password with more applications that come to support fingerprint scanning as a credential. This would increase security overall for the device.

Rules for the Touch ID technology that help it to maintain a better security posture.

  1. A master four or six digit pin, alphanumeric password or pass-phrase is needed if the Touch ID fails three times.
  2. Every 48 hours the device will require the master pin to be entered  to retain the ability to use Touch ID.
  3. If the device is restarted the pin must be entered before Touch ID is usable.
  4. Optional: After 10 failed logins, the device will erase its content.
  5. Optional: Touch ID can be used for just the device, iTunes store, or Wallet. Once enabled, you can choose to use it with supporting applications, or configure traditional pins for said applications.
  6. Your Touch ID fingerprint(s) hashes are never removed from the device, and are segregated from normal operation of the phone at the hardware level.

Final Verdict.

Touch ID doesn’t compare to a complex password. No one will argue that. But if you’re leaving the security of your device up to a simple pin (which you shouldn’t), and this is an option on your phone, why wouldn’t you? It is reliable, it’s easier than entering a pin, it promotes a broader use of passwords within applications themselves, and it isn’t as prone to over the shoulder attacks as traditional non-complex methods.

Can the scanner be fooled? Can you be convinced to swipe your finger? Sure, but you need to weigh that risk against your own threat-level and how interested people really are to get what’s on your device.

If you have anything that you want to add, append, or correct, get in touch via any of my social media accounts or send an e-mail.

Tagged as: , ,