On Friday the iPhone 5s will be out on the street, and with it, Apple’s fingerprint scanning technology. There are still some concerns about how Apple is implementing and managing fingerprint authentication, but as long as the iPhone 5s doesn’t fumble completely, the new smartphone could finally spur mainstream adoption of the technology.
As Apple revealed a couple of weeks ago, the home button on the new iPhone 5s is also a fingerprint scanner. Rather than using a passcode, you can now unlock the device just by holding your finger on the home button.
The iPhone 5s isn’t the first mobile device with a fingerprint scanner. The Motorola Atrix included fingerprint authentication back in 2011. Apparently, even Motorola forgot about the Atrix, though, because it had the audacity to send out a tweet slamming the idea of using a fingerprint with a mobile device.
Paul Henry, security and forensic analyst at Lumension believes that the iPhone 5s fingerprint authentication could prove to be a game changer. “There are two factors that will determine the real success of this new feature, which has undeniable potential,” he says. “First, reliability and second, security—though as a security researcher, I have to say it should really be security first.”
Is it secure?
There are questions about how Apple is scanning and storing the fingerprint data. If someone guesses or compromises your passcode, you can just change it to a new one. But, you can’t change your fingerprints. Some worry that a thief can simply use an image or picture of your fingerprint gain access to a user’s iPhone, the same way Android’s facial recognition authentication can be fooled with a picture of the device owner. It wouldn’t be hard to get your fingerprint—your iPhone will likely be covered with dozens of samples.
Macworld contributor Rich Mogull does an excellent job explaining why that probably isn’t an issue. In a nutshell, Apple is using capacitive scanning that looks at more than just the image of your fingerprint, and it’s most likely not storing the actual fingerprint anywhere on the iPhone where it might be compromised.
Mogull hypothesizes that Apple is probably analyzing the fingerprint and using unique data from it to generate a mathematical representation or template. By this logic, when you touch the home button, your fingerprint is run through the algorithm again, and the results are compared to the template to ensure they match. These are educated guesses, though, and the actual implementation may work differently.
“What we need to know is how good a job did Apple actually do securing the biometric data,” Henry says. “They say it’s encrypted and not shared with other applications, but we’ll have to wait and see how it works in practice.”
Henry also has some concerns about just how much access someone gets if the fingerprint authentication is bypassed or compromised. “If a single fingerprint grants access to other services (particularly iCloud), that’s a frightening prospect if Apple hasn’t done a truly expert job at securing that local credential,” he says.
Should you use it?
Dwayne Melancon, CTO for Tripwire, says, “In general, multifactor authentication is a good idea and biometrics, in particular, are good as long as they work properly. Early reports of Apple’s biometric implementation are promising, and even if there is some rate of false identification, this approach is still more secure than a four-digit PIN.”
One crucial thing for IT admins to understand is how device access works in the event that the fingerprint scanner is not an option. What if a user breaks their finger and it’s in a cast, or the home button fingerprint sensor malfunctions?
“From an enterprise perspective, I would wait until the security of this implementation of fingerprint scanning has been tested ‘in real life’ before adopting it broadly,” Melancon cautions.
Making it mainstream
Biometric security is nothing new, but it has yet to really catch on as a mainstream method of authentication. The password or passcode remains king. Apple has a huge market presence, though, and the iOS ecosystem commands a great deal of respect. If the iPhone 5s fingerprint scanner lives up to expectations, this could be the tipping point that turns it into the new default standard.
If Apple stumbles or falls on its face, though, it could set biometric security back a few years. If there are too many false negatives or false positives, or it turns out that the fingerprint data isn’t stored as securely as it should be, or there are other problems with the fingerprint scanner, it will tarnish the reputation of biometrics with average users, and it will take a long time to recover.