Why Apple’s Touch ID Is Not Foolproof Yet

A cybercriminal that successfully implants a Trojan into the phone would find no difference between cracking a fingerprint code and a password

Guillaume Lovet Nov 27th 2013

This vendor-written article has been edited by ComputerWorld to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Threats to personal and organizational privacy have evolved to such a degree that traditional forms of security such as straightforward password protection have become alarmingly insufficient. Nowadays, hackers and other malicious entities can easily break through codes in a matter of seconds via complex programs and sophisticated hardware or by ‘brute force’ cracking.

The introduction of the iPhone 5s, the latest smartphone developed by technology giant Apple, has stirred great public interest over the effectiveness of biometrics – the inherence factor – to stave off privacy attacks. The new device contains a new biometric fingerprint reader known as Touch ID, which is built into the home button of the iPhone 5s to detect and verify a user’s fingerprint via capacitive touch.

This function now brings two-factor authentication from the exclusive domain of the enterprise down to the reach of the smartphone-loving masses. A lot of people are excited over Apple’s implementation of Touch ID, viewing the technology as something new and fresh and likely hard to defeat.

Apple explains that the iPhone 5s’ new A7 processor has a tough, dedicated data storage area that is difficult to attack. However, a successful breach into this secure layer would render biometric authentication useless. A cybercriminal that successfully implants a Trojan into the phone would find no difference between cracking a fingerprint code and a password, as a scanned fingerprint is stored as a series of 0s and 1s in the phone.

Another important thing to note is Apple’s statement that Touch ID scans sub-epidermally, with no mention of sub-dermal capability. This means that the advanced capacitance sensor embedded in the device in essence takes a high-resolution image of fingerprints from the sub-epidermal layers of the skin. This is more or less how typical capacitance sensors already work; a more secure method would be to scan at the sub-dermal level, beneath the skin, where the veins and arteries are. Apple’s initial implementation of biometrics, then, appears to be more a tool of convenience that lets users avoid passwords if they prefer.

In fact, a German group was able to work around Touch ID security just days after the iPhone 5s launch. They took a fingerprint of a user photographed from a glass surface and then created a fake fingerprint which they placed into a thin film and pressed onto the device with a real finger to unlock the phone. Touch ID certainly does work, and work well, but you should not rely upon it to protect the digital assets on your phone. Apple needs to push out an iOS update that allows users of Touch ID to further secure their devices by enabling proper two-factor authentication with both a scan and a password.

In addition, people usually don’t communicate their fingerprints to third parties. Our fingerprints are in biometric passports, so they are known to our own governments, but that’s usually about all. With Apple’s Touch ID, aren’t we making it easier for cybercriminals to get our fingerprints (and re-sell them on the black market for whatever nefarious intent)? Additionally, our fingerprints are not replaceable: once they have been compromised, there is no way back. Unlike a key pair, we can’t just generate a new one.

While Apple’s biometric approach is not foolproof, the good news is that the iPhone 5s has elicited mass interest in the possibility of moving away from typical single-factor authentication and into multi-factor authentication.

Multi-factor authentication (MFA) is an offshoot of more aggressive efforts to ward off privacy threats. In this security approach, two or more of three authentication factors (knowledge, possession and inherence) are required to establish identity.

While two-factor authentication has seen some mainstream adoption in applications like Twitter, Dropbox, Evernote, and Facebook, it has yet to fully replace the convenience of single-factor authentication.