Luis Abreu

Losing Touch ID

Thoughts on security versus convenience.

Sep 23, 2013


Apple's recent fingerprint identification implementation in consumer electronics, dubbed Touch ID, is now being used by thousands of people worldwide.

Apple's implementation is easy and convenient to use and is initially used to unlock iPhones and to authenticate the user to the App Store when completing purchases.

Fingerprint readers have traditionally attracted people who believe they don't live up to the premise of a foolproof authentication system, and there have been plenty of exploits against them. Touch ID is sadly no exception, as demonstrated by the German security group CCC.

But what is Touch ID? Does it arrive with the same premise as its older siblings, that of a foolproof consumer fingerprint authentication device? Or does it admit its failures and still play its part in a larger system?

What is Touch ID

According to Apple's iPhone product page, Touch ID is a highly secure and convenient way to control who can access your phone and make purchases on the iTunes, iBooks and App Stores, removing the burden of typing a PIN code each of the dozens of times you unlock your phone throughout the day. It even lets you delegate access to friends and family, since it can recognize multiple fingerprints.

It cannot be used without a PIN code, which is requested on reboot or after 48 hours of inactivity, both conditions indicative of a lost or stolen phone. Paired with the high resolution sensor, the claimed requirement for a live finger and the ability to read sub-dermal layers, this does offer an increased level of security.

It is always with you, cannot be exploited remotely and doesn't require memory.

Losing Touch

Touch ID can be exploited. Apple has made it a bit harder by requiring live tissue and by fitting it with a high resolution sensor that, according to them, reads beyond the skin surface.

But still, while an attack is technically possible, one can argue it's a better system than the good old PIN code. Why?

Because exploiting it requires a very specific set of conditions and equipment and, most of all, a very focused action against the victim.

And I believe this last part is the key factor to consider when judging the effectiveness of this sensor. No security system is immune; the person is always the weakest link, and any system can be broken through social engineering, coercion and more.

Why Care?

Because authentication is broken, identity is broken, authorization is broken and we need a solution.

Identity is broken because it’s not guaranteed you have control or visibility over it.

Authorization is broken for the same reason: we don't always know what or who is authorizing access to our identity and data, as the recent NSA revelations have shown.

And authentication is broken because we still rely on our limited memory to provide services with secret words that only the individual should know. That is a problem because the set of memorable words is limited, and making up more of them hits the limits of our memory, pushing us toward reusing the same secret word in many places.

Memory isn't private either: spreading the secret across services, sometimes stored in an easily read, unencrypted format, increases the chances of it becoming known without our knowledge.

Touch ID would help in some of these cases by offering a system that can only be explicitly used by the owner, doesn't require memory and is centralized and always with you, rather than scattered across the world being exploited without our knowledge.

Summary

Touch ID is here. It offers dead easy to use, nearly instant biometric authentication, integrated with a consumer product of mass adoption.

It's a technology that admits its flaws, since it can't be used after a reboot or after a period of inactivity that might indicate a stolen or lost phone.

It can be exploited by a dedicated person, but it can also be invalidated by the owner, who can proceed to use another finger* or stop using it altogether and downgrade to other methods.

*In a way, Touch ID has 10 lives, one on each finger of your hands, 20 or more if you're into using toes or other body parts.
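The two design points above (the passcode gate on reboot or after 48 hours of inactivity, and the owner's ability to revoke a compromised finger while others keep working) are easier to reason about as a small policy model. The following is an added example written for this page; it is not Apple's code and does not describe how iOS implements Touch ID. The `Device`, `Decision` and `scenario` names are hypothetical, the 48-hour timeout is taken from the post, and a fingerprint "match" is modelled as exact equality of an opaque template string, which is a simplification of what a real sensor does.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# The post says the passcode is demanded on reboot or after 48 hours of
# inactivity; this constant encodes that policy for the model (assumption:
# "inactivity" is measured from the last successful passcode entry).
PASSCODE_TIMEOUT_SECS = 48 * 3600


class Decision(Enum):
    UNLOCKED_BIOMETRIC = "unlocked via fingerprint"
    UNLOCKED_PASSCODE = "unlocked via passcode"
    PASSCODE_REQUIRED = "passcode required"
    DENIED = "denied"


@dataclass
class Device:
    """Hypothetical phone: a passcode plus a set of enrolled finger templates."""
    passcode: str
    # finger name -> template. A real sensor compares feature sets; here a
    # template is an opaque string and a match is exact equality (assumption).
    enrolled: Dict[str, str] = field(default_factory=dict)
    # Time of the last successful passcode entry; None means "not since boot".
    last_passcode_unlock: Optional[float] = None

    def reboot(self) -> None:
        # Rebooting forgets the passcode, so biometrics are disarmed.
        self.last_passcode_unlock = None

    def enroll(self, finger: str, template: str) -> None:
        self.enrolled[finger] = template

    def revoke(self, finger: str) -> None:
        """Owner invalidates one finger (e.g. after suspecting it was cloned)."""
        self.enrolled.pop(finger, None)

    def biometric_allowed(self, now: float) -> bool:
        """Fingerprint unlock is a convenience layer: it is only valid while the
        passcode has been entered since boot and within the timeout window."""
        if self.last_passcode_unlock is None:
            return False
        return now - self.last_passcode_unlock <= PASSCODE_TIMEOUT_SECS

    def unlock_with_finger(self, template: str, now: float) -> Decision:
        if not self.biometric_allowed(now):
            return Decision.PASSCODE_REQUIRED
        for enrolled in self.enrolled.values():
            if hmac.compare_digest(enrolled, template):
                return Decision.UNLOCKED_BIOMETRIC
        return Decision.DENIED

    def unlock_with_passcode(self, passcode: str, now: float) -> Decision:
        if hmac.compare_digest(passcode, self.passcode):
            self.last_passcode_unlock = now  # re-arms the biometric window
            return Decision.UNLOCKED_PASSCODE
        return Decision.DENIED


def scenario() -> List[Decision]:
    """Walk through the lifecycle the post describes and return each decision."""
    phone = Device(passcode="2580")          # constructed sample data
    phone.enroll("right thumb", "tpl-thumb")
    phone.enroll("right index", "tpl-index")
    t = 0.0
    out: List[Decision] = []
    out.append(phone.unlock_with_finger("tpl-thumb", t))             # fresh boot: passcode required
    out.append(phone.unlock_with_passcode("2580", t))                 # passcode re-arms biometrics
    out.append(phone.unlock_with_finger("tpl-thumb", t + 60))        # now the finger works
    late = t + 49 * 3600
    out.append(phone.unlock_with_finger("tpl-thumb", late))          # 49h idle: passcode again
    phone.unlock_with_passcode("2580", late)
    phone.revoke("right thumb")                                      # owner assumes thumb was cloned
    out.append(phone.unlock_with_finger("tpl-thumb", late + 1))      # cloned thumb is now denied
    out.append(phone.unlock_with_finger("tpl-index", late + 2))      # another finger still works
    phone.reboot()
    out.append(phone.unlock_with_finger("tpl-index", late + 3))      # reboot: passcode required
    return out


if __name__ == "__main__":
    for step, decision in enumerate(scenario(), 1):
        print(step, decision.value)
```

The point the model makes explicit is that a cloned fingerprint never stands alone: after any reboot or expiry of the window the attacker also needs the passcode, and the owner can retire a single finger without losing the convenience of the others.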

All in all, it’s a good thing that vastly improves the experience of using an iPhone.

In practice, Touch ID has proved incredibly convenient. I always knew that entering my lock screen passcode and App Store password dozens of times a day, every day, was a hassle, but I had no idea how much of a hassle it was until I didn’t have to do it any longer. (Source)

Yes, it plays the classic experience versus security balancing game. How well?

Up to you. But personally I’d say pretty well.
