Thursday, September 12, 2013

Q&A About Fingerprint Scanning

Rich Mogull:

But despite the believed uniqueness of fingerprints, using a fingerprint scan as an authentication credential isn’t a panacea for security problems. It’s worth taking a little time to understand the technology, what it can do, and how it will integrate with your digital life.

[…]

But the real reason is that using fingerprints creates better security through improved usability. Most people, if they use a passcode at all, stick with a simple four-digit passcode, which is easy for an attacker to circumvent with physical possession of your iPhone. Longer passphrases, like the obscure 16-character one I use, are far more secure, but a real pain to enter repeatedly. A fingerprint reader, if properly implemented, provides the security of a long passphrase, with more convenience than even a short passcode.

Update (2013-09-12): Marcia Hofmann:

Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).

mrtemple:

Apple announced that you can’t unlock via fingerprint after a reboot, or if the phone hasn’t been used within 48 hours.

Danny Yadron and Ian Sherr:

Apple testers have found the device sometimes doesn’t work with moisture-laden fingers covered in sweat, lotion or other liquids.

Update (2013-09-13): Mary Branscombe:

And like the sensor in the iPhone 5S, the sensors that will be in laptops and keyboards and other phones can detect the ridge and valley pattern of your fingerprint not from the layer of dead skin on the outside of your finger (which a fake finger can easily replicate), but from the living layer of skin under the surface of your finger, using an RF signal. That only works on a live finger; not one that's been severed from your body.

Update (2013-09-20): Apple (via Ivan Krstić):

Every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 for one enrolled finger. This is much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode. Although some passcodes, like “1234”, may be more easily guessed, there is no such thing as an easily guessable fingerprint pattern. Instead, the 1 in 50,000 probability means it requires trying up to 50,000 different fingerprints until potentially finding a random match. But Touch ID only allows five unsuccessful fingerprint match attempts before you must enter your passcode, and you cannot proceed until doing so.

It’s disheartening that the writer got the probability wrong. The expectation is that it will take 50,000 different fingerprints. But it could happen on the first try, or take many more than 50,000. This is all assuming that fingerprints are i.i.d., which is probably not the case.
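
The arithmetic behind that objection, as an added worked example that is not part of the original post or of Apple's document. It assumes each attempt is an independent trial with false-match probability $p = 1/50{,}000$ (the i.i.d. assumption questioned above), and the symbols $N$, $n$ and $p$ are introduced here.

$$
\begin{aligned}
N &\sim \mathrm{Geometric}(p), \qquad p = \tfrac{1}{50{,}000} \\
\mathbb{E}[N] &= \tfrac{1}{p} = 50{,}000 \\
\Pr[N \le n] &= 1 - (1-p)^n \\
\Pr[N > 50{,}000] &= (1-p)^{50{,}000} \approx e^{-1} \approx 0.368 \\
\Pr[N \le 5] &= 1 - (1-p)^5 \approx 5p \approx \tfrac{1}{10{,}000} \\
\text{median of } N &\approx \tfrac{\ln 2}{p} \approx 34{,}657
\end{aligned}
$$

So 50,000 is the mean number of tries and not an upper bound: about 37% of the time no match has occurred after 50,000 tries, while half the time one occurs within roughly 34,700. Within the five attempts allowed before the passcode is required, the chance of a random false match is about 1 in 10,000, the same as a single guess at a 4-digit passcode.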

Update (2013-09-23): Chaos Computer Club:

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

Tim Bray:

Is Touch ID Worth Having? I’d say yes (cautiously). John Gruber points out that pre-Touch-ID, the most popular iPhone lock method was none, swipe and you’re in. If this changes that, it’s probably worthwhile.

Gabe Weatherhead:

The fingerprint reader built in to the iPhone 5s is not as fast as I expected. It's not instant as some have suggested but rather requires a slightly longer press than I would typically use. With the screen off, I typically give a quick press to turn it on. This is not sufficient to unlock the phone. I found that to unlock the phone I had to hold my finger on the button until the screen display became active.

Update (2013-09-24): Marc Rogers:

Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.
