iPhone 5S: Fanbois, your prints are safe from the NSA, claim infosec bods

But is it a decent authentication method? The jury's out...

Securing Web Applications Made Simple and Scalable

If the implementation's crap, it'll get nicked

Poorly implemented fingerprint recognition could be readily defeated by thieves, Henry warns. Fingerprints are not secret: we leave fingerprint impressions wherever we go, and this might spawn problems.

"How secure is a fingerprint really," Henry said. "After all, we leave them quite literally everywhere and at a minimum, they’re all over the phone. So how secure is it? If I lose my phone, could the person who picks it up use the fingerprints I’ve left behind to gain access?"

"Again, this will depend on implementation, particularly on the quality of the sensor. A good fingerprint reader doesn’t just look at the ridges – it looks at pore, temperature, pulse, and other factors. If it doesn’t, it can be pretty easily cracked."

"As an example, a few years ago a company developed a mouse with an optical fingerprint scanner. If I breathed on the scanner to fog it up, it would recognize the fingerprint the previous user left behind and authenticate me," he added.

Security guru Bruce Schneier has posted a blog post, first carried by Wired, that broadly welcomes Apple's introduction of fingerprint recognition tech.

"Apple would be smart to add biometric technology to the iPhone. Fingerprint authentication is a good balance between convenience and security for a mobile device," Schneier writes.

"Biometric systems are seductive, but the reality isn't that simple. They have complicated security properties. For example, they are not keys. Your fingerprint isn't a secret; you leave it everywhere you touch.

"And fingerprint readers have a long history of vulnerabilities as well. Some are better than others. The simplest ones just check the ridges of a finger; some of those can be fooled with a good photocopy. Others check for pores as well. The better ones verify pulse, or finger temperature. Fooling them with rubber fingers is harder, but often possible. A Japanese researcher had good luck doing this over a decade ago with the gelatin mixture that's used to make Gummi bears."

'The tech's just not sophisticated enough'

Andy Kemshall, co-founder and technical director of two-factor authentication outfit SecurEnvoy, is keen to lump fingerprint authentication in with other biometrics as less mature technologies than the SMS authentication through mobile phones his firm sells.

“Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods. The technology simply isn’t sophisticated enough. Take the face recognition method for example – as the technology stands, a device will unlock just by holding up a photo of the owner."

George Anderson, a marketing manager at security software firm Webroot, expressed broadly similar concerns about whether "temperamental" biometric technology was enterprise ready.

“If implemented well on the iPhone, biometrics could become a great mobile security measure," Anderson said. "If it turns out, however, that the fingerprint scanner will not be an additional security layer but a substitution for passcode authentication, that would be a disappointing news. Passcodes, while basic, are much less prone to errors than fingerprint biometrics. Biometrics is a temperamental technology and it should not be relied upon as a single security measure. A combination of both types of authentication is much more powerful from a security perspective than either on their own."

As a result of the wider BYOD phenomenon Apple iPhone 5Ss are going to make their way into the enterprise market sooner rather than later. Adam Ely, co-founder of enterprise mobile security startup Bluebox said the inclusion of fingering recognition technology in Apple's high-end smartphones could spur a revamp in corporate log-in technology that previous long standing availability of fingerprint scanners in laptops failed to encourage.

"Fingerprint scanners can be a big win for enterprise security,” said Ely. “Many enterprises wish to extend their IAM (identity access management) to mobile applications and devices but typing complex passwords is too cumbersome. Even though laptops have come with fingerprint scanners for many years, the need and application integration wasn't strong enough for enterprises to implement. Mobile may breath new life into this technology giving both end users and enterprises big wins."

Will authentication become the Achilles heel of the iPhone 5S?

Samsung was a major customer of AuthenTec before it was acquired by Apple. The Korean manufacturer is rumoured to be rolling out fingerprint scanning in future Galaxy devices. Independent security expert Graham Cluley speculates that the technology might find it's way onto Apple's iPad fondleslabs in future as part of a more general FAQ about the technology here.

Lumension's Henry added that reliability will be just as important as security in the success of the technology. "There’s a lot riding on the reliability factor," Henry said. "Will it work if I go for a swim and try to use my phone with raisin hands? What if it’s cold outside and my fingers have shrivelled a bit? Can I use my phone then? People aren’t going to be happy if they’re locked out of their phones because of environmental factors.

"As Apple well knows, if it’s not both reliable and convenient, users will turn it off," he added.

A good overview of the various security issues around the introduction of fingerprint authentication by Apple in the iPhone 5S model can be found in a blog post by John Hawes on Sophos's Naked Security blog.

The iPhone 5S boasts improved camera and battery life, and was launched by Apple alongside the more affordable iPhone 5C, a plastic affair that'll be available in a wide range of colours. ®

Application security programs and practises

More from The Register

next story
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
For Lenovo US, 8-inch Windows tablets are DEAD – long live 8-inch Windows tablets
Reports it's killing off smaller slabs are greatly exaggerated
Microsoft unsheathes cheap Android-killer: Behold, the Lumia 530
Say it with us: I'm King of the Landfill-ill-ill-ill
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Seventh-gen SPARC silicon will accelerate Oracle databases
Uncle Larry's mutually-optimised stack to become clearer in August
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
prev story


Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.