iPhone 5S: Fanbois, your prints are safe from the NSA, claim infosec bods
But is it a decent authentication method? The jury's out...
If the implementation's crap, it'll get nicked
Poorly implemented fingerprint recognition could be readily defeated by thieves, Henry warns. Fingerprints are not secret: we leave fingerprint impressions wherever we go, and this might spawn problems.
"How secure is a fingerprint really," Henry said. "After all, we leave them quite literally everywhere and at a minimum, they’re all over the phone. So how secure is it? If I lose my phone, could the person who picks it up use the fingerprints I’ve left behind to gain access?"
"Again, this will depend on implementation, particularly on the quality of the sensor. A good fingerprint reader doesn’t just look at the ridges – it looks at pore, temperature, pulse, and other factors. If it doesn’t, it can be pretty easily cracked."
"As an example, a few years ago a company developed a mouse with an optical fingerprint scanner. If I breathed on the scanner to fog it up, it would recognize the fingerprint the previous user left behind and authenticate me," he added.
Security guru Bruce Schneier has posted a blog post, first carried by Wired, that broadly welcomes Apple's introduction of fingerprint recognition tech.
"Apple would be smart to add biometric technology to the iPhone. Fingerprint authentication is a good balance between convenience and security for a mobile device," Schneier writes.
"Biometric systems are seductive, but the reality isn't that simple. They have complicated security properties. For example, they are not keys. Your fingerprint isn't a secret; you leave it everywhere you touch.
"And fingerprint readers have a long history of vulnerabilities as well. Some are better than others. The simplest ones just check the ridges of a finger; some of those can be fooled with a good photocopy. Others check for pores as well. The better ones verify pulse, or finger temperature. Fooling them with rubber fingers is harder, but often possible. A Japanese researcher had good luck doing this over a decade ago with the gelatin mixture that's used to make Gummi bears."
'The tech's just not sophisticated enough'
Andy Kemshall, co-founder and technical director of two-factor authentication outfit SecurEnvoy, is keen to lump fingerprint authentication in with other biometrics as less mature technologies than the SMS authentication through mobile phones his firm sells.
“Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods. The technology simply isn’t sophisticated enough. Take the face recognition method for example – as the technology stands, a device will unlock just by holding up a photo of the owner."
George Anderson, a marketing manager at security software firm Webroot, expressed broadly similar concerns about whether "temperamental" biometric technology was enterprise ready.
“If implemented well on the iPhone, biometrics could become a great mobile security measure," Anderson said. "If it turns out, however, that the fingerprint scanner will not be an additional security layer but a substitution for passcode authentication, that would be a disappointing news. Passcodes, while basic, are much less prone to errors than fingerprint biometrics. Biometrics is a temperamental technology and it should not be relied upon as a single security measure. A combination of both types of authentication is much more powerful from a security perspective than either on their own."
As a result of the wider BYOD phenomenon Apple iPhone 5Ss are going to make their way into the enterprise market sooner rather than later. Adam Ely, co-founder of enterprise mobile security startup Bluebox said the inclusion of fingering recognition technology in Apple's high-end smartphones could spur a revamp in corporate log-in technology that previous long standing availability of fingerprint scanners in laptops failed to encourage.
"Fingerprint scanners can be a big win for enterprise security,” said Ely. “Many enterprises wish to extend their IAM (identity access management) to mobile applications and devices but typing complex passwords is too cumbersome. Even though laptops have come with fingerprint scanners for many years, the need and application integration wasn't strong enough for enterprises to implement. Mobile may breath new life into this technology giving both end users and enterprises big wins."
Will authentication become the Achilles heel of the iPhone 5S?
Samsung was a major customer of AuthenTec before it was acquired by Apple. The Korean manufacturer is rumoured to be rolling out fingerprint scanning in future Galaxy devices. Independent security expert Graham Cluley speculates that the technology might find it's way onto Apple's iPad fondleslabs in future as part of a more general FAQ about the technology here.
Lumension's Henry added that reliability will be just as important as security in the success of the technology. "There’s a lot riding on the reliability factor," Henry said. "Will it work if I go for a swim and try to use my phone with raisin hands? What if it’s cold outside and my fingers have shrivelled a bit? Can I use my phone then? People aren’t going to be happy if they’re locked out of their phones because of environmental factors.
"As Apple well knows, if it’s not both reliable and convenient, users will turn it off," he added.
A good overview of the various security issues around the introduction of fingerprint authentication by Apple in the iPhone 5S model can be found in a blog post by John Hawes on Sophos's Naked Security blog.
The iPhone 5S boasts improved camera and battery life, and was launched by Apple alongside the more affordable iPhone 5C, a plastic affair that'll be available in a wide range of colours. ®