iPhone 5S: Fanbois, your prints are safe from the NSA, claim infosec bods

But is it a decent authentication method? The jury's out...

Internet Security Threat Report 2014

If the implementation's crap, it'll get nicked

Poorly implemented fingerprint recognition could be readily defeated by thieves, Henry warns. Fingerprints are not secret: we leave fingerprint impressions wherever we go, and this might spawn problems.

"How secure is a fingerprint really," Henry said. "After all, we leave them quite literally everywhere and at a minimum, they’re all over the phone. So how secure is it? If I lose my phone, could the person who picks it up use the fingerprints I’ve left behind to gain access?"

"Again, this will depend on implementation, particularly on the quality of the sensor. A good fingerprint reader doesn’t just look at the ridges – it looks at pore, temperature, pulse, and other factors. If it doesn’t, it can be pretty easily cracked."

"As an example, a few years ago a company developed a mouse with an optical fingerprint scanner. If I breathed on the scanner to fog it up, it would recognize the fingerprint the previous user left behind and authenticate me," he added.

Security guru Bruce Schneier has posted a blog post, first carried by Wired, that broadly welcomes Apple's introduction of fingerprint recognition tech.

"Apple would be smart to add biometric technology to the iPhone. Fingerprint authentication is a good balance between convenience and security for a mobile device," Schneier writes.

"Biometric systems are seductive, but the reality isn't that simple. They have complicated security properties. For example, they are not keys. Your fingerprint isn't a secret; you leave it everywhere you touch.

"And fingerprint readers have a long history of vulnerabilities as well. Some are better than others. The simplest ones just check the ridges of a finger; some of those can be fooled with a good photocopy. Others check for pores as well. The better ones verify pulse, or finger temperature. Fooling them with rubber fingers is harder, but often possible. A Japanese researcher had good luck doing this over a decade ago with the gelatin mixture that's used to make Gummi bears."

'The tech's just not sophisticated enough'

Andy Kemshall, co-founder and technical director of two-factor authentication outfit SecurEnvoy, is keen to lump fingerprint authentication in with other biometrics as less mature technologies than the SMS authentication through mobile phones his firm sells.

“Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods. The technology simply isn’t sophisticated enough. Take the face recognition method for example – as the technology stands, a device will unlock just by holding up a photo of the owner."

George Anderson, a marketing manager at security software firm Webroot, expressed broadly similar concerns about whether "temperamental" biometric technology was enterprise ready.

“If implemented well on the iPhone, biometrics could become a great mobile security measure," Anderson said. "If it turns out, however, that the fingerprint scanner will not be an additional security layer but a substitution for passcode authentication, that would be a disappointing news. Passcodes, while basic, are much less prone to errors than fingerprint biometrics. Biometrics is a temperamental technology and it should not be relied upon as a single security measure. A combination of both types of authentication is much more powerful from a security perspective than either on their own."

As a result of the wider BYOD phenomenon Apple iPhone 5Ss are going to make their way into the enterprise market sooner rather than later. Adam Ely, co-founder of enterprise mobile security startup Bluebox said the inclusion of fingering recognition technology in Apple's high-end smartphones could spur a revamp in corporate log-in technology that previous long standing availability of fingerprint scanners in laptops failed to encourage.

"Fingerprint scanners can be a big win for enterprise security,” said Ely. “Many enterprises wish to extend their IAM (identity access management) to mobile applications and devices but typing complex passwords is too cumbersome. Even though laptops have come with fingerprint scanners for many years, the need and application integration wasn't strong enough for enterprises to implement. Mobile may breath new life into this technology giving both end users and enterprises big wins."

Will authentication become the Achilles heel of the iPhone 5S?

Samsung was a major customer of AuthenTec before it was acquired by Apple. The Korean manufacturer is rumoured to be rolling out fingerprint scanning in future Galaxy devices. Independent security expert Graham Cluley speculates that the technology might find it's way onto Apple's iPad fondleslabs in future as part of a more general FAQ about the technology here.

Lumension's Henry added that reliability will be just as important as security in the success of the technology. "There’s a lot riding on the reliability factor," Henry said. "Will it work if I go for a swim and try to use my phone with raisin hands? What if it’s cold outside and my fingers have shrivelled a bit? Can I use my phone then? People aren’t going to be happy if they’re locked out of their phones because of environmental factors.

"As Apple well knows, if it’s not both reliable and convenient, users will turn it off," he added.

A good overview of the various security issues around the introduction of fingerprint authentication by Apple in the iPhone 5S model can be found in a blog post by John Hawes on Sophos's Naked Security blog.

The iPhone 5S boasts improved camera and battery life, and was launched by Apple alongside the more affordable iPhone 5C, a plastic affair that'll be available in a wide range of colours. ®

Internet Security Threat Report 2014

More from The Register

next story
Hi-torque tank engines: EXTREME car hacking with The Register
Bentley found in a hedge gets WW2 lump insertion
What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
You fought hard and you saved and earned. But all of it's going to burn...
Trousers down for six of the best affordable Androids
Stylish Googlephones for not-so-deep pockets
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
prev story


Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.