Original URL: https://www.theregister.com/2013/09/12/iphone_fingerprint_scanner_gets_cautious_thumbs_up_from_security_bods/

iPhone 5S: Fanbois, your prints are safe from the NSA, claim infosec bods

But is it a decent authentication method? The jury's out...

By John Leyden

Posted in Personal Tech, 12th September 2013 09:05 GMT

Apple’s decision to bundle a fingerprint scanner with its newly unveiled iPhone 5s has the potential to become a game-changer for personal device authentication.

But the success of "Touch ID" fingerprint authentication will depend on security as well as reliability, according to market-watchers. The fruit of Apple's acquisition of fingerprint tech firm AuthenTec for $356m last summer is the long-awaited arrival of a fingerprint-based authentication system that comes only in the top-of-the-line iPhone 5S.

The authentication system features a redesigned home button and a metal sensor ring around it. Apple's promotional blurb explains: "[The sensor] uses advanced capacitive touch to take, in essence, a high-resolution image of your fingerprint from the sub-epidermal layers of your skin. It then intelligently analyses this information with a remarkable degree of detail and precision."

The technology will be used to authorise purchases through the Apple store as well as the obvious application of unlocking the device.

Fingerprint authentication has been bundled with laptops for years and has been a feature of handheld computers (such as Pocket PCs) for almost as long. External readers are also readily available. Nonetheless, a new fingerprint reader for the iPhone is likely to spur widespread use of fingerprint readers as authenticators, the argument goes.

Tony Cripps, principal device analyst at market watchers Ovum, noted that "integrated capacitive fingerprint sensor will build legitimacy for the technology in mainstream consumer electronics, although privacy concerns are bound to raise their heads in these newly paranoid times."

Apple's previous security missteps have made security experts cautious about whether it's got its fingerprint recognition technology right at the first attempt.

Dirk Sigurdson, a mobile risk management specialist at vulnerability management and pen testing firm Rapid7, commented: "Apple has on a number of occasions released flawed versions of its passcode lock implementation which allows attackers to bypass lock screen protections.

"With the added complexity of biometric authentication it’s likely that we’ll continue to see vulnerabilities related to these features. It will remain important for companies to monitor iOS vulnerabilities and to implement a method for updating devices when fixes are available."

Biometrics: What's stored on the A7 stays on the A7

Apple is storing biometric information locally on the iPhone in a "secure enclave" on the new A7 chip that, says Cupertino, can only be accessed by the fingerprint sensor itself.

"Fingerprint stays only on the A7, never goes to iCloud, and is encrypted," noted Rik Ferguson, veep of security research at Trend Micro in one of a series of tweets playing down fears over the iPhone 5S's privacy features (examples here and here).

Ferguson slapped down accusations that Apple is somehow fulfilling an NSA request by introducing fingerprint recognition tech on its high-end smartphones.

He said: "Why is a fingerprint sensor on an iPhone such a violation of privacy when laptops have featured them for years and no one even blinked? Giving our fingerprints to Wintel PCs and various border control for years but Apple = NSA? This is crazy."

Paul Henry, security and forensic analyst at security software house Lumension, said that testing is needed to verify Apple's claims that the device offers locked down security for biometric data.

"What we need to know is how good a job did Apple actually do securing the biometric data. They say it’s encrypted and not shared with other applications, but we’ll have to wait and see how it works in practice. We also need to know if it’s a single sign on approach. If a single fingerprint grants access to other services (particularly iCloud), that’s a frightening prospect if Apple hasn’t done a truly expert job at securing that local credential."

If the implementation's crap, it'll get nicked

Poorly implemented fingerprint recognition could be readily defeated by thieves, Henry warns. Fingerprints are not secret: we leave fingerprint impressions wherever we go, and this might spawn problems.

"How secure is a fingerprint really," Henry said. "After all, we leave them quite literally everywhere and at a minimum, they’re all over the phone. So how secure is it? If I lose my phone, could the person who picks it up use the fingerprints I’ve left behind to gain access?"

"Again, this will depend on implementation, particularly on the quality of the sensor. A good fingerprint reader doesn’t just look at the ridges – it looks at pore, temperature, pulse, and other factors. If it doesn’t, it can be pretty easily cracked."

"As an example, a few years ago a company developed a mouse with an optical fingerprint scanner. If I breathed on the scanner to fog it up, it would recognize the fingerprint the previous user left behind and authenticate me," he added.

Security guru Bruce Schneier has published a blog post, first carried by Wired, that broadly welcomes Apple's introduction of fingerprint recognition tech.

"Apple would be smart to add biometric technology to the iPhone. Fingerprint authentication is a good balance between convenience and security for a mobile device," Schneier writes.

"Biometric systems are seductive, but the reality isn't that simple. They have complicated security properties. For example, they are not keys. Your fingerprint isn't a secret; you leave it everywhere you touch.

"And fingerprint readers have a long history of vulnerabilities as well. Some are better than others. The simplest ones just check the ridges of a finger; some of those can be fooled with a good photocopy. Others check for pores as well. The better ones verify pulse, or finger temperature. Fooling them with rubber fingers is harder, but often possible. A Japanese researcher had good luck doing this over a decade ago with the gelatin mixture that's used to make Gummi bears."

'The tech's just not sophisticated enough'

Andy Kemshall, co-founder and technical director of two-factor authentication outfit SecurEnvoy, is keen to lump fingerprint authentication in with other biometrics as less mature technologies than the SMS authentication through mobile phones his firm sells.

“Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods. The technology simply isn’t sophisticated enough. Take the face recognition method for example – as the technology stands, a device will unlock just by holding up a photo of the owner.”

George Anderson, a marketing manager at security software firm Webroot, expressed broadly similar concerns about whether "temperamental" biometric technology was enterprise ready.

“If implemented well on the iPhone, biometrics could become a great mobile security measure,” Anderson said. “If it turns out, however, that the fingerprint scanner will not be an additional security layer but a substitution for passcode authentication, that would be disappointing news. Passcodes, while basic, are much less prone to errors than fingerprint biometrics. Biometrics is a temperamental technology and it should not be relied upon as a single security measure. A combination of both types of authentication is much more powerful from a security perspective than either on their own.”

As a result of the wider BYOD phenomenon, Apple iPhone 5Ss are going to make their way into the enterprise market sooner rather than later. Adam Ely, co-founder of enterprise mobile security startup Bluebox, said the inclusion of fingerprint recognition technology in Apple's high-end smartphones could spur a revamp in corporate log-in technology that the long-standing availability of fingerprint scanners in laptops failed to encourage.

"Fingerprint scanners can be a big win for enterprise security,” said Ely. “Many enterprises wish to extend their IAM (identity access management) to mobile applications and devices but typing complex passwords is too cumbersome. Even though laptops have come with fingerprint scanners for many years, the need and application integration wasn't strong enough for enterprises to implement. Mobile may breath new life into this technology giving both end users and enterprises big wins."

Will authentication become the Achilles heel of the iPhone 5S?

Samsung was a major customer of AuthenTec before it was acquired by Apple. The Korean manufacturer is rumoured to be rolling out fingerprint scanning in future Galaxy devices. Independent security expert Graham Cluley, in a more general FAQ about the technology, speculates that it might find its way onto Apple's iPad fondleslabs in future.

Lumension's Henry added that reliability will be just as important as security in the success of the technology. "There’s a lot riding on the reliability factor," Henry said. "Will it work if I go for a swim and try to use my phone with raisin hands? What if it’s cold outside and my fingers have shrivelled a bit? Can I use my phone then? People aren’t going to be happy if they’re locked out of their phones because of environmental factors.

"As Apple well knows, if it’s not both reliable and convenient, users will turn it off," he added.

A good overview of the various security issues around the introduction of fingerprint authentication by Apple in the iPhone 5S model can be found in a blog post by John Hawes on Sophos's Naked Security blog.

The iPhone 5S boasts improved camera and battery life, and was launched by Apple alongside the more affordable iPhone 5C, a plastic affair that'll be available in a wide range of colours. ®