The Touch ID fingerprint reader could be one of the most important features of the new iPhone 5s. Although it will initially be used only to unlock the phone and to log into the iTunes Store, it has the potential to improve the security of a wide range of mobile purchases and payments. But first Apple has to convince iPhone owners that it will not be a new assault on their privacy.
A few weeks ago, this would not have been an issue. But Apple is introducing Touch ID in an atmosphere in which many of the most far-out paranoid fantasies about government snooping seem to have been confirmed. A sampling of Twitter reactions to the Apple announcement, and this New York Times Bits article, suggest what the company is up against:
The sad thing is that there is a well-understood way to implement biometric tests such as fingerprints that is safe and will prevent the sort of leaks these tweeters fear. And I suspect that Apple, which bought AuthenTec, the leader in fingerprint technology, in 2012, is following these procedures. The problem is that Apple refuses to say so.
Despite several requests, all I could get Apple spokespersons to do was reiterate marketing chief Phil Schiller’s statement that the fingerprint data was encrypted and stored in “a secure enclave” on the A7 processor that could not be accessed by any apps. The data is never uploaded to iCloud or other servers. This is good, but not nearly good enough.
Here’s how you are supposed to do it. First, and Apple says this much, the reader never makes a copy of your actual finger print. What is does is collect data on a number, perhaps as many as several hundred, points called “minutiae” that uniquely identify a print. The minutiae are reduced to a string of numbers. The next step is really important. The fingerprint data should be run through a mathematical function called a one-way hash, which produces an encrypted version that cannot be decrypted. Because it cannot be decrypted, the original fingerprint cannot be reconstructed from the data, protecting your privacy.
The way this works is that the next time you scan a finger, the process is repeated and a new hash is generated. The new hash is compared to the stored hash and if they match, you pass. The same procedure is used for the secure storage of passwords. It is even more important for biometric data, because, while you can always replace a compromised password, you cannot grow a new finger.
If Apple wants to sell suspicious opinion leaders on the security and integrity of Touch ID, the company is going to have to be a great deal more forthcoming about just how it is protecting fingerprint data, including providing details on the encryption or hash protocols used. Ideally, it would let security experts examine the actual code in hopes of identifying the all-to-common implementation errors that can undermine seemingly secure encryption.
We definitely need an alternative or supplement to traditional passwords to make our devices more secure and useful, especially in commerce and payment. Biometrics, such as fingerprints, are a good choice, but only if they can be handled safely and, even more important, people are convinced their use is safe. That is going to require more transparency than Apple is used to providing.
The good news is that in my brief hands-on tests, Touch ID worked flawlessly. It was easy to register my fingerprints (you can use multiple fingers) and once the prints were set up, the iPhone responded instantly to my touch. It is by far the easiest fingerprint recognition system I have used.
For the moment, Apple is not allowing third-party app developers to use Touch ID, but I think it is only a matter of time until Apple expands its use beyond login and iTunes. The potential is just too great.
—–
An aside: I don’t worry in the least about the government getting my fingerprints, since I have been fingerprinted many times and my prints have been in the FBI database for decades. But the U.S. government isn’t the only snoop out there and I do worry about securing biometric data. as I said, once your fingerprint is gone, it is gone forever.