Touch ID: A Big Deal If Apple Doesn’t Mess It Up

by Steve Wildstrom   |   September 11th, 2013

The Touch ID fingerprint reader could be one of the most important features of the new iPhone 5s. Although it will initially be used only to unlock the phone and to log into the iTunes Store, it has the potential to improve the security of a wide range of mobile purchases and payments. But first Apple has to convince iPhone owners that it will not be a new assault on their privacy.

A few weeks ago, this would not have been an issue. But Apple is introducing Touch ID in an atmosphere in which many of the most far-out paranoid fantasies about government snooping seem to have been confirmed. A sampling of Twitter reactions to the Apple announcement, and this New York Times Bits article suggest what the company is up against:

Twitter screenshot

The sad thing is that there is a well-understood way to implement biometric tests such as fingerprints that is safe and will prevent the sort of leaks these tweeters fear. And I suspect that Apple, which bought AuthenTec, the leader in fingerprint technology, in 2012, is following these procedures. The problem is that Apple refuses to say so.

Despite several requests, all I could get Apple spokespersons to do was reiterate marketing chief Phil Schiller’s statement that the fingerprint data was encrypted and stored in “a secure enclave” on the A7 processor that could not be accessed by any apps. The data is never uploaded to iCloud or other servers. This is good, but not nearly good enough.

Here’s how you are supposed to do it. First, and Apple says this much, the reader never makes a copy of your actual finger print. What is does is collect data on a number, perhaps as many as several hundred, points called “minutiae” that uniquely identify a print. The minutiae are reduced to a string of numbers. The next step is really important. The fingerprint data should be run through a mathematical function called a one-way hash, which produces an encrypted version that cannot be decrypted. Because it cannot be decrypted, the original fingerprint cannot be reconstructed from the data, protecting your privacy.

The way this works is that the next time you scan a finger, the process is repeated and a new hash is generated. The new hash is compared to the stored hash and if they match, you pass. The same procedure is used for the secure storage of passwords. It is even more important for biometric data, because, while you can always replace a compromised password, you cannot grow a new finger.

If Apple wants to sell suspicious opinion leaders on the security and integrity of Touch ID, the company is going to have to be a great deal more forthcoming about just how it is protecting fingerprint data, including providing details on the encryption or hash protocols used. Ideally, it would let security experts examine the actual code in hopes of identifying the all-to-common implementation errors that can undermine seemingly secure encryption.

We definitely need an alternative or supplement to traditional passwords to make our devices more secure and useful, especially in commerce and payment. Biometrics, such as fingerprints, are a good choice, but only if they can be handled safely and, even more important, people are convinced their use is safe. That is going to require more transparency than Apple is used to providing.

The good news is that in my brief hands-on tests, Touch ID worked flawlessly. It was easy to register my fingerprints (you can use multiple fingers) and once the prints were set up, the iPhone responded instantly to my touch. It is by far the easiest fingerprint recognition system I have used.

For the moment, Apple is not allowing third-party app developers to use Touch ID, but I think it is only a matter of time until Apple expands its use beyond login and iTunes. The potential is just too great.

—–

An aside: I don’t worry in the least about the government getting my fingerprints, since I have been fingerprinted many times and my prints have been in the FBI database for decades. But the U.S. government isn’t the only snoop out there and I do worry about securing biometric data. as I said, once your fingerprint is gone, it is gone forever.

 

 

 

Steve Wildstrom

Steve Wildstrom is veteran technology reporter, writer, and analyst based in the Washington, D.C. area. He created and wrote BusinessWeek’s Technology & You column for 15 years. Since leaving BusinessWeek in the fall of 2009, he has written his own blog, Wildstrom on Tech and has contributed to corporate blogs, including those of Cisco and AMD and also consults for major technology companies.
  • Anders CT

    I think that the fingerprint sensor authentication combined with NFC payments would be a very nice combination of existing technologies. They didn’t mention NFC. Maybe the really don’t want NFC (which would be incredibly shortsighted) or maybe they are just saving the announcement for later. If not I have som crow to eat.

    • FalKirk

      I think Apple is bypassing NFC. Step by step they are building a security and payment system that does not require the use of NFC technology.

    • steve_wildstrom

      I don’t think Apple can do more to indicate their lack of interest in NFC. They are putting their bets on low-power Bluetooth and Wi-Fi Direct.

    • TheEternalEmperor

      You need to let go of this NFC thought and prepare for that crow. ;-) There is no there, there with NFC and it isn’t shortsighted.

      The NFC tech simply isn’t thick enough.

      • Anders CT

        I wos wronge. Very wrong. Crow eaten.

        I still don’t undestand why they didn’t just inlude a 45 cent NFC chip. If for nothing else, then for the Japanese market. It wouldn’t stop them from pursuing some Bluetooth payscheme.

        • TheEternalEmperor

          Hey Anders,

          Just an informational

          http://arstechnica.com/gadgets/2013/09/google-releases-a-new-version-of-google-wallet-dumps-nfc-requirement/

          Google is dropping their NFC requirement.

          Not gloating. Don’t take it that way. Informational only.

          We’ll see where this goes, but my take:
          1).45 x 22m is well over 11m/quarter. Why spend it if you don’t have to?

          2) What’s the advantage to Apple or the customer? Apple’s scheme will hit phones as far back as the iPhone 4, doesn’t require NFC, doesn’t require the close proximity.

          I mean, not counting purchasing the only other use for NFC I’ve seen(big use) is Samsung touch phone stuff and someone, Motorola I think, having an NFC sticker you put in your car that you put your phone to and it shuts off wifi or some such.

          • Anders CT

            I undertand all that, and I see the advantages of Bluetooth LE and so on.

            But the problem is, that if you walk 50 meters in central Tokya you are going to come across an NFC terminal. They use NFC for everything over there, as they are begiing to do here in Denmark. Now, having an NFC-chip in your device, does not stop Apple or anyone else from developing Bluetooth LE and touch authentication for payments. Or combining the technologies.

            If you were going to develop a payment-scheme today, why wouldn’t you just use Bluetooth were available and NFC were required?

  • Jean-Daniel

    You can use hash only to perform exact match. It works well for password storage but you can’t use it to do fuzzy matching as it is probably required for things like finger print.
    Using hash would mean that the slightly change in you finger print (dust, humidity, …) will make it invalid.
    This is an intrinsic property of any cryptographic hash function.

    • tjwolf

      From what I understand, Apple’s scanning technique uses conductivity changes in the subsurface layers of your skin and should, thus, not be affected by surface-level things like dust, humidity). So perhaps an exact match is still possible. But even if it’s not – Apple’s implementation lets you fall back to a pass code if the system fails to authenticate you.

  • Defendor

    I think Apple has a significant leg up on the security front with fingerprint readers. With the app store approval process, they can make sure that rogue applications don’t make any illegal function calls that could work on attacking the secure storage for the fingerprint data.

    With the wide open nature of Android, there will be many more chances for hacker to try to find a way to massage secure data stored in the device. Both may prove ultimately secure, but I would definitely feel more comfortable with Apple devices security for this.

    I feel this is a lot more secure than standard password procedures. There was a recent case were a kid racked up huge iTunes bill on in-app purchases. The kicker on this one was that, the kid observed Dads password and typed it in to approve purchases. Would not happen with fingerprint approval.

    I think Apple is doing a great job with Hardware and features, but I really don’t think I can get over the eyesore that is iOS 7.

  • Kenny

    the fingerprint sensor authentication look impressive, but what Happen if someone steal your phone, can he hack the Data located on the phone?

    is it hack proof?

    • TheEternalEmperor

      It doesn’t have your fingerprint(that’s been explain on multiple sites)and really, unless you are some captain of industry, do you think anyone is interested in your fingerprint? There are easier ways to get it than cracking your iPhone.

      I would just go into your house.

    • http://www.zibity.com/ Sebastian Hallum Clarke

      Did you read the article? It explains that it isn’t possible to reverse engineer the fingerprint data.

    • tjwolf

      I think Apple claims only 10 hours – similar to the current iPhone 5. As far as the battery claims of 24 hours by Moto X, you might want to do some google searches to find how long it really lasts. Some tech company (Anandtech?) benchmarked it – and in internet-related usage, that phone didn’t even come in the top 3 in battery life – the iPhone 5 came in in first position. If I remember correctly the Moto X only came in first when it came to basic “voice” calls.

  • aardman

    If the fingerprint sensor, for some reason, breaks, is your phone locked until you get the hardware fixed? If you lose your finger or alter your fingerprint in an accident (don’t laugh, I have a scar right across my thumbprint) is your phone locked forever? Is there a work around, and if so, how vulnerable is that?

    • TheEternalEmperor

      Use the password, or enter in more than one finger.

      • aardman

        Well what’s the point of fingerprint authentication if you’re going to set up a password as your emergency work around? That’s like securing your front door and leaving the back door open.

        Sensor failure is really the bigger problem, so I’m not going to be a smart aleck and ask “What if I lose my whole hand?” :-)

        • Kenny

          That,s a very good Point
          but i think that the fingerprint has more to do about making authentication easy to use than securing your phone in my opinion

        • TheEternalEmperor

          Pick some 25 character monster password.

        • tjwolf

          Your analogy is way off – you’re not leaving the backdoor unlocked. You’re just leaving the back door locked with a different lock – how weak or strong you make that backdoor lock is up to you!

          The fingerprint mechanism is just a convenient alternative to the traditional pass code. The reason it has such great potential is that it guarantees a certain level of authentication whereas there is huge variation in how secure peoples’ pass codes are (I’m sure we all know people who make their passcode “1234″ or their birthday…mostly because the secure variety would be too long to remember. Those people who choose such secure codes are also often the ones who write them down on a sheet of paper in their wallets :-)

  • rationalchrist

    Apple shipped the first beta of iOS 7 with a confusing layout of “slide to unlock” and Control Center arrows because they were testing iOS 7’s Lock screen primarily through Touch ID. Looking back, a lot time Apple layout their roadmap in the plain. We just need to look harder and smarter.

  • Mayson

    Tim Cook’s most significant line: “This is the most forward-looking iPhone ever.”

    Touch ID paves the way for payment and authentication. Very big.

    M7 continuously monitoring motion, for fitness apps and context awareness (am I riding in a car, taking a walk, riding my bike, going to the grocery store, etc). Lots and lots of potential applications.

    A7 makes this 5s (and the upcoming iPads which will have it, or variants) capable of amazingly powerful image and audio processing: the camera is pretty awesome.

  • Steve_Lockstep

    You say there might be “several hundred” minutiae points in a fingerprint? Actually there are 50 or 60 for a good quality image of a full print. I wonder how many minutiae points are available over the relatively small window of the iPhone 5S home button? And I wonder if further resolution is sacrificed because, in the name of convenience, the iPhone will cleverly accept the finger at any angle? So far nobody has revealed a False Accept Rate specification or test result.

    • steve_wildstrom

      When you register a finger, the iPhone requires that you move the finger over the sensor. While Apple has not been forthcoming about details, I suspect it collects a great many more minutiae points than are used in any identification. This allows it to do good verification on a subset of the minutiae, which, in turn, allows things like reading at multiple angles.

      • Steve_Lockstep

        Well no, it allows the phone to match the user no matter what subsection of their finger they present, but the fact is that a relatively small subset of minutiae are used for the match. So the chance of a false match is higher than when the whole finger surface is scanned. Similarly, when a biometric system tolerates any angle of presentation, it means that it is sacrificing data, losing resolution, and increasing the False Accept Rate. Highly accurate biometrics are very sensitive to the angle of presentation (and so palm scanners for example use hand guides). Consumer biometrics are all about convenience not security. A proper security system would not be released without properly specifying its accuracy (False Accept Rate, False Reject Rate etc.). It seems that we will get reports from ‘hackers’ of TouchID spoofs before we get published security specifications from Apple.