Paying With Prints (iPhone 5S and Its Fingerprint Scanner)

Apple’s Touch ID fingerprint scanner is a little, round, innocuous-looking Rorschach test. Stare into its unflinching gaze and you’ll see wonder, terror, good security, no security, a social revolution, or a lie being foisted on the smartphone-buying public by Apple, depending on your background, biases, and philosophical inclinations.

I noticed a bit of crankiness in the Apple blogosphere recently at anyone who suggested that we stop and consider the wisdom of using easily obtainable fingerprints for authentication purposes. Granted, some of the reaction was in response to overly dramatic portrayals of Touch ID as completely useless, insecure, and even Orwellian, but the Apple community in general tends to err on the side of always taking the party line.

Even in the security community, opinions vary from “not hard to defeat and is a bad idea” to “not hard to defeat and is a good thing anyway”.

Ok, so apparently there is some dissension over the usefulness and security of Touch ID, but what are the potential issues?

The first issue with using fingerprints for authentication is that, unlike passwords, fingerprints can’t be changed. They were issued at birth, and barring some really bad accident, they’re with you for life. As Bruce Schneier states in his article on uses and abuses of biometrics, they don’t handle failure well, and they fail by being common across different functions. You know how you’re taught to use strong, unique, non-guessable passwords for every computing device, web site, and email account? Biometrics can’t do that. You only have one face, one set of eyes, and one set of fingerprints.

Some security experts predicted that Touch ID would almost certainly be spoofable. Some felt it wouldn’t be that easy, and were a little surprised when it was.

Interestingly, a few Apple bloggers claimed in defense that Apple never stated Touch ID was about security, but about convenience. In fact, Phil Schiller specifically introduced it as being “about security” in the Apple event introducing the iPhone 5s. It’s at 55 minutes and 16 seconds into the presentation, right at the beginning of his talk about Touch ID. Apple is calling this a security feature. And that’s not an accident, given the above information about the plans for Touch ID integration with mobile payments in the future.

In the case of Touch ID, this isn’t as bad as it could be. Touch ID is a fingerprint scanner on the iPhone that only stores and uses fingerprint data locally. Your fingerprint is not being compared to a database in the cloud that enables all kinds of universal services – it’s used for functionality on your iPhone, and that’s it, for now. That means that as far as Touch ID goes, someone lifting your fingerprints and creating a usable duplicate will only be able to use it against that one specific iPhone. No other iPhones are going to recognize the print, and it’s useless anyplace else.

Where this becomes a problem is when universally accessible systems start using biometrics to authenticate you. Schools are already doing this. Disney does this. Unfortunately with systems like these, we have no way of knowing where they store the data, how they store it, who they share it with, and when they erase the data. This is exactly why security experts looked at the Touch ID announcement and wanted more information before jumping on the cheerleading bandwagon.

Dustin Kirkland, Canonical’s Cloud Solutions Product Manager, wrote an excellent blog post about the use of fingerprints as passwords, and how they’re better thought of as usernames instead. It seems pretty apparent that this is a better approach – our fingerprints certainly say who we are, but having them be the keys that unlock all the wonderful doors is probably not the greatest idea from a security standpoint.

The iPhone is massively popular. Apple knows how to take technology and make it accessible to normal people. So when Apple implements a fingerprint scanner on their most popular device, people in the biometric industry cheer. Mark Lockie of Planet Biometrics told BBC News that the biometrics industry has been waiting for such a moment. People who become comfortable with having their fingerprint scanned on their iPhones are going to become more comfortable with it being scanned for other uses, and they’re not particularly going to understand the difference between having it stored locally and securely on their iPhone and having it uploaded to a database created by or accessible by the government.

As Bruce Schneier said to me on Pocket Sized Podcast episode 129, there’s a different level of concern between local, inaccessible fingerprint data and biometric data stored in large databases on other people’s servers. If the iPhone leads to increased use of biometrics in society in general, then it’s a conversation worth having, and not to be brushed aside by tech writers who get irritated that anyone would question Apple by raising concerns.

Aside from popularizing biometrics, Apple is also certainly heading towards using fingerprint authentication as a means for changing payment systems and the payment market. Assuming this does happen, suddenly the security and privacy concerns begin to matter more than when it’s just being used to unlock the phone and make a few purchases from the iTunes store. When people say Touch ID is fine even if it’s relatively easily spoofed because it’s just unlocking your phone, they are looking at this particular moment in time and not where things are headed.

People need to be aware of what’s happening in society around us all, and how little changes here and there work together in more powerful ways. We need to be aware of the security and privacy considerations of biometrics in general, as well as with Touch ID in particular, so that we can make informed choices. Most people don’t understand either the technical or privacy challenges that biometrics pose to them, and they’ll go along without a second thought. I remember watching a documentary on the Unique Identification Number project going on in India and realizing that most of those having their eyes and fingerprints scanned had no clue what they were consenting to – not that they had any choice.

We know that surveillance by the government is a combination of things – smartphones that monitor our every move, social networks that sell our personal images and information, and increasingly our biometric data as well. Do we want to go with it all unquestioningly because Apple makes it seem cool, or do we want to stop and think about the implications in general for tying biometrics to large scale authentication and payment systems?

Touch ID is a very well implemented and convenient way to unlock the iPhone and make purchases. I’ve used it on my wife’s iPhone 5s, and I’ll use it on mine when it gets here in a couple days. I can see why people like it, and don’t want to go back to passcodes. But I also think people who get angry when someone raises questions about biometrics for authentication and payments are some of the same people who used to laugh at the idea of their own government spying on them. They aren’t willing to admit there could be downsides to a fingerprint-filled future.

I have a little daughter who will grow up in a world that either acquiesces to biometric systems completely, or considers them carefully and puts appropriate measures in place to keep them from being abused. I hope we think about these things seriously right now so we don’t pay in ways we didn’t intend to later.

About the author

Scott Willsey is a long time Apple enthusiast whose first personally owned computer was the original 128k Macintosh introduced in 1984. He has 20 years of experience working with OS X, Windows, and a variety of flavors of Unix and Linux. Scott is host of the Pocket Sized Podcast, a short, pocketable podcast about Apple’s iOS devices, such as the iPhone, iPad, iPod touch, and the Apple TV. You can find it at Scott can be reached on Twitter at @scottaw or on his podcast Twitter account at @pocketpodcast.
