Apple has just announced two new iPhone models; one of them, the iPhone 5S, comes with a fingerprint reader. Like others I believe this is no silver bullet, but it is a step in the right direction in terms of helping the masses to secure their iPhones.
There are two main areas of potential security failures:
- Fingerprints can be copied, and once compromised you can’t “change” them for new ones;
- The security of the fingerprint reader’s implementation will be critical: any defect or flaw could be exploited to gain unauthorised access.
Apple may not be the first company to embed a fingerprint reader into a phone, but as it did for tablets and smartphones, it will be the company that popularises its usage and sets the direction for others to follow. This is likely to be emulated, and we will probably soon see fingerprint readers everywhere.
Because it is actually a very convenient way to unlock/authenticate, it is very user-friendly if done right and somewhat secure/unique (as long as the fingerprints are not compromised). It means users will love it, and will prefer that way of authenticating over having to remember a very long password, or a different one for each system they need to authenticate to. It makes sense for some kind of password safe to be released at some point, either by Apple or a third party, that would leverage the fingerprint reader to authenticate users to all their systems. In the background you would still be using long, random and unique passwords, but as a user all you would be asked to do is select which website/system you want to sign on to and authenticate with your fingerprint, so that the safe retrieves that secret password for you and uses it to log you in.
All this is great, and I would love to use such a system. But as fingerprint readers become more and more popular, and especially more and more available, so will the points of failure.
If every device has a fingerprint “read-er”, every device could also act as a fingerprint “captur-er”!
And your precious fingerprints could be compromised through malware or social engineering by leveraging features like guest access, micro-payments, fun apps that pretend to predict your future by reading the shape of your fingerprints, etc.
More importantly, because today’s smartphones rely on “touch technology”, users’ fingerprints will be left all over the device’s touch screen. It means that if someone steals your smartphone, they also steal the very information they need to gain access: your fingerprints. The challenge then becomes one of “lifting” those fingerprints from the touch screen to re-use them.
Also, the more popular fingerprint readers become, and the more embedded their usage is in how the masses authenticate to different systems, the more attractive it will be for attackers to target this means of authentication. There is already a hacking challenge that aims to do just that: the Hackers iPhone5s bounty.
What Apple has just done is provide an answer to a problem people are increasingly aware of: protecting your password whilst making it simpler to authenticate in the process. This is bound to catch on.
To conclude, in the short term this will be a huge security step up for most people, “normal” people who do not handle state/corporate secrets. In the medium to long term this may actually backfire, because a fingerprint alone is no security silver bullet. However, combining fingerprint authentication with more traditional mechanisms such as passcodes or passwords might actually provide extra security through embedded dual-factor authentication.
Nonetheless, well done Apple for aiming in the right direction!
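To make the password safe sketched above and the dual-factor combination from the conclusion concrete, here is an added Python sketch written for this post; it is not Apple’s design nor any real product’s code. The sensor match is simulated by an enrolled template id, HMAC in counter mode stands in for a real cipher, and the point it shows is that the fingerprint only gates access while the stored passwords are sealed under a key derived from the replaceable passcode.

```python
import hashlib, hmac, os, secrets

def derive_keys(passcode, salt):
    # All key material comes from the changeable passcode, never from the fingerprint.
    km = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode; a shipping vault would use AES-GCM instead.
    n = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n))[:length]

def seal(keys, plaintext):
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC

def unseal(keys, blob):
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong passcode or tampered vault")
    return bytes(c ^ s for c, s in zip(ct, keystream(enc_key, nonce, len(ct))))

class Vault:
    def __init__(self):
        self.salt, self.entries, self.enrolled, self._keys = os.urandom(16), {}, set(), None

    def unlock(self, passcode):          # factor 1: something you know, and replaceable
        self._keys = derive_keys(passcode, self.salt)

    def enroll(self, template_id):       # hypothetical stand-in for the sensor's enrolled fingerprint
        self.enrolled.add(template_id)

    def add_site(self, site):            # the user never sees this long, random, unique password
        self.entries[site] = seal(self._keys, secrets.token_urlsafe(24).encode())

    def fetch(self, site, template_id):  # factor 2: a sensor match gates retrieval
        if self._keys is None or template_id not in self.enrolled:
            raise PermissionError("needs an unlocked vault and a matching fingerprint")
        return unseal(self._keys, self.entries[site]).decode()

    def rotate_passcode(self, old, new):
        # A leaked passcode is replaceable, so it alone keys the data; a lifted fingerprint is not.
        plain = {s: unseal(derive_keys(old, self.salt), b) for s, b in self.entries.items()}
        self.salt = os.urandom(16)
        self.unlock(new)
        self.entries = {s: seal(self._keys, p) for s, p in plain.items()}
```

A copied vault file or a lifted fingerprint on its own yields nothing here: the blob fails its MAC without the passcode, and `fetch` refuses a match against a locked vault.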