Ben Sullivan explores the pros and cons of Apple’s latest iPhone feature
The new iPhone has a sleek, metal ring, subtly encircling the home button like a little halo of security. What is it? Well you must know already that it’s a fingerprint sensor – called the Touch ID.
The technology built into Apple’s latest offering, which was unveiled on Tuesday, allows users to access their phones with a press of a finger without the need to type in a password, number code, or a pattern.
The Touch ID will also allow iPhone 5s users to buy songs from iTunes just a swift swipe of a finger, all by using biometric technology, which obviously uses the user’s fingerprint pattern.
So is this a heralding to the end of the password or just a neat gimmick that has rather deep security flaws?
Touch ID’s metal ring replaces the traditional home button
Fingerprint scanners have been in existence for a long time now, they’re nothing new. Scotland Yard was even using fingerprints as early as 1901, and using biometric date even appeared in some of Doyle’s Sherlock Holmes stories.
Scanners are widely used on PCs and laptops already, and there’s even been a mobile phone with this technology – the Motorola Atrix, but it was plagued with problems and was soon dropped from existence.
So, with the technology already used and in circulation, why has it taken this long to roll out onto mobiles, and will it mean the end of the password.
Dirk Sigurdson, Mobilisafe’s Director of Engineering at Rapid7, says:
A strong password that is only stored in someone’s brain is arguably the best single factor of authentication. But, it’s inherently difficult for people to create and remember strong passwords. Because weak passwords are often used, assuming the iPhone fingerprint reader and matching algorithm do a good job of protecting against fake fingers, biometric authentication should overall improve the security of iOS devices."
However, he warns that "Apple has on a number of occasions released flawed versions of its passcode lock implementation which allows attackers to bypass lock screen protections. With the added complexity of biometric authentication it’s likely that we’ll continue to see vulnerabilities related to these features. It will remain important for companies to monitor iOS vulnerabilities and to implement a method for updating devices when fixes are available."
Apple’s intention to focus on biometric technology was made clear in July 2012, when it bought mobile security company Authentec, which developed fingerprint sensor chips, for $356m (£226m).
The investment caused shares in other biometric firms to rise on the back of speculation that they too might become takeover targets.
But there are many critics to fingerprint technology. Prof. Mark Nixon of the University of Southampton says: "We’re all essentially walking passwords," but warns that "despite biometrics offering a more convenient way of securing our devices, it is "no panacea", and there are pitfalls."
The first thing that companies and users should be worrying about, before vulnerability from the outside, is that they themselves get locked out of their devices if the technology should fail. And what happens if it’s wet, or you cut your finger? Apple’s answer to that is supposedly in the advanced technology, which scans on a deeper epidermal level than usual, so surface discontinuity on your finger ‘should’ not be a problem. If this doesn’t work, the consequences for Apple could be disastrous. Users would be throwing out their iPhone in a matter of days if they’re getting locked out of their phones.
We then move on to the possibility of unwanted people, even criminals, being able to gain access to your phone.
"Fingerprint readers are undoubtedly not particularly secure," says Dr Andrew Martin, from the University of Oxford’s department of computer science.
Just like in the spy movies, fingerprint technology can be ‘hacked’. Using gelatin, the stuff that makes Gummi bears, people that are not eve that clued up with science can fake a fingerprint. And our fingerprints are everywhere.
Security expert Graham Cluley says: "It’s an important reminder to everyone that fingerprints are not private, you leave them lying around everywhere, and if someone has enough incentive – and the resources available to them – they may try to defeat any security system that you trust your fingerprint to unlock."
"One thing is for sure. With the launch of the iPhone 5S, more people will be using fingerprint sensors as part of their daily security than ever before – and the hackers will be certainly intrigued to see how they might circumvent it."
Graham goes on to say: "It’s inconceivable that malicious hackers and data thieves won’t try to subvert Apple’s Touch ID fingerprint scanning technology. How capable they will be at doing that, remains to be seen. But expect hackers to start looking at the system as soon as they can get their hands on one of the new iPhone 5S smartphones."
Popular science show Mythbusters has even broadcast how to clone a fingerprint, so getting the knowledge of how to do it is definitely in the mainstream.
We then move onto the privacy concerns.
Biometric data is usually encrypted and stored on a device’s local processor, but this method is by no means foolproof, especially if the data is being used to carry out online transactions.
And after the leaks by whistle-blower Edward Snowden highlighted how the NSA and GCHQ government agencies monitor our online activity, many will be wary of having information about their body stored in digital form.
So, you’re thinking, the government or unwanted snoopers can already track your location and access data in your cloud, do you really want to be adding your biometric data to one massive database for them to have?
"It’s a valid concern, and one of which Apple is keenly aware. The company says that fingerprint data is encrypted and not sent to its (or anyone else’s – sorry, NSA) servers," says Graham.
"Instead, the fingerprint data will be stored in encrypted form on the device (in what Apple calls a "secure enclave" of its new A7 chip), where it is not available to other processes, and will not be backed up to iCloud, Apple confirmed."
Despite obvious drawbacks, technology companies around the world are teaming up to make biometric security the standard system for online purchases.
The Fido (fast identity online) Alliance – which includes Blackberry, Google and Paypal – exists to "reduce the reliance on passwords to authenticate users".
It advocates a recognised, easy-to-use system for using biometrics in online purchases, logins and even to verify a big decision such as "delete all my emails".
Furthermore, biometric systems’ ease may outweigh the potential security risks – at least for the average mobile phone user.
"What you really have to do is look at the bigger picture and ask who it is you are protecting against," says Dr Martin.
"No one would argue that these biometrics are terribly secure, but they are convenient to use and avoid problems like being overlooked while typing your password."
But surely nothing can beat a secure password that’s only stored in one place, your brain.
That’s why some companies are developing "multi-modal biometrics", systems that use a few different techniques in tandem, such as an iris reader, voice recognition and fingerprint technology – adding more layers of security.
Andrew Hindle, the global technical director at Ping Identity, says:
"The more passwords we’re forced to remember, the more we’re likely to forget or write down in an effort to ensure we always have access to the accounts that matter. This leaves us open to the risk of identity theft and fraudulent activity.
"There are, however, a number of technologies emerging to challenge the dominance of the password, such as biometric identification and Single Sign-On, whereby one secure identity is used to gain access to multiple applications, without having to share sensitive personal information, or create new accounts and passwords.
"Security is moving towards password-free era, but the demand for online convenience shouldn’t come at the cost of security. Putting identity at the heart of the equation will ensure the simplicity that consumers want, whilst providing the security experience they deserve."
Some of Google’s Android devices come with a facial recognition system, which has been generally successful in easing the process of logging in, although it can be fooled if the handsets or tablets are pointed at a photo of the user. I’ve tried it.
Another recent experiment, by technology company LINK Bionym, uses a wristband to measure the rhythm of your pulse, which it says is unique to each person.
And there may be even more coming.
Cybersecurity systems tend to be based on three identifiers: something you know, like your mother’s maiden name; something you have, like an access code or password; and something you are, like your fingerprint or iris.
GPS-enabled smartphones enable you to add yet another dimension: "somewhere you are".
A smartphone could potentially block a log-in from a phone that is suddenly not in its usual location, which particularly useful in the case of a theft.
Overall, however, the evolution of biometric technology is still a gradual process but there’s no doubt with advancing biometric security, passwords will eventually be replaced. Just don’t bank on its safety just yet.