Q&A about Fingerprint Scanning
Apple last week announced a new flagship iPhone, the iPhone 5s (see “iPhone 5s Announced, Knows You by Touch,” 10 September 2013). From a security standpoint, the most interesting addition to the device is its integrated fingerprint scanner, called Touch ID, which enables you to unlock the phone with the touch of a finger, rather than a passcode. You’ll also be able to make purchases from iTunes with a fingerprint scan rather than having to enter your Apple ID password.
But despite the believed uniqueness of fingerprints, using a fingerprint scan as an authentication credential isn’t a panacea for security problems. It’s worth taking a little time to understand the technology, what it can do, and how it will integrate with your digital life.
How does a fingerprint reader work? — Fingerprint recognition technology has been around for decades. It’s a form of authentication, the term used to describe the process of proving you are who you say you are. In this case, the technology scans the provided fingerprint, compares it to a database, and, if there’s a match, allows access just as a password or passcode would. While fingerprint recognition technology can technically identify you as well as authenticate you, most systems still require a username to speed up fingerprint matching and reduce errors. However, since the iPhone stores your Apple ID username, this won’t be an issue for most users.
Fingerprint readers can rely on a variety of scanning technologies. The two that can be best integrated into a mobile device are optical readers and capacitance sensors. Optical readers are conceptually simple, using what is essentially a digital camera to take an image of your finger surface.
Capacitance sensors are more complex, instead creating an image of your fingerprint by measuring the differences in capacitance between the ridges and valleys of your fingerprint. They leverage the electrical conductivity of your sub-dermal skin layer, and the electrical insulation of your dermal layer (the one where your fingerprint is). Your fingerprint is effectively a non-conductive layer between two conductive plates, which is the very definition of a capacitor. The fingerprint reader senses the electrical differences caused by the varied thickness of your dermis, and can reconstruct your fingerprint from those readings.
The Touch ID sensor in the iPhone 5s is a capacitive reader, embedded in the home button. That was a good choice on Apple’s part, since capacitive scanners are more accurate and less prone to smudgy fingers, and can’t be faked out with a photocopy of a fingerprint.
So the reader takes a picture of my finger and looks it up in a database? — Not quite. Comparing complete images is a complex — and computationally intensive — task that even powerful computers struggle with. Instead, the image from the reader is run through an algorithm that pulls highlights from your fingerprint and converts them into a digital summary — a template — that is easier to work with. This template represents your fingerprint, and varies based on the algorithm used.
The template is then stored in a database, ideally after being run through a cryptographic hashing function, just like your passwords. Passwords themselves are never stored; instead they are converted by a one-way hashing algorithm, and only the result is stored in the database. Done properly, this means your password can never be recovered, even if a bad guy gets the database.
Although details aren’t yet known, we expect that Apple uses each iPhone’s unique device code as part of the hashing algorithm. Since it’s embedded in the iPhone’s hardware, it’s effectively impossible to attack off the device with more powerful computers; on-device attacks are much slower and more difficult.
When you use your fingerprint to log in to a device, the technology images your fingerprint and runs the image through its algorithm. Then it compares the result with the value stored in the database. If the two match, you are let in just as with a password.
Apple made it a point to note that your fingerprint will never be uploaded to iCloud or any Internet server. Instead, it will be encrypted and stored in what’s called the Secure Enclave within the A7 chip itself.
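The pipeline just described, as an added example that is not Apple's code (Touch ID's real template format, hash construction and Secure Enclave internals are not public): a template modelled as a list of minutiae, canonicalised and bound to a per-device secret with HMAC-SHA256, then verified by re-deriving the keyed digest for a fresh scan. The device secret, the minutia layout and the sample template are all constructed. One caveat the description above glosses over: real captures differ slightly from one scan to the next, so a production matcher compares templates with a tolerance inside the secure hardware rather than hashing them for an exact match; this model assumes the scan has already been reduced to a canonical template.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

# One minutia: (x, y, ridge angle in degrees, kind), kind is "end" or "bif".
# This layout is a constructed simplification of what a template contains;
# it is not Apple's format.
Minutia = Tuple[int, int, int, str]
_KINDS = {"end": 0, "bif": 1}

# Placeholder for the per-device secret the article expects Apple to mix
# into the hash. On a real phone it lives in hardware and is never readable.
DEVICE_SECRET = bytes.fromhex("00" * 31 + "01")


def canonicalise(template: List[Minutia]) -> bytes:
    """Serialise the minutiae in a fixed order so equal templates give equal bytes."""
    out = bytearray()
    for x, y, angle, kind in sorted(template):
        out += struct.pack(">HHHB", x, y, angle % 360, _KINDS[kind])
    return bytes(out)


def enroll(template: List[Minutia], device_secret: bytes = DEVICE_SECRET) -> bytes:
    """Value kept in the on-device database: HMAC-SHA256(device_secret, template)."""
    return hmac.new(device_secret, canonicalise(template), hashlib.sha256).digest()


def verify(candidate: List[Minutia], stored: bytes,
           device_secret: bytes = DEVICE_SECRET) -> bool:
    """Re-derive the keyed digest for a fresh scan and compare in constant time."""
    return hmac.compare_digest(enroll(candidate, device_secret), stored)


# Constructed sample template standing in for an enrolled finger.
ENROLLED_FINGER: List[Minutia] = [
    (120, 88, 45, "end"),
    (133, 140, 270, "bif"),
    (60, 101, 12, "end"),
]

if __name__ == "__main__":
    stored = enroll(ENROLLED_FINGER)
    print("stored digest:", stored.hex())
    print("same finger, minutiae listed in another order:",
          verify(list(reversed(ENROLLED_FINGER)), stored))
    print("same template, different device secret:",
          verify(ENROLLED_FINGER, stored, b"\x02" * 32))
```

Because the digest is keyed with a value that never leaves the hardware, a copy of the stored digests cannot be checked against candidate templates on another machine, which is the distinction the article draws between on-device and off-device attacks.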
Is a fingerprint more secure than a password or passcode? — Not necessarily. In the security world, there are three ways to prove that you are who you say you are, with something you know, something you have, and something you are. Something you know is a passcode or password; something you have is a token, key, or even your phone; and something you are is a “biometric identifier,” like your fingerprint.
Using any one of those identifiers is known as single-factor authentication, and it’s considered strong authentication when you combine two or more factors. If you think about it (or watch enough TV), you can easily imagine ways to fool a fingerprint reader, ranging from a photocopy to a fake finger made from gelatin. Every fingerprint reader can be deceived, and doing so doesn’t necessarily require high technology.
Plus, if you have physical access to the database, you can run attacks against it just as though it contained passwords, by generating and testing fake templates. Not all algorithms and hashing functions are equally good, and it is easy to end up with a system that is weaker than the well-known ways we manage passwords.
In short, nothing is perfect, and a fingerprint alone isn’t necessarily more secure than a password. Worse, you can’t change your fingerprint. That’s why super-secure systems usually require a fingerprint and either a password or smart card.
Doesn’t my phone count as a second factor? — Sort of. Many of you may use your phone as a second factor to log in to services like Dropbox. In that scenario, you log in to the site with your username and password, and then Dropbox sends a one-time code to your phone, which it has on file. Since you know your password and have your phone, this counts as two-factor authentication.
Unfortunately, unlocking your phone is different, since the phone itself is the target. Thus, a fingerprint alone is still single-factor authentication, and not really more secure in a strict sense.
However, you are much less likely to loan someone your fingerprint, and while a bad guy might guess your passcode, the odds of someone stealing a copy of your fingerprint in the real world are very low, unless you are a high-risk target.
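The Dropbox-style exchange described above, as an added example (not Dropbox's own code): the server side of a second-factor step that mints a short code once the password check has passed, sends it to the phone number on file (delivery is simulated by an outbox list), and accepts the login only if the code comes back unused, within its validity window and within a small number of tries. The validity window, try limit, server key and sample user are constructed; the optional `code` argument exists only so the flow can be driven deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300   # constructed policy: a code is good for five minutes
MAX_TRIES = 3            # constructed policy: wrong guesses allowed per code


@dataclass
class PendingCode:
    digest: bytes        # keyed hash of the code; the code itself is not kept
    expires_at: float
    tries_left: int = MAX_TRIES


class SecondFactorServer:
    """Server side of the 'password, then a code sent to your phone' flow."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._pending: Dict[str, PendingCode] = {}
        # Simulated SMS gateway: every message "sent" is appended here.
        self.outbox: List[Tuple[str, str]] = []

    def _digest(self, username: str, code: str) -> bytes:
        return hmac.new(self._key, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def start(self, username: str, phone_number: str, now: float,
              code: Optional[str] = None) -> None:
        """Called after the password check succeeds: mint a code and send it."""
        code = code if code is not None else f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = PendingCode(self._digest(username, code),
                                              now + CODE_TTL_SECONDS)
        self.outbox.append((phone_number, f"Your login code is {code}"))

    def finish(self, username: str, code: str, now: float) -> bool:
        """Accept the code only if it is unexpired, unused and matches."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[username]
            return False
        pending.tries_left -= 1
        ok = hmac.compare_digest(self._digest(username, code), pending.digest)
        if ok or pending.tries_left <= 0:
            del self._pending[username]    # single use, or tries exhausted
        return ok


if __name__ == "__main__":
    srv = SecondFactorServer(b"constructed-server-key")
    srv.start("alice", "+1-555-0100", now=1000.0)     # password already checked
    phone, message = srv.outbox[-1]                    # what the phone receives
    print(f"to {phone}: {message}")
    print("accepted:", srv.finish("alice", message.split()[-1], now=1030.0))
```

The phone is the "something you have": the code only reaches the number the service already has on file, so knowing the password alone is not enough to complete the login.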
If it isn’t more secure, why switch to a fingerprint? — Practically speaking, for most consumers, a fingerprint is more secure than a passcode on your iPhone. It’s definitely more secure than a four-digit passcode.
But the real reason is that using fingerprints creates better security through improved usability. Most people, if they use a passcode at all, stick with a simple four-digit passcode, which is easy for an attacker to circumvent with physical possession of your iPhone. Longer passphrases, like the obscure 16-character one I use, are far more secure, but a real pain to enter repeatedly. A fingerprint reader, if properly implemented, provides the security of a long passphrase, with more convenience than even a short passcode.
As I wrote over at Macworld, Apple’s goal is to improve security while making it as invisible as possible.
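The passcode comparison above, as an added example that is not Apple's code: the guess space and entropy of a four-digit passcode against a 16-character passphrase, and a model of the lock-screen guard that makes the small space survivable, with escalating delays after wrong entries and an erase after a fixed number of failures. The delay schedule, erase threshold and sample passcode are constructed illustrations, not Apple's actual timings; `attempt` takes the clock as an argument so the policy can be exercised without sleeping.

```python
import hmac
import math
from dataclasses import dataclass


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes a guesser would have to try in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity in bits, for comparing passcode policies."""
    return length * math.log2(alphabet_size)


def lockscreen_success_probability(alphabet_size: int, length: int,
                                   erase_after: int) -> float:
    """Chance that random guessing at the lock screen succeeds before the erase fires."""
    return erase_after / guess_space(alphabet_size, length)


@dataclass
class PasscodeGuard:
    """Lock-screen gate: wrong entries cost time, and too many erase the device."""
    secret: str
    erase_after: int = 10
    # Constructed schedule: delay in seconds imposed after the Nth failure.
    delays: tuple = (0, 0, 0, 0, 0, 60, 300, 900, 3600)
    failures: int = 0
    not_before: float = 0.0
    erased: bool = False

    def attempt(self, guess: str, now: float) -> str:
        if self.erased:
            return "erased"
        if now < self.not_before:
            return "locked"  # entry ignored during the delay; does not count as a try
        if hmac.compare_digest(guess.encode(), self.secret.encode()):
            self.failures = 0
            self.not_before = 0.0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.erase_after:
            self.erased = True
            return "erased"
        delay = self.delays[min(self.failures, len(self.delays) - 1)]
        self.not_before = now + delay
        return "wrong"


if __name__ == "__main__":
    print("4-digit passcode:", guess_space(10, 4), "combinations,",
          round(entropy_bits(10, 4), 1), "bits")
    print("16-char passphrase:", round(entropy_bits(95, 16), 1), "bits")
    print("random guessing before erase succeeds with probability",
          lockscreen_success_probability(10, 4, 10))
```

The guard is what the thread below argues about: if it stays in the path, a guesser gets at most ten tries at 10,000 combinations; if it can be bypassed, the whole 10,000-entry space is enumerable and only the passcode length protects you.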
Does this mean the death of passcodes on my iPhone? — Not at all. First of all, iOS isn’t about to get rid of passcode support, since only the iPhone 5s will have a fingerprint reader.
Second, as you can see in this image, you will always have the option of inputting a passcode instead of scanning a fingerprint.
Third, while many of us share our iPhones with our spouses and children, Apple officially supports only a single user per device. However, Apple has said that Touch ID will allow you to set up fingerprints for trusted friends and family, so they can easily access your device.
If someone steals my phone, does that mean they have my fingerprint? — Almost certainly not. There’s no reason to keep the fingerprint itself, just the template. And as mentioned previously, your fingerprints are encrypted on the iPhone 5s (we suspect Apple really means “hashed”).
Can someone gain access to my phone with a copy of my fingerprint? — Probably. As I mentioned earlier, unless you combine your fingerprint with another authentication factor, like a passcode, an attacker needs one piece to pretend to be you.
Realistically, almost no one needs to worry about this, although I fully expect there to be a number of articles written about the efforts of amateur spies to make fake fingers. I will also start being more careful when I attend certain hacker conferences, given my prankster friends.
Will I be able to log in to my bank with my fingerprint, instead of a password? — Using your fingerprint to log in to Web sites and apps, like those from your bank, might happen eventually, but not right away. Apple must first open up API support for it, then developers need to integrate it into both their apps and the back-end authentication databases. Apple said that other apps can use the fingerprint reader, but that your stored fingerprint won’t be available to those apps. Thus we suspect initial support will be using Touch ID to access a password stored in the iOS keychain, using API support of some sort.
App makers and cloud services who want direct fingerprint access, if Apple even supports it, will also need to redesign their systems to deal with scenarios like someone’s fingerprint being compromised, or a user who also logs in from a Windows-based computer that has a different fingerprint scanner. They can’t simply switch everyone to Apple-only fingerprint templates. (And as much as having an open standard for generating the templates might sound like a good idea — there’s even an industry organization called the FIDO Alliance to promote such interoperability — who knows if Apple would eventually support it.)
But again, I highly suspect Apple will, at least for a while, mostly rely on securing credentials on the phone using the venerable Keychain, perhaps adding a feature or API support that asserts the fingerprint for that registered user was authenticated.
Also, banks are legally required to use two forms of authentication. That’s why you likely have to enter a PIN when you log in from a different device, or you must do the email confirmation dance when you log in from a new computer. Technically, though, your phone could count as a second factor, and banks could update their systems to combine the fact of having your phone with your fingerprint for access.
Will I be able to use my fingerprint to log in to my work network? — Not right away. Although Apple is adding enterprise-level single sign-on (SSO) support in iOS 7, your work network and applications will still need you to authenticate using your existing username and password. SSO merely means you don’t have to re-enter those credentials for every work system. Over time I expect to see vendors offer tools to allow you onto your work network after you authenticate using your fingerprint on your iPhone, assuming your IT department approves.
Why is this so important? — Apple isn’t the first company to add a fingerprint reader to a phone. I’ve tested laptops with fingerprint readers and seen phones with embedded readers. The real excitement is that Apple will make this technology accessible to many millions of consumers.
Doing so will dramatically improve the security and usability of the iPhone 5s for average users. I hate needing to enter a strong passphrase on a tiny keyboard, especially when I’m walking around. A fingerprint reader will be far more convenient, and essentially eliminate the less secure four-digit passcodes most people use, if they use one at all.
Combine this with the fact that many users now use their phones as a second factor when logging in to a variety of cloud services, and you can see that improving the security of the iPhone 5s could generally improve the security of significant aspects of the Internet. That won’t happen overnight, but improving security at any access point improves security for the entire system.
Once we see usable fingerprint authentication made widely available for consumers, life for the average attacker is going to get a lot harder.
You wrote: "Practically speaking, this isn’t something hardly anyone needs to worry about..."
I don't think that's what you meant to say (think double-negative).
I've recast to make it more clear, thanks!
You wrote: "Worst yet, you can’t really change your fingerprint..."
Honest question: Couldn't I just switch to a different finger, or do all of my fingers have similar patterns?
I understand that all of your fingerprints are different and that the phone will store up to five prints leaving you at least five more fingers to use if your device is compromised.
Does anyone else have better information?
That is correct, Charlie. The 5s stores five fingerprints, either your own or those of trusted parties.
Sorry about that, we wrote in a hurry. Fixed!
Mmm... should I give my fingerprint scan to the guys at PRISM? No way.
Read the article: your fingerprint never leaves the phone.
Who said that? Apple? : D
Someone will attempt to intercept the data the iPhone transmits, you can be sure of that. They'll turn off other options in an attempt to isolate just the one exchange with the server. It will probably be encrypted, but even so you'll be able to eliminate the possibility of it being an entire fingerprint just based on the amount of data being transferred.
A finger print is a huge amount of data, the "digital summary" is a small bit.
The phone never transmits fingerprint data.
That was my point, Rich. Sniffing will prove the fingerprint isn't transmitted based on the size of the exchange. :)
Or, in other words: Sure, Apple says it. But we don't have to trust them. We can prove it.
I'd like a two-factor combination option, e.g. fingerprint plus a passcode for added security. If the iOS password is more than 4 characters, it seems this would be a practical identity authentication option, better than only print or pw...
I concur. This seems like the best way to go by far, especially since the fingerprint option is so easy. Enter the 4 digit passcode and tap the home button (read: fingerprint) to enter. Done! And way more secure!
Or, how about the Michael Johnston approach? Create a complex passcode but make it one letter or character long. What are the odds of being able to guess the single character? Used along with a fingerprint ID would be both easy and secure it seems to me.
RE: "four-digit passcode, which is easy for an attacker to circumvent with physical possession of your iPhone"
Actually, a 4-digit PIN on iOS can't be brute-forced easily. iOS increases the length of time between tries with each wrong entry.
On the other hand, an Android device's PIN can easily be brute-forced.
Came here to say that.
Also, you can configure the phone to wipe itself after N retries and it is customary for phones with company profiles to have that set.
Not true I'm afraid. The attacker can use jailbreaking tools to boot the phone from a custom ramdisk image and then brute force the PIN fairly quickly (well under an hour). An iPhone with a 4 digit PIN is not secure.
Are you currently able to jailbreak an updated but never-jailbroken phone without unlocking it first?
Can you clarify that jailbreaking tools would still work if the iPhone had the "TEN ATTEMPTS THEN DELETE" option enabled on a 4-digit passcode? I mean, would the tool be able to avoid the limit of ten attempts, or do you mean the tool can break in within ten tries?
If the iPhone’s unique device code is part of the hashing algorithm, then doesn't this represent a security risk? Who else knows the Device ID?!
The article contains "... and then Dropbox sends a one-time code to your phone, which it has on file..." in the Two Factor Authentication part... This is totally wrong information and shows that the author has not understood the Dropbox (and other) Two Factor Authentication procedure. In fact there is nothing sent from the server to the phone! Which is very important for this technique! Go and look it up! This "mistake" makes the remaining article a bit obsolete for me!
Oder,
When you add a new device to Dropbox, if you have two factor enabled, it sends a one time code to your cell phone as an SMS. I use this procedure regularly myself. After you authenticate, you can then authorize the device via OAuth for future access. It's a little different based on the Dropbox client you are using, but the essential process is correct. And you still need to log into the Dropbox site with your password, now with that one time, 6-digit code. Since the code only goes to your registered phone (something you have) and you use your password (something you know) it is 2-factor.
If you provide more specifics, that will help me understand what you think is incorrect.
One VERY BIG fly in the ointment: A few years ago I bought a ThinkPad with fingerprint id logon. I was in my mid-late 60s at the time. The only way to make the reader work is to lick my finger before scanning; it seems that as one ages, his fingerprints actually wear down some, and scanning them becomes unreliable. Getting past the hygienic aspects of the logon, it was a PITA. So I ended up disabling the reader and using password logon. Unless/until the new generation of readers solves this problem, it will remain a sideshow for tekkies to show off to their friends. Strangely, no reviews or commentators have addressed this point.
sas
I think that's an interesting perspective. I hope you'll get a chance to try an iPhone 5S and report back. If you have a friend or relative with one, maybe they could let you have one of their finger entries as a test. And, of all the things with aging to be concerned with, now we all know that the wearing down of our fingerprints is an emerging concern! Maybe there's a botox fix? ;-)
Also, http://www.scientificamerican.com/article.cfm?id=lose-your-fingerprints
Since the Apple approach is not to scan the fingerprint but to measure the capacitance of the sub dermal layers, would this actually be an issue? And, since we all upgrade our phones every year, I doubt that our "fingerprints" will have changed that much…
More seriously, I wonder how well the system will work when one's fingers are really cold or wet.
Apple told the WSJ that the fingerprint sensor doesn't like sweat, so I'm guessing wet fingers won't work well.
Since when is aging the only way to wear down the fingertip tissues? Manual labor can temporarily do the same thing, or is that an obsolete behavior? Yet the tissue can regrow somewhat. My fingers have had the trials and tribulations, and are nominally of similar, pre-baby boomer vintage. I've had more issues with conductivity variations on touch screens; one hand is less reliable than the other. Aren't idiosyncratic quirks difficult to accommodate when designing for large groups?
I want an iWatch with ONE feature: Let-me-in.
As soon as my iWatch is near my iPhone/iPad/Mac (proximity sensor, 2-3 meters/yards) they are unlocked. And as soon as my iWatch moves away from my iPhone/iPad/Mac, they lock automatically. Thus I only need to input my password once a day into my iWatch.
Also it should have a sensor which locks the iWatch when the watch strap is opened, so the password must be reentered. I think a robber won't cut my hand off my arm to get my unlocked iWatch, but cutting off a finger to unlock an iPhone 5S is more probable anyway.
The iWatch could even have a second emergency password which unlocks it like the regular one, but only for a few minutes, and also unnoticed calls the police and sends its GPS coordinates.
No other manufacturer except Apple can build such a watch, since most of the function (let-me-in) must be built into MacOS and iOS.
Love this article. Posted a link to it over on the Loop. Was wondering, is a capacitance reader vulnerable to a Play-doh copy of my fingerprints as some other readers are?
Thanks for the link, Dave! I'll leave Rich to the question about the dummy fingers.
Dave,
We don't know yet. It will certainly be susceptible to some substances, but not sure which ones. The ring (I think, no confirmation from Apple yet) adds a signal to your finger and that might reduce certain kinds of spoofing.
I expect people will figure it out and have it on YouTube within a couple hours of release. You can definitely spoof all fingerprint readers, but what works on specific ones is up in the air.
Cool. Fascinating stuff!
Found this, via Gruber: http://www.citeworld.com/security/22399/iphone-fingerprint-scanner-better-biometrics
In short, Touch ID contains an RF sensor as well, so it only works with living tissue. A dummy or severed finger will not work.
Too funny. Yup, found that same article. Thanks!
Here's the answer, from one of our readers:
http://www.citeworld.com/security/22399/iphone-fingerprint-scanner-better-biometrics
Would take a live finger to fool the sensor.
The fingerprint is kept in an "enclave" in the phone. Does it get wiped with an "Erase All Content And Settings"? The answer has implications regarding reselling an iPhone 5s and other future iPhones with this, and implications for what happens when an iPhone is replaced by a genius at an Apple Store.
Here's hoping 1Password gets support to use fingerprints to log into my credit card and banking sites, and that the iPad gets fingerprint support. Online bill paying would be a much less cumbersome process.
One of my first jobs was with the US government where I was fingerprinted. Now retired, I wonder if these prints are still on file, and who would have access to them. I don’t expect to purchase an iPhone 5s, but if fingerprints are added to later Mac devices, could someone compare old prints with the fingerprint on an iPhone 5s or later Mac device?
In this case, it would seem unlikely, since your old prints are likely readable mostly with an optical reader, and it would likely be nearly impossible to reverse Apple's algorithm and extract the template from the Secure Enclave on the A7 chip such that the two could be compared.
Of course, if that first job was with the CIA and you had an exciting life as an intelligence agent and a foreign government wanted to steal your iPad in order to impersonate you to take advantage of your previous security clearance, perhaps it would be possible to move from an old print to something that could fool the Touch ID capacitive scanner.
Of course, threatening you with a wrench would be easier. :-) http://xkcd.com/538/
I find a thumb scan definitely increases usability, because that's one less password to remember.
My question is, can the four digit pin code be switched off? Is the pin always a secondary option if scanning fails?