As predicted, Apple yesterday announced the iPhone 5S with a fingerprint scanner. This feature will allow users to simply touch the home button to unlock the device, assuming they have stored their unique pattern in the iPhone’s protected memory. This approach to locking a phone is a fine balance between security and convenience, but it’s far from absolute. Just because your fingerprints are unique, that doesn’t necessarily mean no one can use them to gain access to your phone.
If you have a password or PIN code keeping your phone secure, that’s something you can easily keep to yourself. However, you leave fingerprints on everything you touch. Someone with just a little know-how could possibly retrieve those prints from a smooth object and use them to bypass the scanner.
Some fingerprint scanners are easier to fool than others, though. It all comes down to how meticulous the system is in making sure only authorized users are granted access. A biometric system can fail to do its job in one of two ways. It could be too loose with the standards and allow the wrong person in, or it could be too strict and keep the authorized user from accessing his or her data. The second kind of failure is by far the more irritating, and that’s the one Apple is going to want to avoid. This is a company that prides itself on the user experience. A phone that you can’t unlock is not a good experience.
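The two failure modes above are usually measured as a false accept rate (FAR) and a false reject rate (FRR), both set by a single match threshold. The following is an added example, not from the article or from Apple: the scores are constructed, the matcher is hypothetical, and all function names are assumptions.

```python
# Constructed similarity scores (0-100) from a hypothetical fingerprint matcher.
# GENUINE: the enrolled finger under varying conditions (cold, moisture, a scratch).
# IMPOSTOR: other people's fingers presented to the same sensor.
GENUINE = [91, 88, 75, 83, 62, 95, 79, 58, 86, 70]
IMPOSTOR = [12, 35, 41, 22, 55, 30, 64, 18, 47, 27]
THRESHOLDS = [30, 40, 50, 60, 70, 80]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when any score >= threshold unlocks the device."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # wrong person let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # owner locked out
    return far, frr


def strictest_within_frr(genuine, impostor, thresholds, max_frr):
    """Convenience-first tuning: the highest threshold whose FRR stays <= max_frr."""
    ok = [t for t in thresholds if error_rates(genuine, impostor, t)[1] <= max_frr]
    return max(ok) if ok else None


def equal_error_threshold(genuine, impostor, thresholds):
    """The threshold where FAR and FRR are closest to each other."""
    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t in THRESHOLDS:
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"{t:9d}  {far:.2f}  {frr:.2f}")
    # Tuning so the owner is never rejected on this sample costs a 20% FAR.
    t = strictest_within_frr(GENUINE, IMPOSTOR, THRESHOLDS, max_frr=0.0)
    print("never-reject threshold:", t, error_rates(GENUINE, IMPOSTOR, t))
    print("equal-error threshold:", equal_error_threshold(GENUINE, IMPOSTOR, THRESHOLDS))
```

On this sample, a threshold that never rejects the owner also accepts two of the ten impostor attempts, which is the cost of tuning for convenience.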
The iPhone 5S fingerprint reader is probably tuned to ensure users don’t have to swipe more than once. There are many things that can affect the appearance of your fingerprints — cold weather, moisture, or even a small scratch. Something that the new iPhone has going for it is the use of capacitive technology to acquire the image of your fingerprint. This should be enough to ensure a simple photocopy can’t bypass the scanner.
Your iPhone isn’t Fort Knox, though. It’s probably fine if the device allows some wiggle room in fingerprints. Just a few frustrating instances where the device denies access, and most people would turn the feature off. When the iPhone 5S is released, everyone is going to try to fool the scanner. This will probably become the most common consumer-level fingerprint reader on the market. We will discover ways to fool it eventually, but maybe that’s not the real problem.
Apple went out of its way to explain that your fingerprint data is stored on the A7 ARM chip, not in iCloud, and not anywhere else online. Apps are not supposed to have access to the encrypted fingerprint data, but this makes any potential security flaw a much bigger deal. If the Touch ID data could be extracted by an exploit, it would give the attacker your fingerprint instead of a password. Passwords you can change, fingerprints not so much.
Additionally, Apple must have some access at a low level to read and write new fingerprint data. So is there some method for extracting it if you have the device in hand? If so, law enforcement agencies, such as the NSA, would probably be quite interested in that. Maybe it’s best to just stop touching things.