"So hyperbole aside, #Apple just set back "real security" several years with this fingerprint gimmick (for the masses)? Awesome."

That was supposed to be a bit ironic; some people got that, others got mad at me, and a few were insightful. I've been thinking a lot about this Touch ID that Apple has released with their latest version of the iPhone, the 5S. For me it all comes down to the opening paragraph of the above-referenced page on Touch ID:
"Much of our digital lives are stored on our iPhones, and everyone should use a passcode to help protect this important information and their privacy. Unfortunately, not everyone does; more than 50 percent of smartphone users don't use a passcode. Your fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike. Touch ID is a seamless way to use your fingerprint as a passcode. With just a touch of the Home button of your iPhone 5s, the Touch ID sensor quickly reads your fingerprint and automatically unlocks your phone. You can even use it to authorize purchases from the iTunes Store, App Store, and iBooks Store."

Before we get into this, let me first give credit to Apple for the good things they've done with the latest version of the iPhone and beyond. First, they've forced everyone to put in a passcode - this is already a leap forward. I've been telling people to protect their phones with a passcode, but it seems like every day I see someone new who isn't following that line of thinking and I have to explain it all over again. So this push toward something is better than nothing. Also, a 1 in 50,000 chance is always better than 1 in 10,000, but when you consider that many people never even used the passcode feature before this version of the phone, this seems kind of irrelevant. I wonder if Apple has statistics on how many people never enable the passcode at all; I'd be much more interested in that, although I suspect no one will ever give this information out, unfortunately.
Now, let me explain why I call Touch ID a gimmick. But one more thing first... let me tell you what I'm taking as truth here:

1. Apple is a largely consumer-based company, and markets primarily to the consumer
2. The consumer demographic doesn't necessarily know the difference between good security and the stuff they see in the movies
3. If you put 1 and 2 together above, you get "What Apple says, people believe as gospel" for a large part of their user base (in other words: not for everyone)
OK, now that you understand where I'm coming from, let me move on.
To explain why I believe Touch ID is a gimmick I will simply cite two sources on the subject. First, a presentation from PacSec 2006 (that's right, 7 years ago) on the quality and worthiness of fingerprint readers as authentication mechanisms. You should walk through those slides on your own (Apple probably missed them), but if you're in a pinch let me sum it up for you with the conclusion Starbug reaches:

"Don't use fingerprint recognition systems for security relevant applications!"

You're probably saying to yourself, "self, but this application isn't necessarily high security," and I would agree with you if you weren't wrong. The problem is that this fingerprint application is the key to your phone, and can be set up to authorize purchases, as Apple tells us. As soon as this catches on, the average user will be asking for Touch ID to be the authenticator of choice for Facebook, Twitter, and other applications that need authentication. Trust me, it'll happen. Right - but there's a 1 in 50,000 chance of your fingerprint colliding with (being close enough to) someone else's, right? Except that after 5 unsuccessful attempts you still have to use your passcode, so an attacker never gets the full 50,000 tries. Wait. Then we're back to the 1 in 10,000 4-digit passcode? That can't be right... the logic doesn't make sense here. Does it make sense to you?
OK, moving on. Instead of trying to tell you why I think fingerprints are a bad idea for authentication, I'll just point you to Dave Aitel's "Daily Dave" mailing list, which quotes Dave:

"...[T]here are two important reasons why biometrics won't work, and why the old-fashioned password is still a better option: a person's biometrics can't be kept secret and they can't be revoked...Since a person can't change their fingerprint or whatever biometric is being relied upon, it's 'once owned, forever owned.' That is biometrics' major failing and the one that will be hardest to overcome." - Dave Aitel, USAToday, 12 September 2013

So let me sum it up for you...
- Because it's Apple, you'll now have a massive user base believing fingerprints are infallible, and likely be demanding this type of authentication for more applications (psst! your enterprise application is next)
- Your super-secure fingerprint vault and amazing scanner (1 in 50,000 chance of collision) still defaults to a simple passcode (1 in 10,000 chance of guessing) after 5 failed guesses
- Your fingerprint is relatively simple to find and duplicate, because it's not secret
- You can't change your fingerprint once it's copied and compromised (uh oh)
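As an added illustration, not from the original post, here is a small model of the unlock policy described above: five fingerprint attempts at the quoted 1 in 50,000 false-accept rate, then fallback to the passcode. The passcode attempt cap, the 6-digit comparison and the "common PINs" figure are assumptions used for comparison only.

```python
from fractions import Fraction

# Figures quoted in the post: Touch ID false-accept rate, the 5-attempt cap,
# and the size of a 4-digit passcode space.
TOUCH_ID_FAR = Fraction(1, 50000)
FINGERPRINT_TRIES = 5
FOUR_DIGIT_SPACE = 10 ** 4

def fingerprint_bypass_probability(far, attempts):
    """Chance that at least one of `attempts` presentations of a non-owner's
    finger is falsely accepted, treating each presentation as independent."""
    return 1 - (1 - far) ** attempts

def passcode_guess_probability(space, guesses):
    """Chance that `guesses` distinct guesses over `space` equally likely
    passcodes hit the right one. Pass a smaller `space` to model users who
    pick from a handful of common codes (the post's "1234" scenario)."""
    return min(Fraction(guesses, space), Fraction(1))

def unlock_probability(far, fp_attempts, space, pc_guesses):
    """Attacker's overall chance: fingerprint tries first, then, once those
    are exhausted, passcode guesses against the fallback."""
    p_fp = fingerprint_bypass_probability(far, fp_attempts)
    p_pc = passcode_guess_probability(space, pc_guesses)
    return p_fp + (1 - p_fp) * p_pc

def compare_fallbacks(pc_guesses=10):
    """Assumed scenario: `pc_guesses` passcode attempts before lockout/wipe.
    Returns the overall unlock probability for each fallback passcode choice."""
    scenarios = {
        "4-digit PIN": FOUR_DIGIT_SPACE,
        "6-digit PIN": 10 ** 6,            # assumed stronger fallback
        "~1000 common PINs": 1000,         # constructed weak-choice figure
    }
    return {name: unlock_probability(TOUCH_ID_FAR, FINGERPRINT_TRIES, space, pc_guesses)
            for name, space in scenarios.items()}

if __name__ == "__main__":
    cap = fingerprint_bypass_probability(TOUCH_ID_FAR, FINGERPRINT_TRIES)
    # Five capped tries at 1/50,000 come out almost exactly at 1 in 10,000.
    print(f"5 capped fingerprint tries: {float(cap):.6f} (about 1 in {round(1 / cap):,})")
    for name, p in compare_fallbacks().items():
        print(f"{name:>18}: {float(p):.6f} (about 1 in {round(1 / p):,})")
```

The point the numbers make is the post's own: once the sensor is capped, the fallback passcode dominates the attacker's odds, so a weak backup code erases whatever the fingerprint added.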
But now we get to the really fun part, in case you're still not clear on why this is a gimmick at best, and a bad, bad idea at worst. Put your tinfoil hat on and follow me here for a minute.
Apple now has control of one of the largest fingerprint stores in the world (albeit mathematical representations, and distributed... so we're told), potentially larger than many local law enforcement or federal databases by sheer size. Remember, more than 9 million iPhone 5S's were sold just over the weekend of Sept 20 - 22nd. How long until the NSA or some Federal entity comes calling, asking Apple for access to that mechanism, or asking Apple to modify the code? Feel secure right about now, do you?
So why does this set back real security at least a half-decade? In my mind, we the "community" have been working very hard to change end users' behaviors, to get them to make more complex passwords (passphrases), not re-use them, etc... and now along comes Apple promising security with the swipe of a finger. And just like that... poof, all that work we've done is out the window. Users will swipe their finger, enter 1234 as their backup passcode because the fingerprint is "good enough", and we're back to where we started.

CCC breaks Touch ID blog post: http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid