iPhone 5S fingerprint reader: Doubling down on identity, a death knell to passwords?


Summary: Apple's addition of a fingerprint reader in its latest smartphone, the iPhone 5S, is part of its strategy to double down on device security.

iPhone 5S' fingerprint reader, dubbed "Touch ID." (Credit: Apple)

Apple has unveiled its smartphone's latest weapon: a fingerprint reader it's calling Touch ID.

With its move, Apple could end up making the technology commonplace, as rivals might feel compelled to follow suit. It could be only a matter of time before passwords and passcodes are relegated to yesteryear.

In making the iPhone 5S one of the first mainstream smartphones in the Western market to include hardware security, Apple has not only declared war on passwords and weak security, but it has begun to reinvent the notion of device and online identity.

The iPhone 5S' fingerprint reader will act as a first line of defense against would-be thieves and hackers — even intelligence agencies, to a degree — guarding against identity and content theft, fraud, and surveillance.

Apple marketing chief Phil Schiller said at the Tuesday event that the Touch ID fingerprint scanner will be used to access a user's device more quickly, as well as to prevent unauthorized users from accessing a device's data. The scanner can also be used for app purchases.

The fingerprint data will be stored on the device, and will not be backed up to iCloud, Apple confirmed.

Once a feature traditionally aimed at business customers, fingerprint technology has increasingly seen an uptick in consumer devices, notably laptops. With a swipe of a finger, a device can unlock or decrypt documents without the need for remembering passwords.

But fingerprint reading technology has been dogged with problems — namely, that it's not so hard to crack — and that's something Apple is trying to address. Motorola first launched its Atrix smartphone with fingerprint reading technology, but it was reportedly dropped as consumers complained of errors. In Japan, many phones designed in part as digital wallets for electronic payments also feature biometric security. This trend is set to continue later this year, following reports of a push in the South Asian market.

In doing this, Apple is not only going after consumers, but businesses — with iPhones and iPads making their way into more companies.

The path Apple took to reach this point officially started long before the company acquired fingerprint and biometrics firm AuthenTec for $356 million in June 2012, with patent applications spanning back as early as 2009. Later, in October 2012, Apple inked a deal with Australian fingerprint security company Microlatch, sparking further rumors that a future iPhone would include fingerprint recognition technology, along with other security features embedded in its iOS software. 

The iPhone 5S' fingerprint reader authenticates a user's identity, preventing unauthorized users — such as thieves — from accessing the device's data. (Credit: Apple)

Biometric and fingerprint technology has long been criticized by security experts. Biometrics are not an exact science and can be fooled. In some cases, confectionery and Play-Doh can be used as simple and cost-effective ways to skirt fingerprint security.

Apple's bid to future-proof the iPhone meshes well with existing security shifts and trends such as epidemic levels of phishing, device thefts, and malware. Its new fingerprint sensor likely means basic password security will take a backseat in favor of an increased focus on personal online identity. And it could negate the need for two-factor authentication and password-reset questions.

The move may help companies like PayPal, whose apps and payment services rely on ensuring the utmost levels of security. 

PayPal Chief Information Security Officer Michael Barrett alluded to the iPhone 5S' upcoming biometric technology at the Interpol conference in May. He said, according to Macworld, that users pick "poor passwords" and "reuse them everywhere." He added: "That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the Internet."

PayPal this year helped launch the Fast Identity Online (FIDO) Alliance, which is aiming to do away with passwords and codes, focusing instead on common and open standards. BlackBerry, Google, and Lenovo, a major player in the Chinese market, are also members of the group.

While devices may be replaceable, data loss can be catastrophic for the owner if it lands in the wrong hands. Despite backups and cloud-based storage, this "security" to "identity" shift suggests the iPhone maker recognizes that data is tied to an identity, not an easy-to-crack access code.

It comes just months after calls from New York Attorney General Eric Schneiderman for the smartphone industry to make devices and data more secure.

Apple execs met with Schneiderman and San Francisco District Attorney George Gascón, but the company was already doubling down on software security. Pre-release versions of iOS 7 already included an "activation lock" feature, which requires users to enter a valid Apple ID to authenticate the device. This de facto "kill switch" is designed to bolster the device's security at a software level.

This technology could change the entire personal security landscape.

While a password can be as secure as a four-digit code or lengthy alphanumerics, a fingerprint could become the gateway to Web-based authentication — something not too uncommon in this day and age where we make payments electronically or wirelessly from our smartphones.

The app ecosystem will now be able to tap into a reliable and secure mechanism that can authenticate the person, not the device or the data, as the digital signature behind transactions and decisions. The possibilities extend as far as in-app purchases, banking, and connecting to virtual workplaces, while at the same time reducing accidental app and game purchases and adding an extra layer against malware.

While Barrett remained optimistic that this year more devices will contain identity management and security technology, he was less so about the death of the password. "Passwords won't disappear overnight," he said.

However, Apple has fired the starting pistol on what it sees as the future of security and online identity, with a layered and multifaceted idea of how we connect with our devices and how our devices represent the user on an identity level.

This article was first published on CNET.


Talkback

45 comments
  • Apple has the gift...

    ... of turning something that nobody cares about into something everybody feels they must have.
    Having said that, I doubt fingerprint authentication is going to be the future of security. It's nothing new and its use on computer devices must be really small. Critical access requires something stronger than fingerprint security; as is pointed out in the article, this is a flawed technology.

    Stolen mobile devices pose a big security problem, but I don't see average consumers much worried about it - I don't see many using face unlocking or pattern unlocking (...) on their phones - but this is a personal perception, maybe very flawed.
    AleMartin
    • Only at the beginning in the past

      Siri and FaceTime are some things that "everybody feel they must have" at the beginning, but most people don't care about these features after one month.

      Fingerprint authentication is not something that many people really care about. I got lots of friends who never set any password for their phones. It is useful but it is unlikely to attract everybody this time.
      Rockchan
    • Security

      The purpose for the fingerprint security will be things like banking apps written to use it, not to secure the phone itself. It will become a bigger market as mobile banking continues to grow. Authorizing payments by fingerprint is much more secure than authorizing by password.
      hayneiii@...
  • The question will be how good is the reader and the recognition software

    The real problem with the various biometric systems is that in pushing down the price point, the security of the device is pushed down even more. I've dealt with firms that were developing these and it is scary how easy it was to convince the device that this replica was the correct fingerprint. In many cases there was nothing needed you would not find in a modern office to achieve a fingerprint that was recognizable for a colleague.

    Hopefully the Apple reader is better than that, but until it has been fully tested out saying that this helps BYOD security is nonsense.
    oldsysprog
    • the REAL question...

      ...is this: how long before the NSA has access to the largest and easiest to get fingerprint database?
      PsauQro
      • I think they have an app for that already

        Just kidding... but maybe they do :)
        AleMartin
      • It's only stored internally on the device

        so there's no "database" for anyone to hack.

        Not to say that someone isn't going to try to find a way to hack into the system itself to access the fingerprint data, but that would have to then be done individually on each phone.
        spdragoo@...
        • I don't trust apple

          "It's only stored internally on the device"

          I don't believe that this is true.
          toddbottom3
          • Evidence?

            ... anything at all?
            ClearCreek
          • Oh Toddy!

            We have no doubt that you don't believe anything that Apple says as the truth.

            Why are you still sore that Jobs fired you? Get over it man!
            Gr8Music
          • You can't make this stuff up.

            The tinfoil hat club is so blinded they will make anything up. Seriously.
            Bruizer
          • Just because your favorite company cannot be trusted

            Doesn't mean others can't. It's your favorite company, Mr. Microsoft MVP, that has WP send data dumps to remote Microsoft servers, collects a copy of every text, every webpage you read, every Skype video call, every voice call from your Lumia phone. All of which is stored "Un-encrypted", so it's easier for them to comb through.
            Troll Hunter J
      • A Real Hacker Outside There

        great for pro hacker outside there
        Anonymous1511
      • Seriously?

        They already do. Medical records give them fingerprints and footprints.
        Champ_Kind
  • Asian market

    Despite the problems in the Atrix I expect the fingerprint readers in the Asian smartphones had ironed out the wrinkles. I'm very surprised that companies like Samsung didn't offer that feature in their flagship phones here.
    MajorlyCool
    • Re Samsung didn't offer that feature in their flagship phones here.

      It will definitely be in the next Galaxy model. With "better" spec than Apple's.
      danbi
  • Biometrics are not the future...

    This concept of expecting biometrics to replace passwords is at best naive. Those of us who have been working in the infosec industry know that biometrics have significant problems with consistency. People are going to find out that they are going to have problems logging in after their fingers are cut, burned, or even if they wash their hands. After you do your handwashing, the water will have an effect on your fingerprints that will create false negatives.

    Another problem is that it is easy to defeat. While people may not believe it, the tests performed by the Mythbusters that copied fingerprints from everyday items and then used them on allegedly secured locks can happen.

    I would highly recommend that if you use the biometrics, make sure that you use whatever backups are available. Make sure passwords are set and other measures are taken, because if something happens and your fingerprint will not work you will not be able to get into your phone.
    sbarman
    • The print reader on the iPhone works off capacitance

      the subdermal layer and 3D topography of the print. It's pretty much immune to all the things you mentioned.
      baggins_z
    • you can copy sub-dermal layers?

      http://www.apple.com/iphone-5s/videos/#video-touch

      It is claimed to read sub-dermal layers, which is currently impossible to copy, without removing a person's finger.
      Troll Hunter J
  • Glad someone else cited Mythbusters

    Admittedly, the Mythbusters got the best result when they enlarged the print, improved it with marker pens (to fill in gaps), and reduced it, then put it on, if I remember correctly, something similar to rubber cement. Not as easy as it sounds, but if you're the butler to Mr. Gotrocks and he's stiffed you for raises in the last ten years, you might be tempted to put out some extra effort. Not to mention if you are spying for your country.

    Fingerprints may be stored inside the phone (possibly as a one-way hash code), but Siri is another matter. Considering that Siri does NOT interpret the user's voice inside the phone, but instead sends it to an Apple server, and after interpreting the query, saves both the decoded query and the voice sample by account, to make future interpreting faster, and considering that Google has a similar system for Android phones, it may be possible to hack into the Apple or Google voice servers and mine the data for a given account to get a voice profile that enables a computer to create a voice sample of ANYONE using those services speaking ANYTHING the hacker wants that person to say. They could make "you" do anything from calling your boss and cursing him out as "you" quit, to making a radio clip (or with help from good animators, a video clip) of a celebrity or political figure "saying" something incriminating or alienating to voters, to creating a "confession" during interrogation for a crime, in order to frame a suspect.

    If the hacker was REALLY good, the imitated voice could even fool a voiceprint security device that is designed, in order to thwart a simple audio recording, to display a random phrase and ask for the phrase to be spoken by the authorized user.

    So if you have an iPhone with Siri, or the equivalent feature on your Android, and this idea frightens you, ask a different friend, at random, to say each query for you. Just imagine what the Republicans in 1940 could have done with the ability to imitate FDR telling someone on the phone that he "likes Hitler, but doesn't want to lose the Jewish vote."
    jallan32