New iPhone fingers security with prints over passcodes
Computer security specialists say fingerprint recognition technology is a welcome move; but they also note that it is not flawless, and resourceful hackers will still craft attacks.Updated: Sep 12, 2013 11:24 IST
With the swipe of a finger, Apple could jumpstart a new era of smartphone security and strip away fear of tending to banking or other business on mobile devices.
Fingerprint recognition technology built into a sophisticated iPhone 5S set to hit the market on September 20 was hailed by computer security specialists as a welcome move that rivals will likely rally to match.
"It could be amazing," Lookout principal security researcher Marc Rogers told AFP on Wednesday.
"What is going to happen really depends on Apple's implementation," he continued. "We've seen Apple take obscure technologies and make them mainstream overnight."
Apple on Tuesday unveiled two new iPhone models, one of them a top-of-the-line 5S with innovative features including a fingerprint sensor to use as a security measure in place of passcodes.
"You can just press the home button to unlock your phone," Apple vice president Phil Schiller during an event at the company's Silicon Valley headquarters. "You can use it to authenticate iTunes purchases."
Schiller added: "We have so much of our personal data on these devices, and they are with us almost everyplace we go, so we have to protect them."
Reticle Research principle analyst Ross Rubin described Touch ID as a "show stealer" that addresses "a necessary annoyance that many consumers have to deal with many times a day."
Studies by Apple and Lookout, which specializes in protecting smartphones and tablets from hackers, show that less than half of smartphone owners protect handsets with access codes
A camera sensor built into the 5S home button at the bottom of the smartphone face peers deep into layers of skin to analyze loops and swirls of fingerprints.
Data from fingers is stored exclusively inside the sophisticated Apple-made chip that powers the smartphone and is refined every time Touch ID is used, according to Schiller.
"The company says that fingerprint data is encrypted and not sent to its (or anyone else's - sorry, NSA) servers," security researcher Graham Culey said in a blog post, making a reference to reports of US spying on the Internet.
Touch ID lets 5S owners store as many as five fingerprints, meaning people will be able to let spouses, children, or others they trust share access to smartphones.
Combining fingerprint recognition with "second-factor authentication" such as verification codes ramps up smartphone security tremendously, according to Rogers.
"Imagine a banking application that lets you press a fingerprint to gain access, but to transfer money you also enter a four-digit code," Rogers said.
"It could make mobile devices more secure than their desktop counterparts."
Whether Touch ID transforms mobile commerce is likely to depend on how Apple shares the technology with the creators of applications tailored to run on iPhones.
"It is not unreasonable to imagine where Apple might go in the payment space for things outside the Apple ecosystem with a PayPal or Square type function," said Forrester analyst Charles Golvin.
"Some aspect of doing commerce in the real world is on the horizon for Apple."
Computer security specialists note that fingerprint security is not flawless, and resourceful hackers will still craft attacks.
"Your fingerprint isn't a secret, you leave it everywhere you touch," said security researcher Bruce Schneier.
Fooling some of the better fingerprint sensors with rubber fingers is difficult, but possible, according to Schneier, who noted that a researcher in Japan managed the trick more than a decade ago with candy gelatin used to make Gummi bears.
"The best system I've ever seen was at the entry gates of a secure government facility," Schneier said.
"Maybe you could have fooled it with a fake finger, but a Marine guard with a big gun was making sure you didn't get the opportunity to try."
Touch ID also prompted speculation about movie-style scenarios in which someone's digit is lopped off to unlock a stolen smartphone.
Security specialists thought the gruesome tactic unlikely, especially since PIN code access will likely remain in place as a way to get access to a smartphone if something goes wrong with the fingerprint scanner.
"It's inconceivable that malicious hackers and data thieves won't try to subvert Apple's Touch ID fingerprint scanning technology," Cluley said.
"How capable they will be at doing that, remains to be seen."
First Published: Sep 12, 2013 09:58 IST