Does the iPhone 5S Fingerprint Tech Make You Safer?
Apple’s biggest contribution to the technology world has been its ability to bring order to chaos. The iTunes music service is the best example of this: before iTunes, the world of music downloads was the Wild West. There were outlaws, like Napster and its rivals, who ran clunky attempts to commercialize the rogue industry out of town. Apple changed all that by making the music download experience uniform and simple.
The most promising element of Apple’s new fingerprint scanner, announced as part of the new iPhone 5S on Wednesday, is the potential to bring order to the chaotic world of personal gadget security. The Touch ID system will let users wake up their phones with a simple finger touch. It’s a big step forward, but it shouldn’t be mistaken for a big step forward in security; it’s more of a big step forward in convenience and a small step forward in security.
Let’s get this out of the way first — Apple will have to provide some alternative mechanism to unlock phones, and that means hackers and criminals will be able to circumvent Touch ID. Fingerprints suffer damage (kitchen cuts!) and fingerprint readers break. Apple will have to offer the equivalent of a password reset option to those folks, and just like all other “lost password” retrieval systems, that will almost certainly be the weakest link in the chain. By definition, it can’t be any stronger than current systems. Touch ID will be easier to use than PIN codes, resulting in happier (if not much more secure) users, and that’s why Apple is adopting it.
Security Is (Somewhat) in the Hands of the User
That said, we’ve already heard a tremendous amount of catcalls from geeks since the announcement of Apple’s Touch ID, describing all the various horrible things that can happen to users. Fingers can be cut off and used to unlock stolen phones, certainly. It’s possible that prints can be lifted off martini glasses in bars and molds made, also, though there’s hope that Apple’s capacitive sensor system will make that harder to do.
However, it’s this kind of hand-wringing that has crippled the security industry for years, prevented implementation of all sorts of creative security technologies, and left most users with a 50-year-old user/password system protecting most of their digital lives. While a strong password stored only in a user’s brain is the most secure system we have, in reality most users pick horrible passwords. Many iPhone users don’t even bother setting a four-digit PIN, those who do pick common codes like “1234,” and countless others wouldn’t bother if their e-mail server didn’t insist on it.
In the real world, making security more convenient also makes it more secure, because behavior is more important than technology. A strong password is no good when it ends up on a post-it note tacked to the monitor.
For years, researchers have been talking about the “death of the password.” In the past, I’ve predicted that passwords wouldn’t die until there was a truly horrendous security breach, such as a million people losing money via online banking. Last year, millions of passwords were compromised at brand-name sites like LinkedIn, but people barely reacted.
Part of the reason: There are far too many alternatives in the security world, each one with theoretical (and real) flaws. Voiceprint systems can be hacked via recordings, Hollywood has shown. As with fingerprints, retina scans are subject to, ahem, physical attacks. Facial recognition, used by some smartphones now, is so clunky that it hasn’t caught on. Token counter keyfobs, popular with high-security firms, are subject to theft of the counter creation formula.
All those flaws have been enough to make tech companies shy away from adding security tech to all but the most security-conscious employees, ending any possibility of agreement around a standard. Apple is one of the few firms to create such a standard, and it’s possible Touch ID will accomplish that. Users will get used to flashing their fingerprint to unlock a gadget, and it’s easy to see how the standard could spread to other devices.
Sure, fingerprint readers can be tricked, but the biggest security problem Apple faces at the moment is theft. Law enforcement officials say Apple gadgets have actually caused an increase in crime. Will street thugs who rip iPhones out of subway riders’ hands be able to create fake fingerprints on a mass scale? Perhaps a supply chain might develop, but I think that’s far-fetched, and it will be expensive, making theft less lucrative.
Moving Beyond the Password
Should fingerprints become a standard? Let’s review the conceptual options at play for security firms who want to move beyond the password. Security techs fall into four categories:
- Something you know (passwords)
- Something you are (fingerprint, retina)
- Something you have (debit card, keyfob)
- Something you do (how you type, how you walk)