Thoughts on Apple’s Touch ID Fingerprint Reader

I’ve been using my new Apple iPhone 5S for long enough now to form an opinion about Touch ID, its built-in fingerprint reader.

As a security person, I feel the need to set an example when securing my personal data. For that reason, I set a complex (6-digit) PIN on my iPhone. That’s great, but I have to re-enter it every time I pick up my phone (about once every 5 minutes, throughout my working life!). That’s a big nuisance, and it’s probably why roughly 50% of iPhone users pre-5S didn’t set a PIN. But with the fingerprint reader, I can unlock my iPhone quickly and easily. Now, about 80% of iPhone 5S users set a PIN and register themselves to use the fingerprint reader. That’s a significant security improvement.

How secure is Touch ID? In theory, it can be broken: if you have a fingerprint image for the correct finger, you can create a fingerprint overlay for someone else to use. That’s not trivial to do, however (see this link to understand just how difficult it is). To succeed, you’d need to execute a targeted, carefully-planned military-style operation. Touch ID may not be good enough for nuclear launch codes, but it is good enough for my photographs of cats.

Touch ID doesn’t store fingerprint images in the cloud; it stores them in a special location on the iPhone’s A7 chip, called a secure enclave. It doesn’t store the image in an externally usable form; instead, it stores a mathematical representation derived from the image, from which it shouldn’t be possible to reconstruct the original. Apple claim that even they have no access to this.
