Thoughts on Apple’s Touch ID Fingerprint Reader

I’ve been using my new Apple iPhone 5S for long enough now to form an opinion about Touch ID, its built-in fingerprint reader.

As a security person, I feel the need to set an example when securing my personal data. For that reason, I set a complex (6-digit) PIN on my iPhone. That’s great, but I have to re-enter it every time I pick up my phone (about once every 5 minutes, throughout my working life!). That’s a big nuisance, and it’s probably why roughly 50% of iPhone users pre-5S didn’t set a PIN. But with the fingerprint reader, I can unlock my iPhone quickly and easily. Now, about 80% of iPhone 5S users set a PIN and register themselves to use the fingerprint reader. That’s a significant security improvement.

How secure is Touch ID? In theory, it can be broken: if you have a fingerprint image for the correct finger, you can create a fingerprint overlay for someone else to use. That’s not trivial to do, however (see this link to understand just how difficult it is). To succeed, you’d need to execute a targeted, carefully-planned military-style operation. Touch ID may not be good enough for nuclear launch codes, but it is good enough for my photographs of cats.

Touch ID doesn’t store fingerprint images in the cloud; it stores them in a special location on the iPhone’s A7 chip, called a secure enclave. It doesn’t store the image in an externally usable form; it stores a mathematical representation derived from it, from which it shouldn’t be possible to reconstruct the original image. Apple claim that even they have no access to this.
