Apple’s TouchID — A story of security, or convenience?

Everybody today seems to be either panicking or screaming murder at Apple because of the “revelation” by the CCC that TouchID – the new fingerprint-scanning technology in the iPhone 5S – is extremely easy to bypass. I find this both non-news and actually quite boring.

So first of all, what is this about? Well, basically it’s possible to lift someone’s fingerprint out of a glass or something, and then use that to reproduce a copy of the fingerprint, and use that to unlock the phone. I would argue that it’s probably possible to lift the fingerprint out of the phone itself, if you really want.

Why am I not excited by this method like it was a new discovery? Simple, because MythBusters used the same idea back in 2006 to work around a fingerprint-based lock. And even at that time it turns out that the fingerprint scanner from the lock, which was actual physical security, was less picky than the one from an USB device. Not surprising, as it looks like the lock only had an optical scanner.

Please don’t get me wrong, CCC did the right thing, it’s just that I don’t think it’s a new technique as some people try to paint it.

So, if TouchID is this easy to bypass, is it a completely useless move from Apple? Or, as some paranoids seem to tell it, is it a willing move from Apple to make their users less secure so that governmental agencies can more easily get data out of phones? Well, one thing is for sure: it’s not a more secure method than the PIN lock that has been available up to now.

On the other hand I’m not that quick to ascribe all of this to malice, as many do. Nor to incompetence. The problem is that the choices are not between PIN and TouchID — the choices are between PIN, TouchID and absolutely nothing, and a lot of people have been decider for the latter, because of the trouble into putting in a 4-digits PIN every time you want to use the phone. Yes I know, and most of you readers know, that an unlocked phone is an idea that goes into the absolutely stupid, but most people use iPhone because they want something that does not get in your way, as Android can easily do.

I don’t use an iPhone, although I do have an iPad, which I use less and less, and an iPod Touch by which I swear. I need the flexibility of Android.

Security conscious people are unlikely to move away from PIN – so their security is not going to be compromised, although I would have liked more than 4 digits – but people who were not using a PIN before, because too inconvenient, are more likely to use TouchID now. Which improve their general privacy.

A similar concept comes up if you look into passwords management: using a password manager/wallet is an option but you still have to come up with passwords. What most people realistically do, is to use always the same password, because it’s convenient. And extremely insecure.

On the other hand you have solutions like SuperGenPass that generates passwords out of a master password and the domain name. This is the solution that a colleague of mine suggested to me and that I’ve been using now for a while. It’s still not perfect security: if an attacker gets a hold of hashes and can get to the password through rainbow-table, it’s still possible to recover the master password… it’s much harder for the attacker in that case since you need multiple rainbow tables. And that’s supposing that they can identify the SuperGenPass users at all.

Update 2021-04-10: do not use SuperGenPass! As I wrote a few months after this post, SuperGenPass has significant limitations, and I would recommend everyone to instead use a proper password manager instead. I’ve migrated to 1Password and while not perfect either, it’s significantly better than SuperGenPass and similar approaches.

Here’s it what it boils down to: will TouchID make it so inconvenient to iPhone thieves on the street to try taking your phone on the go, compared to no PIN locking at all? Yes, most likely. Which basically means that its goal was reached. Will it prevent sophisticated thievery, or more targeted attacks? No, but a 4-digits PIN is unlikely to be much better, as you have just so many combinations.