Let’s clear this up. Correctly.

A lot of people are panicking over Apple’s fingerprint sensor, TouchID. From Apple-haters to journalists, there’s a lot of crap-talk about why TouchID is quite insecure and how Apple’s assurances about fingerprint-data security are actually weak.

Let’s first understand TouchID in its true context. The TouchID is often talked about as a replacement for the passcode but in reality, it’s just a faster way to authenticate things where a passcode is used. So basically, it’s not a replacement but a quicker way to enter the passcode.

One of the sillier arguments against TouchID that we hear a lot revolves around the recent NSA snooping and how fingerprint data might be leaked to the authorities. Let’s just go back a little and remember that your fingerprint data is all over the place already. The government already has it through a lot of forms, so if the NSA was going to pick up your data, they wouldn’t have to go to Apple for that.


Secondly, what if hackers get into TouchID’s secure enclave within A7 and lift that data? Re-engineering a text/numeric data into a fingerprint image is not possible, according to Apple and this kind of a security is all-too common and effective. What happens when you place your finger on the home button is that your fingerprint image is scanned, converted into encrypted data (not image anymore) and then it is cross-checked with the encrypted data that exists within the enclave.

The third concern – and probably the only genuine one – is this: what if someone gains access to your iPhone and uses a fake fingerprint to authenticate? This is important because The Verge reports that hackers have gained such access.

In this case, the first line of reasoning would be this: if your iPhone – without TouchID and with only a passcode – gets into the hands of the wrong people, I think that poses an equal risk of data and identity theft. TouchID isn’t the culprit in that scenario.

However, it’s true that if someone gets your iPhone 5s and has a fake copy of your fingerprint that can be used to authenticate the iPhone 5s, things can go bad. Purchases can be made. Data can be accessed. And if you’re so dependent on your iPhone 5s, credit card data might get lifted.

But, by and large, TouchID is actually a positive step forward despite all the hate and skepticism that surrounds it today. It’s a huge step forward in usability and security because succeeding with a fake fingerprint is far less probable than hacking your passcode.

  • Bill

    Are you paid by Apple, or just really badly educated in the field that you’re employed in?

    “So basically, it’s not a replacement but a quicker way to enter the passcode.”

    Yes, basically it is a way to replace the passcode. There is really no way at all you can argue that it isn’t a replacement for it, since it replaces it.

    “Let’s just go back a little and remember that your fingerprint data is all over the place already.”

    No.. It isn’t. The vast majority of people have never given their fingerprint away. Yes, it could be extracted at a low resolution fairly easily from things you have touched, it’s unlikely the government does this as it would take a lot of man-hours verifying that it was actually your fingerprint and that it was clear enough to be useful, but possible.

    Getting it at a high resolution like the iPhone does, is just ridiculous to think the government has this for the majority of people. Without purposefully having your finger scanned it would take a huge number of incomplete fingerprints that you leave behind, or secret spy cameras on things you touch. The man-hours and the level of secrecy required to do this are clearly too high.

    “Secondly, what if hackers get into TouchID’s secure enclave within A7 and lift that data? Re-engineering a text/numeric data into a fingerprint image is not possible, according to Apple and this kind of a security is all-too common and effective. What happens when you place your finger on the home button is that your fingerprint image is scanned, converted into encrypted data (not image anymore) and then it is cross-checked with the encrypted data that exists within the enclave.”

    Utterly wrong. Encryption is most certainly not impossible to break. In fact, it is designed to be breakable. Encryption requires it to be slow enough that breaking it on existing computers via brute force is impossible, i.e. lifetime of the universe sort of timescales, but fast enough that it can be verified quickly so you can actually use it. Hence, encryption by necessity is not secure forever. As computers become faster, new encryption standards are used as old ones become completely broken since new computers are fast enough to break it. Look up old encryption standards, they can now be broken just by typing them into Google.

    The data is most likely safely encrypted at the moment (though possibly not with how the NSA has inserted backdoors into many encryption methods) however it definitely 100% certainly will not be secure forever, by design. Using fingerprint ID at the moment is guaranteeing that your fingerprint will be stolen after 10 or so years. Fingerprint ID will by necessity not be secure until (at least) the end of Moore’s law is reached, and even then only assuming that it can be proven that the encryption cannot be broken by a method other than brute force (which isn’t known yet, it is possible that for instance P=NP and a polynomial time method of factorization will be found)