On the Effective Security of Touch ID

Marc Rogers, on Touch ID’s susceptibility to high-quality spoofed fingerprints:

Touch ID is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.

Clearly Touch ID is better than no passcode at all — which Apple claims is how the majority of iPhone users (and smartphone owners in general) have their devices configured. Further, I think it’s better than a 4-digit PIN. It seems far easier to me to spy on someone entering their PIN than it would be to capture a high-resolution fingerprint (from their correct finger) and reproduce it in a way that works to fool Touch ID.

(The new lock screen PIN entry UI in iOS 7 might even make it easier than before to snoop someone’s PIN.)

Tuesday, 24 September 2013