Fingerprints are Usernames, not Passwords (dustinkirkland.com)
587 points by jcastro on Oct 1, 2013 | 255 comments



All these academic arguments about the security of fingerprints are interesting but are completely detached from the day-to-day use of TouchID.

I've been using it for about a week or so now. It's incredibly convenient. It unlocks my phone almost instantly. It prevents random people near my phone from being unable to unlock it. If a thief got their hands on it, they'd have a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.

All in all TouchID basically removes almost the entire burden from the security of having a locked phone. It's actually faster to unlock my phone with TouchID than codeless swipe to unlock, so it's a no-brainer to turn it on. It doesn't matter that the NSA probably has my fingerprints, in practice it prevents most people from getting into my phone in a way that is transparent and easy to use. If the spooks want my data, they can already get it.


I think your response raises an issue of perspective. Are we focusing on fingerprint technology from a user's point of view - or are we considering its implications over many years?

This reminds me of certain U.S. Supreme Court decisions. As someone who's interested in constitutional law, I often find myself defending things that seem trivial and nitpicky. Why does it matter if the police enter one drug dealer's home without a proper warrant? Who cares if we restrict someone's speech, considering that the person was, say, a racist whose ideas were ignorant and offensive?

Of course, the content in this analogy is very different. I'm not comparing fingerprint scanners to crimes. But the logic is very similar: when judging law and technology, respectively, it's important to consider how seemingly small decisions serve as precedents for bigger trends.

If fingerprint scanners become a common replacement for passwords, and the author's argument is correct, the scanners may dramatically change our security and expectations of privacy.


Consider the thorny issues of courts forcing people to turn over passwords to decrypt phones to implicate themselves. Typically, it's a constitutional tarpit as you should not be forced to implicate yourself.

However, your fingerprint is a username in that case because it is all over the place. The police already have it. Don't be fooled, there are certainly kits being sold to law enforcement to dupe TouchID. Your data is less protected from those that you'd probably prefer not have easy access to it now.


This is a disadvantage only when you are on trial. That's a pretty extreme contingency, and I think most people who aren't internet privacy advocates wouldn't be particularly worried about their phones, of all things, after they've been arrested and indicted.

Outside the HN bubble, this is an acceptable tradeoff. People who are concerned can continue to use passwords.


Outside technological bubbles, people don't understand the implications of technology in regards to security and privacy. You're speaking about "tradeoffs" however people don't understand the tradeoff and will think fingerprinting is secure, because look, Apple is doing it.

Therefore it is up to us to make the right choices. That we aren't doing it, choosing instead to defend flawed technological improvements and the companies doing it, is very regrettable.

> This is a disadvantage only when you are on trial. That's a pretty extreme contingency

No dude, that's not the only thing that can happen and it's in no way extreme. Many people do go on trial for trivial things (because shit, in the US at least, suing people is a way of life) and your laptop or phone contains your most secret conversations and desires, being the ultimate incrimination tool, a digital fingerprint of your own mind.

And you don't have to be on any trial. You don't even have to be a suspect in an investigation. It can happen and has happened for laptops or phones to be seized for inspection during routine filters, like by the airport security.

Also, in the US you may live under the rule of the law. What about countries where oligarchies rule, countries where corruption is the norm? What about countries like Russia, China, India or Brazil?

Just today I read about a story about this traffic cop from my own country that had the bad inspiration of doing his job by fining his own boss for ignoring a red light and exceeding the speed limits. He was later accused of all sorts of bullshit and had to fight it in a court of law for 2 years before he was exonerated.

And technology evolves and our devices are gradually becoming our stored memory. What do you think these corrupt officials or organized crime syndicates could do with your own mind, 10 years from now? A lot dude ;-)


It's easy to say that now while you're not on trial. What happens if the day comes where you are on trial, for something you may or may not be guilty of and what you have on your phone could potentially incriminate you, corroborating false accusations? We see it all the time, information is translated out of context and used in ways it was never supposed to be interpreted. It happens all over the media, it happens in smear campaigns in politics, it happens any time someone wants to get ahead of you on the promotional ladder. It's too late to come back after the fact and say "Well shit, I guess I should have considered the implications of that technology being used against me when I considered it just as a convenience." Sure, it's convenient. I get that, we all do. But if you don't consider the price of that convenience up front, you can't come back and complain that it was used against you afterwards.


Also, configurable after a few hours it can ask the password anyway. A trial and being compelled to place your finger on the phone goes way beyond that. Or if they're going to beat you over the head with a metal pile regardless to unlock then the difference between a passcode or your fingerprint becomes meaningless.


That's too black and white. Is there nothing that you would give your life for? There is nothing worth dying for? Maybe you should think less of convenience and more about living a life worth living.


Not just on trial; on trial with incriminating information that's exclusively available on your iPhone and stored unencrypted without any additional passcode or password protection.


>Outside the HN bubble, this is an acceptable tradeoff.

I'm glad you have been deemed worthy enough to make that decision for the rest of the population that doesn't understand the implications of what they are getting into.


> a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.

Are you saying that random people can pick up your phone when you go to the bathroom, touch the home button 3 times, and then enter "1111" 10 times, and wipe your phone? Is there some protection against this?


It starts throttling attempts before going full lockdown. But, yeah, don't leave assholes alone with your phone.


There's some aphorism about "assholes" and children which my brain thinks fits here but that same brain won't recall what it is.

Anyhow, my initial thought was, perhaps not an asshole but a child? I could see a child playing with the phone and wiping it in quite short time. But other commenters pointed out it's not the default and there's cloud back-up, so it doesn't seem a major problem.


The attempts go up quickly. First try, wait a minute. Then 5, then 10, then 30 mins, then an hour, 3 hours, a day, a week etc.


My friend's 12-month-old baby reset the unlock code on her mother's phone and they ended up having to wipe it completely in order to recover.


This is completely unrelated, but why do people say "12 months", "18 months", and "24 months" rather than 1 year, 1.5 years, and 2 years? I don't get it. I'd understand if they're younger than a year old (eg "My son is seven months old!"), but not once the age can be expressed in years.


It's a really neat question, and as a new-ish parent I've given it some thought. In fact, there's even another layer to it: shortly after birth, people tend to count in weeks rather than months.

My guess at an answer is that human beings are more comfortable thinking about numbers that are small integers (between 1 and 20 or so?), and that (roughly speaking) we often want to be able to give a bit more precision than you'd get from just "1" vs. "2".[1]

So for baby growth, parents will talk about how many days old their child is for the first week or so, and then use "weeks" for the first few months, and then use "months" until they're around 2 years old. (There's also a real sense in which the pace of child development seems to progress on a sort of log scale: change is very rapid at first, but gradually slows down. The use of different age units seems to roughly parallel that.)

As an aside, this same human preference is presumably also why the English developed different units for (say) inches, feet, and miles rather than using one of those units for everything. [Side note: is there any common English unit between yards and miles? I grew up using "blocks", which is handy, but that's pretty city-specific.]

[1] By "precision" I'm thinking more or less about "relative uncertainty". If you assume that an integer value is accurate to within +/- 0.5, then the percent uncertainty on 1 or 2 is so large as to make the information almost useless, while the implied uncertainty on a big number like 50 is probably smaller than is justified for most contexts.


Chains & rods are what first sprang to mind, but I don't think they were ever common. The definition of 'furlong' from http://physics.info/system-english/ makes it seem like it could have been in common usage:

  Literally, the length of a furrow. A sensible length for
  farmers that later evolved into the acre, which is discussed
  later in this section. A standard furrow is 220 yards long
  or ⅛ mile

Google's ngram tool makes it seem like it was never a contender with the yard, mile, or league.


Furlongs still are in common usage in certain applications. Horse racing, particularly.


Blocks is a good one, although it's not a formal unit, I generally tend to associate it with about a 1/10 of a mile.


Babies grow fast, so there can be a fairly large difference between twelve months and fourteen months, or fourteen months and eighteen months. You can't express those values well in decimal format, so you can't discuss milestones and development in decimal format. My experience is that people usually switch over to years once the child is older than two.


Because there's a lot of difference in development even from month to month, so the extra resolution is needed.


I've read the other replies and my answer is pretty different. I think this has to do with a fact that up until 24 months many toddler-targeted things are spoken of in such fashion:

- Clothes are sized in months 0-3, 3-6 etc.

- During doctor visits you discuss developmental milestones expressed in months.

Etc. You get used to it, since at that age the development of a child is extremely condensed and years simply don't provide enough resolution.


Because numbers like the following are less clear:

- 1.0833 years old: 13 months

- 1.4166 years old: 17 months

- 1.8333 years old: 22 months

So, is it easier to use years on the clean decimals and months whenever it gets hairy, or to just settle on months?


Protection against what? That is the desired behaviour of most people. And if it isn't then you can simply disable the behaviour.

It's not like you will lose data since it is backed up to iCloud.


I think you misunderstood. The person entering bogus passwords is not a thief, but an otherwise trusted prankster. For example, a brother.


This has always been available as a setting on iOS and it is not the default. Most companies though will install a profile which enables this to a custom value of retry attempts if you add the company email (typically Exchange) account to your phone.


> Protection against what?

Um, protection against random people wiping your phone maybe?


How do you expect the phone to distinguish between "password entered 10 times incorrectly by asshole" and "password entered 10 times incorrectly by thief"?

If this is a problem with your circle of friends: find new friends, or disable this feature.


Even without TouchID, iirc on previous iPhone models entering an invalid password 10 times would trigger a wipe. So not a new threat -- just balancing maintaining the confidentiality of your data with the DOS risk.


Well, you do have to explicitly turn that option on. It's by no means a default.

If you use the iPhone Configuration Utility, you can even reduce the attempts down to 2 before it wipes itself.

I guess it's useful in circumstances where the data on the phone is more valuable than the phone itself.


That is no different than the current situation - enter the PIN code in wrong enough times and phone locks down. There's just an additional (print reader) barrier in the way.


Yes, back up your data.


Please don't delude yourself into thinking this is any safer against the typical kind of smartphone theft.

Thieves will offload the phone to someone using software explicitly designed to wipe electronics to be resold.

Whether they are wiping an iPhone that happens to have touch ID or not is only relevant towards the resale price once it's wiped.

Clearly Apple marketing works, as it's somehow convinced a member of (I'd hope) a more technical audience that their electronics are somehow safer against thieves.


I'm not protecting my phone, I'm protecting my data. It does a pretty good job of that. Don't think we're somehow deluded for thinking that the data is the more valuable part of the thing.


The most important distinction. Someone who wants your hardware doesn't care about the data, and will wipe the phone (although this is where iOS 7's Activation Lock comes in). And, if they want your data, they will figure that out, too. Touch ID is just a deterrent, same as a password or PIN, just to varying degrees.


Uh, no. Of course it doesn't prevent theft. (Though the new 'wipe the phone in 10 tries' thing may deter it, separate from TouchID, I'm not sure.)

The point is that with TouchID (as opposed to no passcode) the thief will not be able to send porn to my mom or read my text messages before they wipe the phone.


And with iOS7 they're going to have a harder time wiping it because phones are now locked to your Apple account. So they need your Apple account ID and password to wipe it.


I wonder how much targeted attacks to recover that go for on the black market? Would the phone thief still make a profit?


An iPhone that is wiped, even in DFU mode, requires the Apple ID and password immediately after it is booted for the first time.

Basically, a stolen iPhone is only worth the sum of its parts so they can be used to repair other phones.


How does this work? I sold my old iPhone to Amazon. I never reported it "unstolen" or whatever to Apple. Amazon paid me $200 for iPhone parts?


It's new in iOS 7. You'll have to explicitly wipe & reset your iPhone before selling it from now on.

So if it works as advertised, stolen iPhones and iPads will only be worth the sum of their parts.


Hmm. After upgrading my iPad to iOS 7, I changed my pass code. Which I promptly forgot. I had to reset it from iTunes, on a computer which had never paired with the iPad (in fact I had to download iTunes to do this). When the iPad restarted it asked me for my Apple ID but that seemed to be for the iCloud restore. I think I could have skipped it and had a functioning iPad. But apparently not?


Nope. The Apple ID is necessary to restore in iOS 7.


removing that wipe feature would be a nice tidy way to destroy the secondary market for iphones...

did I just predict iOS8?


No.

Apple are perfectly happy with the second hand market for iPhones.

I've just ordered a 5S. It's costing me £709. My iPhone 4S 64Gb is worth about £200 second hand. Even a new 8Gb 4S, the cheapest model available new, is £349.

Anyone interested in my second hand phone was almost certainly never going to spring for a new iPhone.

The market for second hand iPhones does next to nothing to cannibalise the market for new iPhones (which Apple cares about) and strengthens the iOS ecosystem (both by bringing in new customers who might buy apps, music and movies but also keeping customers away from competing platforms).

There's more upside than downside for Apple in second hand iPhones.


With iOS 7, when you select "Erase All Content and Settings", it will disable Find My iPhone after prompting you for your Apple ID password.

http://support.apple.com/kb/HT5818


No one thinks it will deter thieves. It will make it more difficult for thieves to offload the phone (however marginally), and will give you time to use Find My iPhone, wipe it remotely, or brick it before your data gets compromised. As someone who did not use a passcode who recently had a phone stolen, I can tell that this is valuable. Also, why don't people focus on the real convenience - purchases by fingerprint scan?


I think any reference to improved protection against theft has to do with iOS 7's new feature of requiring an Apple ID even after a wipe.


s/TouchID/Face Unlock/g and back up about 2 years and you can find all the same things said about Ice Cream Sandwich.

It's a cute feature. It's not going to change the world, sell another billion phones, push other companies out of the market, or save anyone from serious attacks. It's probably a good idea to enable it anyway.


Except TouchID, from what I gather, actually works. Not "works" in the sense of keeping bad people out, but "works" in the sense that when I use it my phone unlocks. I tried face unlock briefly on the Google Nexus I've got and disabled it shortly after when I found that it was unreliable. Poor lighting, too much lighting, a bad hair day, it wasn't even at 80% for successful unlocks.


> Not "works" in the sense of keeping bad people out, but "works" in the sense that when I use it my phone unlocks.

I think that's the key distinction here. In any given authentication scheme it's important not to have false positives (incorrectly identifying a bad guy as you) or false negatives (incorrectly identifying you as a bad guy). In this case false positives break security, false negatives break usability. However, false positives won't outright stop adoption whereas false negatives will.


To be honest, I disabled face unlock the moment my brother unlocked it with his face... Yeah, touch id won't let that happen.


Face unlock was slow and unreliable when it first came out 2 years ago but is pretty darn good nowadays, and just as fast as TouchID. No, it doesn't work in pitch dark or if you're wearing sunglasses. But I'll take "works 90% of the time" over an unlock feature that requires a hardware component that pretty much locks you into 1 form factor.


The problem is that you need to think about this when you unlock your phone. With TouchID you always unlock your phone with your finger.


"With TouchID you always unlock your phone with your finger"

With glove, dirty or too much sweat, I believe it does not work. So, it's not 'always'.


Not to mention, by the time I am looking at the phone, I want it already unlocked. Sometimes I want it unlocked in my pocket (Siri?). TouchID allows me to do that. Face unlock does not.


When it works fast, face unlock can be rather stunning. Occasionally it would catch a glimpse of my face obliquely and unlock before I even got to position it correctly.

However like others, I turned it off because the performance was highly variable, and the failure mode consists of a many-seconds wait which can be extremely infuriating (even embarrassing, as you stare blankly at your phone for 5 seconds at a party, trying to quickly get someone's number or something).


Does TouchID have the disadvantage of keeping your friends and family unable to use your phone in cases of emergency? 95% of the time, my phone isn't next to adversaries, but trusted parties. A password or code is transferable, a fingerprint isn't.

Edit: not a 911 emergency, but casual situations of full or dirty hands.


You can always just use a PIN to unlock. It's probably safe to assume that Apple has thought this through (no need to remind me of the supposed chaos break-in).


You can add ten fingers, or you can give them your code, or they can dial 911 with a fully locked phone. So no, it's slightly easier for a relative to use in an emergency than a typical locked phone.


Mine when locked has a small touch section labeled 'emergency call'. I assume it goes through to 911 (or relevant number). I'm tempted to press it but it's not an emergency. I assumed most phones had something similar.

Edit: I went to it. It leads to a special dialer. Instead of voicemail the button leads to a special emergency contact (or list). It only shows 4 inputs on top so I am guessing that is the limit so you can't dial anything but emergency services (that are 4 numbers or shorter). Then it goes back to my lock screen.


It is more difficult to defeat a touch sensor than face unlock. With face unlock, I just need a photo of the phone's owner.

With a fingerprint unlock, I need to go to at least a little trouble to fake the fingerprint.


Depends on scenario. If you steal a phone from a bag on the subway, you'll never be able to get that photo but can probably lift the print right off the phone itself. So maybe iOS has better-yet-still-mediocre protection against snooping yet inferiorly-mediocre guards against identity theft. Yawn.

In neither case is the phone meaningfully protected against serious attack. Why must we have this argument? It's a cute feature. Use it.


> but can probably lift the print right off the phone itself

What utter unmitigated rubbish. It is extremely unlikely that even a fully qualified CSI would be able to lift a full print from a mobile phone, let alone one that can be reliably reproduced in the manner CCC described.


On release, people were saying it was unhackable. Molds were made that faked it within a week. You really want to bet that no one will make this work? With a target this high profile?

My 5 year old son was quite literally dusting for fingerprints at the local science museum last weekend. We have some shockingly high fidelity prints of both our thumbs showing all the ridges. And all we had to do was squeeze a piece of plastic. Fingerprints have even less identifying detail than faces. You've been hoodwinked by Apple's marketing, and I'm willing to bet this isn't the first time.


Yup - remember the whole "sub dermal RF fields - so it can't be a fake finger, or your finger can't be cut off - has to have a pulse and be live", from Apple's own marketing?

Yeah, not so much. The fakes didn't even pretend to be live tissue.


It's amazing rant with any Apple story, there you are with an 'expert' opinion followed by a thinly veiled troll. I want to see your 5 year old son lift near perfect prints from a typical iPhone, no deliberate placing of prints mind you. I then want to see you recreate the CCC "hack" with the correct print. It's time to put up or shut up.


> but can probably lift the print right off the phone itself

That doesn't seem to be the case to my knowledge. The evidence from the successful attack is that you need an excellent-quality print from one of the specific fingers that has been programmed into the phone. Some phones probably have that on them, but it appears likely that many do not.


Can't someone write an app that stays in the background on their phone and copies fingerprints of people who touch your button?


Under the assumption that the sandbox works, no.


I meant jailbroken, of course.


The "sandbox" being referred to is the "Secure Enclave", which apparently is what ARM calls "TrustZone": http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-... The data isn't accessible to even the OS. So, in theory at least, jailbreaking doesn't make it any more accessible.


Ah, that's interesting, thanks, I didn't know about it.


There'll be an app for that.

edit: build an app, get your colleague, significant other etc touch it on any touchscreen phone or get on camera and create a 3d printed finger. 3d printing vs touchid...maybe


I'm pretty sure the GP was talking about the likelihood of a given phone having an appropriate-quality print [1], which does seem low.

But putting that aside, your hypothetical app would -- using the demonstrated method -- 'lift' that excellent quality print, scan it at 2400 dpi, (clean up said print), print it on a transparency at 1200 dpi, mask it onto photosensitive PCB, develop/etch/clean the PCB, spray graphite and apply wood glue to the mold.

It might make for a slightly-more-plausible-than-normal gadget sequence in a Mission Impossible movie, but it's not much of a concern for the target market. [2]

[1] Despite what decades of shows like CSI might lead us to believe, this is not a simple or error-free process. And each mistake irrecoverably destroys the print.

[2] Most of that market doesn't even use a passcode today and many that do are still using surprisingly bad PINs (birthdays/anniversaries/1234)


I find it amazing that when faced with a general question about a "security" feature the median internet tech nerd responds with an attitude of absolute paranoia (c.f. 4096 bit RSA keys, multi-word pass phrase choices, ssh key forwarding pedantry, general NSA tinfoil hatism....)

Except when confronted with an Apple product. Then it's all "Nah bro, relax. No way could you lift a fingerprint from a glossy phone screen". :)

I'll say it for the third time. It's a cute feature (like face unlock was before it). Use it and enjoy it. If you honestly think you're buying a serious security mechanism you're simply wrong.


You see two different classes of responses because there's two different use cases.

There's security that geeks advocate for ourselves and our own implementations (often things we only have to set up and maintain infrequently) and then there's security that normals actually use (often things they have to authenticate with several times a day).

And I must have missed it, if anyone's been arguing this is a serious security mechanism. As far as I've seen, it's been lauded as (not much) better than a passcode, but, primarily, convenient enough to get people to use it instead of nothing, bringing up the relative security of a still-fairly-insecure bunch.

And you may want to re-read the discussion over the faked-print attacks. It isn't about (im)possibility. It's about the time, expertise and equipment involved and the likelihood of success being too expensive to be worthwhile for gaining access to most phones. [1]

And if we're wearing our "serious" security hats, I still don't see any reason to worry too much about print faking, as its core assumption is a skilled attacker who has unfettered physical access to our device, unbeknownst to us and beyond our control. And at that point, the game is already over.

[1] CCC themselves, with ideal source prints, had to significantly complicate their process to generate fakes that worked with a suitable consistency. So even if you think suitable source prints grow on trees, the point of significant skill, equipment, time and resources remains.


It's not at all clear that the absolute paranoiacs and the people saying that it's unlikely that any but a vanishingly small number of regular people will ever have Touch ID hacked are from the same set.

When you say it's not "a serious security mechanism", it sounds as if that's defined in some absolute terms. But if the effort to hack it is hundreds of times more difficult than the possible payoff from hacking it (which appears to be the case for nearly anybody but James Bond), then it acts as a serious security mechanism for that user's context. Literally nobody is going to make a mold of my finger to unlock my iPhone — they'd have to be absolutely insane to think that was worthwhile. So it's a serious security mechanism for me. Would it be a serious security mechanism to cover nuclear launch codes? Of course not.


> When you say it's not "a serious security mechanism", it sounds as if that's defined in some absolute terms.

You have to understand that the practice of cryptography has always had a military basis; the commercial/private use is ancillary.

So, what's "a serious security mechanism?" Presume you're a military commander during active war, whose battle plans are intercepted by an opposing nation. What is the likelihood, given the opposing nation believes your plan will lead to their complete destruction, that they'll be able to break the security in time to execute a counter-operation? A serious security mechanism is anything that reduces that likelihood.


Clever use of the word median to obscure the fact that you're conflating two different attitudes which likely don't exist in the same person.


Okay, but if you steal a phone on the subway, why would you even bother unlocking it? Just sell it on ebay as a locked phone. Some bored teenagers will buy them up, unlock them, wipe them and then resell them for a few dollars more.


If Find My iPhone is on, that locked phone is essentially a brick, it cannot be activated even if completely wiped, since it's still associated with your Apple ID on the server side.

You need to be able to sign in with the Apple ID to remove the association.


Heh. So you think...

I've already done that service for another, using some auto-unlocking tools. Takes all but 5 seconds, including USB negotiation. And it even gets past sim-locks.


My Samsung phone has a feature that requires you to blink in order to unlock the phone to ensure that you're not a still photo.

Of course, I don't actually use it because the face recognition is so bad, and nonexistent in the dark.


Apparently that can be defeated with Photoshop.


Or maybe an animated GIF image.


Animated gifs would today work. What if the camera focused on something behind you first and then the face? Would that bypass a 2D method?


On a camera with effectively infinite depth of field? Probably not.


Couldn't the camera even just focus on a face and then the neck as a point of depth? Honestly, all of these quick-check systems have countless flaws.

I'm ready to have a chip in my arm now.


The point is they're both in focus. The camera (lens) isn't able to focus on the face and not the neck.


Ehh, I haven't crunched the numbers, but that's not necessarily true. Instead of taking a still picture, use video to take a few images and generate a rough 3d image. While I don't think the initial face recognition on Android had it, I believe they (or someone else) did later.

I have no idea how finger print vs facial recognition compare in accuracy, but a decently implemented facial recognition system shouldn't be compromised by a still image.


> With face unlock, I just need a photo of the phone's owner.

face unlock now requires you to blink.


>I just need a photo of the phone's owner.

As they said when they unveiled the feature and people mentioned this: give them a little credit.


They may have said that, but Android 4.0's face unlock proved fairly easy to defeat with still photos, as many people demonstrated, e.g.:

http://www.soyacincau.com/2011/11/12/clarification-on-the-ic...


I don't think you can call something a cute feature when it's turned on on most phones and is used to unlock them. I would guess that by far the majority of iPhone 5S's have TouchID enabled. I wouldn't be surprised if it's more than 90%. The feature is just that well executed.


I would be very surprised if it is that high now even with the early adopter skew. Reports say that last year around a quarter of smartphone users used passcode locks on their work phone (http://www.welivesecurity.com/2012/02/28/sizing-up-the-byod-...). I imagine 5S rates are higher than that, but 90% would be insanely impressive. When it comes to computer security, as usual, people's apathy is the biggest problem.


I'm sure opt-in/opt-out is a major factor, too. I don't have a 5S, but I'm pretty sure it's opt-out. I think even after upgrading to iOS7 I had to opt-in again to turn on the numerical pass code.


iOS setup flow basically points the user in the direction of setting it up.


Isn't passcode required to get exchange email on iOS?


That's an option set by your IT department. Annoyingly, mine does the same thing. It doesn't have to be that way.


At my work they have allowed the TouchID to be used with our security policy. I just haven't shelled out the money to buy a new phone.


Certain Japanese cigarette vending machines had photographic age detection algorithms. Japanese children used photos of Bruce Willis to buy cigarettes. Getting a photo of your face would be much simpler than getting your prints.


You touch your iPhone's screen to use it, right? Getting a latent print isn't exactly difficult.


Acquiring a high-DPI scan of a fingerprint from someone's phone, printing it to a sheet of plastic with a high-DPI laser printer, then making a copy of the print out of liquid latex doesn't sound easy unless you're in the business of pentesting. Taking a picture of someone (or lifting it from a social network) to access their device does sound relatively easy.

If I was the kind of person who was worried about someone accessing the contents of my phone, I'd simply turn off touch ID and use a long password (or spend less money on a phone that didn't have a feature I wouldn't use).

I've gone down the route of using both a long password and touch ID simply because touch ID works so reliably - I've never had to enter my password. That way someone either needs my long password or a physical copy of my fingerprint to access my device. I'd say that's much better than the 4 digit numerical code I relied on previously - which had been seen by friends and family.


See the problem here is that a compromised fingerprint betrays more resources than the system it was meant to protect.

Your iPhone has a picture of your fingerprint inside of it now. It's just a picture, and it's likely a very good picture at that.

What happens when I swipe your phone for a second or two, plug it into my machine, and download the high-resolution picture of your fingerprint?

Do you use a fingerprint lock at home? If so, I've just broken into your home.

Do you use a fingerprint lock for the datacenter you administer? I've just gained access.

Do you own a registered gun? How'd you like me to commit a murder with your fingerprint on it?

This kind of attack is the missing piece of my argument. When someone figures out how to do this, these issues are going to become very important very quickly.

Let's suppose that Apple introduces a feature that syncs your fingerprint across many devices. How convenient, right? Let's say that means keeping all of your fingerprints on Apple servers. Let's now suppose that, like a credit card database, an attacker is able to obtain a leaked copy of the fingerprint database of every iPhone user. The recent touchid hack shows that fingerprints can be spoofed for high-end scanners. What then?

Sure, this scenario is very unlikely. I'm totally in slippery-slope land here.

But when we choose to turn up the dial on convenience to sacrifice more security, we must be prudent, carefully considering the consequences of our intentional ignorance.


TouchID has some tangible implications for markets where some security is needed and convenience is already compromised. For example, my corporate policy disallows pattern lock and requires I use a pin. This is majorly annoying and is enough for me to consider a different device.

The big enterprise market is an awesome place to get a foothold in - they are not really price-sensitive and hate change. Not that Apple has any problems in that segment, but extra lock-in doesn't hurt.

Where this becomes semi-dangerous is in assuming that now your phone is ironclad and you can store whatever on it totally unprotected. The best route to safety is to make informed decisions based on your own risk-tolerance and not be a lemming.


People keep making this analogy but Face Unlock is not being promoted as ever being used for anything but unlocking the phone. Touch ID is the foundation of an entire mobile identity/payment scheme.


An ideology of "It's good enough to thwart 99.9% of the population, therefore it's good enough for me." is a very harmful ideology to have when it comes to security because you do nothing to deter mass adoption of the insecure technology.

While an individual person might not be at that great of risk because the amount of crackers willing to exploit TouchID is limited to a minute demographic of people, the real harm comes when many iPhone owners who share your ideology start using TouchID instead of the more secure locking features their phones provide just because it's more convenient.

Consider what happens when there are 100,000,000 million insecure phones out in the world. To a motivated cracker/spy/terrorist this is a huge ocean of potential suckers/victims vulnerable to exploitation. While most of these people aren't worth targeting, 1000-10,000 people might be.

This is why rejecting broken security technology is a cause everybody should rally behind. Even if you are never a victim of a black hat, you may very well suffer indirect consequences from the exploitation of somebody else.


Does this go for the locks on your front door as well? As in "nobody should have front door locks that aren't 100% secure even against eg. terrorists"?


If such a lock existed (it doesn't, AFAIK), I would certainly want it on my door. I would still seriously consider it even if it was dramatically more expensive than a regular lock. Just because there are trade offs in security doesn't mean that anyone should be content with the state of the art and not push for improvements, or push against regressions. I'm not sure myself, but people see TouchID as a regression.


This is a good point. But imagine this attitude is adopted and becomes commonplace. People WILL start becoming lax, and people who should not be storing critical information on their phones, or who don't realize that it's critical, ARE going to lose their phones and they ARE going to get cracked.

I guess the question at that point is, is a 4-digit code better or worse? I'm not fielding that one...


And I think that's the main problem with it. People think that it's actually a true replacement for a password, even though it's not.


Give me a real world scenario where this distinction matters and affects real outcomes. For real users, not people who are trying to protect themselves from the CIA.


You have your phone in your pocket, I want to access your data.

With touch unlock, all I need is my buddy to hold you for 3 seconds while I twist your arm and unlock the phone.

With passcode unlock, getting the password out of you will take some more effort.

Oh, and in this scenario, I can be a thief, or a police officer, or a borders agent, or an abusive husband, or many other things :)


> With passcode unlock, getting the password out of you will take some more effort.

Given that there are two people, capable of violence, against the phone owner I'm not sure that getting the password is going to be that much trouble.


Forcing someone to put their finger on a phone is a matter of seconds. No matter how you put it, getting a password is harder and lengthier.


Getting a password requires consent, even if it's under duress. Getting your finger doesn't require you to agree with anything.


If you use that fingerprint code, any thief that steals your phone and wants your data will have it. It offers no protection at all.

Now, if you argue that no thief will ever want your data (and you'd be probably right), it doesn't matter if you lock your phone or not, and it won't matter how you do that. In this case, locking schemes are completely useless.

(Now, I'd be content with a fingerprint reader that recognizes a finger - any finger - and unlocks the phone. It's enough protection if my pocket can't defeat it. Unlocking only by specific fingerprints looks like a pain, nobody else will be able to unlock my phone? Thanks, but I'll pass that.)


As a side note, I'd be worried that anyone can wipe my phone if they get their hands on it for a minute.


That's an option that you get to disable.


> And if they fail to enter my code 10 times, the phone is wiped.

You must not have kids, because that statement scares the shit out of me.


I'm not so sure. How many people are motivated to dupe your fingerprints to get into your iPhone? How many of those people could conceivably get into your iPhone through other ways?

Fingerprints are a nice way to keep almost everyone out of your device. And for the rest, well, I really doubt some other locking mechanism would've kept them out.


What are people going to do when, in the all-too-near future, criminals begin sharing and selling databases of stolen high resolution finger prints?

One theft isn't practical? How about a million? Driven by a never-ending pursuit of monetary gain via crime; with criminals always happy to conquer the latest technology wave. There's absolutely no reason to think that criminals won't amass substantial finger print records just like they do any other intimate information they can get their hands on, from SS numbers to passwords. It's not a question of if, but when this starts becoming common.

All it requires is linking finger prints to something valuable at a mass market scale, and that will drive an unlimited criminal demand for finger prints.

It's not about the iPhone. It's about a consumer shift to finger prints as a primary security feature, and whether that is sane (with the iPhone potentially setting the trend given its cultural status).


OK, you are a criminal and got 1000 000 fingerprints. You can start collecting them right now, on every surface you have access to. Then what? You will print them all using whatever technology is required to fool the fingerprint scanner and try one by one? Wouldn't it be just easier to try and lift one off the device itself?

> It's about a consumer shift to finger prints as a primary security feature

No. It's about a shift from zero security (no passcode lock) to some security (fingerprint). Yes it can be fooled but it is effective enough to stop casual attacks. Just like the lock on most doors — no problem for a determined robber but good enough protection from the opportunistic thief.


In the not so distant future, collecting fingerprints will be just a matter of writing malware, and uploading it. No need for labor intensive procedures such as collecting them from real stuff.

Now, in that world, what will criminals use the fake fingerprints for?


The fingerprint databases would probably also include identity information.


Let's say criminals manage to build a database of everybody's fingerprint. Now, I steal a phone, and have access to that database. How do I query it?


Based on a partial print from the screen or body of the phone? (It wouldn't work every time, but it might be feasible often enough to be worth trying.)


Call every phone number until the phone you've stolen rings. Then it's a simple reverse directory lookup to get the name of the person who owns the phone.


I'm not sure I agree. How exactly is anyone (other than the government) supposed to be able to get all these fingerprints? Are you suggesting people are just going to go around and start dusting for prints anywhere they can or what? Maybe fingerprint phishing? (That doesn't even make sense unless we start transmitting actual fingerprint data to servers instead of mostly using it to protect password managers client-side.) The reason identity thieves can get their hands on social security numbers and passwords is because people have to share that information deliberately a lot more often. If you breach the right database, maybe you'll score the jackpot and get the financial details of a few million people, but what database can you breach to get people's fingerprints in a format that allows you to create fake fingers to bypass biometrics? Who's going to be keeping high-res copies of fingerprints around, let alone in enough quantity where it might actually pose a risk to a decent proportion of the population?


You handwave around the fact that obtaining high-res photos of the finger (i.e., lab setting) is not exactly easy. How would you propose this occurs? It's not like this is some widely-licensed implementation - the devices are highly personal/coveted and don't store the image in-device (just hashed representation that can't recreate the print).

The CCC could have used a stray fingerprint (say on a glass or the phone itself) but didn't. I suspect they would have demo'd that if they could have made it work reliably or even at all.

Your slippery slope argument seems faith-based and doesn't answer the big questions I posed above. I don't see Samsung or Moto going fingerprints anytime soon - and if they do, Apple is there with patented tech waiting to sue them if it's at all similar. Widely varying implementations of the same thing with possibly different exploit angles - does that seem like a security epidemic to you?


What I think he is saying is that because it is now on iPhone, more devices/services/whatever may be likely to use finger prints for auth. This is dangerous because you can't change your fingerprint in the unlikely case someone dupes your print. If more and more things rely on finger prints, the value of duping goes up, right? What happens when your prints are duped once?


"What happens when your prints are duped once?"

Most of us don't live in a James Bond movie.

(1) If someone has my fingerprints they still need my phone to do anything.

(2) Even with my phone there's a good chance it's worthless unless they also have my pin.

(3) Stealing my phone has also become worth much less unless you have my prints and the followthrough to make fake ones and again they'll want my pin in most cases because you only get 5 failed attempts with your fake prints.

(4) All of that takes time, during which I may be able to remote wipe my phone, making the whole exercise worth even less. And it takes money, again lowering potential returns.

It's easy to imagine (numbers pulled out of ass) that a thief could get a few hundred bucks for a 5C (no touch id) but say half that for the more expensive 5S. Maybe that won't hold up for various reasons (hey thieves will work hard to make those stolen 5s's worth more) but the principle behind multi-factor is sound.


Or could home 3d printing be used to create fingers with fingerprints?


A default Reprap won't be able to reproduce a fingerprint, but all it would take is increasing the reduction rate of the motors, using a smaller hole at the hot end, and a material that flows better (or increasing the temperature).

It would probably take a few tries, but seems well within a person-sized budget.


This is right. Fingerprint scanning prevents casual snooping in the same way that a PIN or face unlock does. It's lightweight authentication. It can't be used as a hard security feature (e.g. as input to a PBKDF) so it can't provide security against hard attacks like stealing the device and reading the flash.

It's cute. Honestly I don't see what this adds over face unlock which is reasonably mature now and equally yawnworthy IMHO.


I haven't used face unlock but I am going to guess TouchID is much faster and easier. It unlocks almost instantly, you don't have to be in view of the camera, and it doesn't require any extra effort since your finger is already on the home button to wake up the phone.


> I haven't used face unlock

Face unlock is very fast - generally I turn device towards me to start using it and face unlock has unlocked it before I even realise it was locked (less than half a second).

When it fails to recognise you, you can enter a pin/password/pattern. There is a menu option to 'Improve Matches' so it can pick up whatever is different this time. Every release has improved dramatically. After my most recent Android reinstall I recall only ever improving matches once.

It doesn't work in low light which fingerprints will.


The answer is probably no, but does it work if you've got sunglasses on??

I know that Picasa's face detection works even if I am wearing sunglasses... that's the only reason I ask.


If it doesn't work first time with sunglasses then you use the "Improve Matching" to take a pic of you wearing sunglasses. They don't want identical pics of you - they want pics of how you vary. (Same story with facial hair etc)


Face unlock is instant now too. People still remember the slow demo from when ICS came out but it's nothing like that any more.


I've used Face Unlock. It's terrible. It's slow, very inconsistent, doesn't work at all in a variety of situations (low light, in pocket) and goofy.


I imagine it wouldn't work very well at all in your pocket. How do you get your face in there anyway?


Can you buy content with Face Unlock?


The point the parent is making is that you shouldn't be able to buy content with a fingerprint.


No, to him Touch ID is the same as Face Unlock and both are just cute lightweight toy features.

He asks: "I don't see what this adds over face unlock."

I answer: "You can use Touch ID to buy things."


Identification via fingerprints is fine, it's the authorization to do something that can be problematic. So, unlocking your phone, not too bad, accessing your bank records, not so good.

If the fingerprint is the identification that is used to then trigger decryption of securely stored data, it's a lot less secure of a mechanism than a fingerprint AND a password.

There was a good recent discussion that fingerprints also do not enjoy the same protection as passwords, as the fingerprint is not a "content of your mind". Here's the wired article on this: http://www.wired.com/opinion/2013/09/the-unexpected-result-o...

It was also discussed at length on HN, but I can't find the thread.


Terminology quibble. _Authentication_ is what's tricky. Authorization is no problem.


Fingerprint authentication is just like a door lock on your house. It's not going to stop a determined criminal (because they can just smash your window), but it's a pretty good way to stop casual attempts at intrusion.

I agree that the touchID shouldn't be used for authentication with everything and I think Apple agrees, which is why they haven't opened it up to 3rd party developers.


> How many people are motivated to dupe your fingerprints to get into your iPhone?

I'd suggest that someone would just access the data storage, bypassing the fingerprint mechanism.


I'm sure 5s's are fetching at least $400 on the conservative side. If all I have to do is spend like $5 and follow a how-to on a website, I think a lot of people would be willing to make the investment.


If your objective is to sell a stolen iPhone then you still have to know the owner's Apple ID and password due to activation lock. Being able to bypass Touch ID isn't going to help you.


But what if the objective isn't to steal the phone but to surreptitiously collect or plant information?

I can think of some examples:

* jealous spouses who want to look at call logs, emails, text histories

* unscrupulous managers looking to see if you've been talking to headhunters, competitors, etc.

* stalker coworkers who are looking for "private selfies"

* frenemies who want to post inflammatory messages using one of your social media accounts


Nope. If it's not a hardware lock, it will be bypassed.


Correct me if I'm wrong, but I'm pretty sure Apple's new iOS7 activation lock has not been defeated yet.

Keep in mind that if these criminals can't figure it out by googling it, they will give up and move on. The typical phone thief isn't a security expert with the knowledge to invent a previously unknown exploit.


Well, it's possible that the fence they sell the phones to would be motivated to find an exploit.


It's not that easy. You've got to get a really good, clean, complete print of the correct finger and avoid damaging it during processing (nontrivial).


The author is a maintainer of eCryptFS. For those not familiar with it, eCryptFS is an encrypted filesystem used by several Linux distributions (including Ubuntu) to protect your home directory and/or the entire disk. It serves a similar purpose to TrueCrypt, BitLocker, FileVault, etc.

For the purpose of a full-disk encryption software, fingerprints are many times weaker than a good password. The purpose of such software is to prevent a thief, the cops, the NSA, or anyone else who takes possession of your computer, from viewing the contents of your hard drive. A fingerprint won't protect you from the cops, since your prints are already all over the place and they can probably force you to provide a fresh copy anyway. In that case, fingerprint logins would only give the user an illusion of security. So it's understandable that the author doesn't want to enable fingerprint logins to his software.

For the purpose of unlocking a phone, on the other hand, a fingerprint is probably good enough. The contents of the phone usually aren't encrypted, so a determined attacker will just turn the phone off, pull out the SD card and/or the internal Flash memory, and read everything off of it. Or if you're NSA, forget the phone and get the data straight from Apple. TouchID is not for NSA-proofing your phone, it's for deterring common thieves and pranksters.

tl;dr: I agree with the author that fingerprints are not a good fit for full-disk encryption software. But I don't agree that fingerprints are completely useless. It all depends on the type of attack you're trying to defend against.


I'm pretty sure that iPhones have encrypted their data since the 3GS. That's how they "remote wipe" it. They send a message to the phone to delete the encryption key.


AFAIK the encryption key is stored in plaintext unless you also set a passcode (many people don't), and even if you set a passcode, most of the time it's just a short number that would be trivial to brute-force in an offline attack.

Of course it's also possible to use eCryptFS with a four-digit passcode, but it's strongly recommended against. The main difference between FBI-proof encryption and pickpocket-proof encryption is not in the algorithms used, but in the typical use case of each.
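An added example, not part of any comment in this thread: the comments above contrast a secret that can feed a PBKDF with a short numeric passcode that is trivial to exhaust offline, and this sketch measures that gap. PBKDF2-HMAC-SHA256, the low iteration count, the salt and the passcode "7391" are constructed assumptions, not the key derivation of iOS, eCryptfs or any other product.

```python
"""Added example: how much offline work a passcode buys once it feeds a KDF."""
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 with a deliberately low, constructed
# iteration count so the demo finishes in seconds. Real products choose
# their own KDF and cost; this models no specific device.
DEMO_ITERATIONS = 200


def derive_key(passcode, salt, iterations=DEMO_ITERATIONS):
    """Stretch a passcode into a 32-byte key, as a disk-encryption KDF would."""
    return hashlib.pbkdf2_hmac(
        "sha256", passcode.encode("utf-8"), salt, iterations, dklen=32
    )


def keyspace(alphabet_size, length):
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_per_guess(iterations=DEMO_ITERATIONS, samples=50):
    """Measure the average cost of one key derivation on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(str(i), salt, iterations)
    return (time.perf_counter() - start) / samples


def worst_case_seconds(alphabet_size, length, per_guess):
    """Time to walk the entire keyspace at `per_guess` seconds per attempt."""
    return keyspace(alphabet_size, length) * per_guess


def exhaust_numeric(target_key, salt, digits, iterations=DEMO_ITERATIONS):
    """Walk the whole numeric keyspace; return (passcode, guesses_used).

    Returns (None, keyspace_size) when the key did not come from a
    `digits`-digit numeric passcode.
    """
    total = keyspace(10, digits)
    for n in range(total):
        guess = f"{n:0{digits}d}"
        candidate = derive_key(guess, salt, iterations)
        if hmac.compare_digest(candidate, target_key):
            return guess, n + 1
    return None, total


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    key = derive_key("7391", salt)  # constructed 4-digit passcode

    started = time.perf_counter()
    found, guesses = exhaust_numeric(key, salt, 4)
    elapsed = time.perf_counter() - started
    print(f"4-digit passcode {found} found after {guesses} guesses "
          f"in {elapsed:.2f}s")

    per_guess = seconds_per_guess()
    policies = [
        ("4-digit PIN", 10, 4),
        ("6-digit PIN", 10, 6),
        ("12-char alphanumeric passphrase", 62, 12),
    ]
    for label, alphabet, length in policies:
        secs = worst_case_seconds(alphabet, length, per_guess)
        print(f"{label}: {keyspace(alphabet, length):.3e} candidates, "
              f"worst case {secs / 86400 / 365:.3e} years")
```

Raising the iteration count multiplies every row by the same factor, so it cannot make up for a keyspace of 10,000; only a longer secret changes the exponent.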


Yeah, I was specifically addressing "The contents of the phone usually aren't encrypted". If you have a passcode (which is required for TouchID) then your iPhone is encrypted.

You can definitely brute force it. I saw an article somewhere (probably here on HN) addressing the fact. I can't find it, but if I remember correctly, it said something about Apple or an associated company quietly offering forensic help to police on bypassing the password. I think it implied they were using a ramdisk to brute force the encryption.

edit: Found an Ars article about Apple doing it, but it doesn't mention anything about a ramdisk. http://arstechnica.com/apple/2013/05/apple-will-reportedly-u...


Not essential to the main thesis of the article, but still: "But let's just say you're okay with Apple sharing your fingerprints with the NSA, as I've already told you, they're not private at all."

Ok, they are not private but I'd still not willingly put them on anything controlled by a US corporation. Govt sending their agents to collect my fingerprints from glasses? Not feasible, too costly. Agency asking Apple to fetch the fingerprints willingly provided by the population "just in case"? Maybe not today and not tomorrow but in a few years? I wouldn't bet on them not doing it. And once there you're just one false positive away from some serious shit happening to you.


As others have joked: Imagine how much people would freak out if Apple devices had a microphone or a camera capable of recording you surreptitiously!

If you're worried that Apple will roll over for the NSA, and that the NSA will, at some point, be out to get you, the quantity of information they could gather through backdoors on your phone is so astounding that it's hard to understand why hashed fingerprint feature analysis would be the last straw.


To be clear - it's not about the scenario where NSA is already out to get me. Obviously in this case the cost of getting my fingerprints the traditional way doesn't matter anymore. It's the scenario in which NSA gets interested in me because a) I made it easy for them to mass-harvest my fingerprints and b) they happen to get a false match on a terrorist's ashtray or whatever. I'm not convinced that the (hypothetically mass-harvested) material from the camera and microphone has comparable potential for such a false match.


A lot of people have already given their fingerprints to the US Govt - children whose parents enrolled them in "kid safety" programs, teachers, anyone that ever applied for a position of public trust or any kind of background search, people that have applied for concealed carry permits...

The US Govt probably has 3-4 sets of my fingerprints in various data stores across several agencies...and I'm no one special.


#66 on the Evil Overlord list:

My security keypad will actually be a fingerprint scanner. Anyone who watches someone press a sequence of buttons or dusts the pad for fingerprints then subsequently tries to enter by repeating that sequence will trigger the alarm system.

Why not have the sequence remain the password, but also scan fingerprints? If you have the wrong fingerprints (username), the right password still won't work.

http://www.eviloverlord.com/lists/overlord.html


If we assume the attacker is going to (be capable/mindful enough to) dust for fingerprints, they're going to get a very small potential keyspace for a passcode.


"fingerprint or pin" means that when the fingerprint scanner doesn't work, you can use the pin to unlock your phone. "fingerprint and pin" means that when the scanner stops working, you are locked out. Apple has obviously decided this is more of a risk/inconvenience than the extra security justifies.


I keep forgetting that this discussion is iPhone-focused. At this point, I'm thinking about other systems too, such as ATM number pads or entry pads for security gate/secure door systems. What if each button on the ATM was also a very fast fingerprint sensor? (What if the ATM had a cleaning device built in?)


If the scan doesn't leave collectable fingerprints on the keys, it'd work!


"Once your fingerprint is compromised how do you change it?"

This is the central question for all biometrics for me and I believe one of the hardest problems to solve. There are many people who believe they are solving this by using ever more intricate biometric identifiers, thus increasing the bar to reproduce them beyond what they believe currently feasible. But I'm yet to see that central question addressed.

What happens when you lose control of a biometric key?


https://news.ycombinator.com/item?id=6478343

> they'd have a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.

I don't use it, but it seems there's a fallback password after __ failed attempts.


I don't mean to say "what happens if you lose a finger" rather, what happens when your biometric key has been compromised. You can only move on to so many unique body parts before you're out of key changes.


A very good point. One of the most important things about strong authentication schemes is the revocation protocol. When things go bad, how easy and secure is the process of changing the auth mechanism? The trouble with fingerprints is that you're stuck with them for life, even if somebody else <pun> gets their hands on them </pun>.


Wouldn't the revocation process be very simple? If someone has acquired your prints, just stop using touch ID? I mean, there are still 2 other authentication options on the iPhone.


That's a bit like saying "if someone has compromised your SSL certificate, stop using SSL; how about Kerberos?"


There are also 9 other fingers. Granted, not all of them are convenient to use.


I'll be interested when someone breaks Touch ID in a real life theft. This is not a simple process, it's not clear that a determined thief is even likely to find a good enough print in a real life case, and you can't mess around because after 5 failed attempts it will prompt for a password.

Touch ID will likely cover the vast majority of security use cases for iPhone owners.


I saw the CCC video and I think you are right, a suitable print being found on the phone is a bit slim, although not impossible.

However, I think the point of the article is that you can change a compromised password, you can't change a compromised fingerprint. As is mentioned, there are plenty of databases with fingerprint information. Also, for the crowd that is paranoid about government accessing their data, an authority might have an easier time getting into a device when they already have your fingerprint as opposed to figuring out your passwords.


But you can change a compromised fingerprint, to a password.


A phone screen unlock is not like passwords as used elsewhere. It has to be short; otherwise it is impractical. We know that short passwords don't have much entropy. We also know that we can examine the grease on the screen and make a good guess as to what the password is.

If we consider phone unlocking mechanisms to be in a different "not fully secure, but at least practical" category, then I think it's perfectly acceptable to use a fingerprint as an unlock.

Mitigation is possible too. For example, the phone could lock out and require a proper password if it detects tampering (which, AIUI from other comments, the iPhone does).


I've been using TouchID for the past few days, although I'm going to disable it before international travel. It works amazingly well. It caused me to set my unlock timeout to 1min vs. 5min.

The biggest annoyance is I keep holding my thumb on the home button on my iPad, then get disappointed when I realize it won't work. I've probably done that 20 times so far.

I really wish I could do "per context security" -- requiring multiple discrete factors based on action and threat. That would be a huge innovation for the iPhone, which would sell the next billion phones, if integrated with Internet services and apps. In my house, maybe not require anything, or just a thumbprint. In my car, same. In a coffeeshop, normal passcode after a few minutes, unless the phone has just accelerated highly, in which case a much higher passcode. At Customs in China, a passphrase held out of country. etc.

A bigger deal than Siri, if slightly less of a deal than Retina, and something a team of 2-5 people could implement before iOS 8. I'd even be willing to work at Apple to do it.


I have my password set to wipe my iPhone after only 3 incorrect tries but I disagree about touchID being more convenient. You can be compelled to give LEOs access to your device if it only requires your fingerprint. I can conveniently forget my PIN if necessary.

Any good thief is going to swipe a phone and worry more about getting away and less about unlocking it which they will do later. Furthermore, unless you're jailbroken and have changed your default sudo credentials then your data isn't all that secure anyway against someone with a computer and rudimentary software. All of which can be done while the phone is off or in an area with no service. That would also serve to defeat find my iphone as well.


Above is by a "maintainer of eCryptfs" noting that we would otherwise leave our passwords on everything we touch and without option when that password is compromised.

I wonder though, is there a biometric facet that can surmount the bar of unreplicable uniqueness? Contact lenses can fool iris scanners. Perhaps we should make a dental impression sensor?


Unique? Maybe. Unreplicable? I can't imagine so, we're all just a bunch of molecules.

At some point in the perhaps-not-too-distant future, we will likely have very sophisticated brain-scanning technologies, and combined with advances against biometric methods, basically any form of authentication will be useless.

I have absolutely no idea how to get around this, and can only hope that our society has advanced enough by that point that we don't need to keep any secrets at all. Not much chance of that really, IMHO...


That's a rather interesting idea. If you could get Cory Doctorow to write "The Day the Password Died" from your prompt, I'd be very happy.

Synopsis: an evil government steals the private thoughts and passwords of its citizens, most of whom are unaware of the threat. A few paranoid individuals come up with increasingly bizarre biometric passwords, but the government has secretly approved unauthorized (and speedy) cloning to bypass these protections.

Finally, the freedom fighters use the government's own technology against it, replicating the president's biometrics in order to shut down and disclose the program.

No meaningful political change occurs.


That would be pretty cool. I can't imagine that nobody else has thought of this idea before, though...

What really scares me, though, is when we get to the point of not just being able to read thoughts, but being able to write them. How would you ever know that your memories and emotions have not been tampered with? As far as you know, you've always loved your corporate overlords, and would never do anything to work against them...


Isn't that the point of 1984?

The protagonist is unable to make a physical record, and so must trust his brain to retain any proof of the government's wrongdoing.

However, the brain is a poor vessel for this - it can be manipulated and tortured to discount information. And so, Winston ends up loving Big Brother.

Paper and bits are what we rely upon; there is a reason eye-witness reports are trusted so little in comparison to physical evidence.


"without option when that password is compromised."

I don't understand why people keep repeating this. As long as fingerprints are an optional authentication mechanism, you absolutely have an option if your fingerprint is compromised: switch to a passcode.


Alternatively, fingerprints should be used as 2FA. They're something you have. Supplement it with something you know (or that your encrypted password store knows) and you're golden.


Not quite right. Fingerprints are considered "something you are". Always with you, can be impersonated, but can't be changed. Something you have would be a key or a token, that can be changed if compromised.

Agree with the rest of your comment. Cocktail "something you are" with "something you know" and "something you have" for potent results.


> They're something you have.

And the police have them. And the US government has (flew there twice) them. Isn't the "something you have" in 2FA ideally meant to be something that only you have?


One issue here is that there is no way to give out unique username/password pairs to each service.

If Apple uses this, and Google follows, and Facebook, Twitter, LinkedIn, my PayPal and CoolAppForYourFone(TM) and everything else, then if CoolAppForYourFone(TM) scans my fingerprints, then they have access to everything on all other accounts which use this info.

Once it becomes common, then on street corners, salespeople will ask your opinion on things, "Hi! We're doing a survey this week for Vodafone - just a quick question - do you think people with Android phones or iPhones have sex more often?" and ask you to give a fingerprint to sign it. And most people will.

Or "Hi! We're giving away 20 euros free credit today at PhonesForYou! Just place your finger on the scanner here, and tell us your phone number and we'll send it through!"

We're already trackable enough, why make it easier for scammers with scanners?


4-digit PIN codes aren't passwords either. Sometimes good enough is good enough.


> 4-digit PIN codes aren't passwords either.

They have all the essential features of passwords, they are just weak passwords.

Fingerprints can't be changed if compromised, and so they don't have the essential features of passwords.

There is a difference between a weak password and not-a-password.


>Fingerprints can't be changed if compromised

Sure they can, it's just really, really painful ;)


Fundamentally, a username and password are parts of the same thing - a collection of information (often a string of text) that you need to get access to something. The 'username' is usually just the part of it that isn't necessarily hidden.

Part of the problem is that Apple's iOS has no username, just a password. Thus, one of the differences with a fingerprint 'password' that I haven't seen much discussed is that it would make it harder for him to share that tablet with his wife, since they can share one four-digit passcode, but not (as far as I know) two different fingerprints. The fingerprint makes it much harder for the popular family use cases between letting one person in and letting everyone in.

Edit: OK, cool, my comment is invalid.


You can set up multiple fingerprints (from multiple people) that can be used to open the phone.


This might be true for things that truly need to be secure (bank vaults, super secret government facilities, etc.). Clearly in those cases just relying on a fingerprint that could be compromised by motivated attackers is not enough. But personally (and I imagine this is true for many users) I'm not trying to secure my iPhone from highly motivated and skilled attackers. Those individuals will probably be able to access the data on my iPhone fingerprint or not. Given that, it just is a convenience feature, allowing me to secure my phone from the everyday person trying to pry into my phone and give me access much easier and quicker.


I don't lock my phone to keep out the NSA or the government. I suppose those organizations would be able to easily crack in regardless. I lock my phone so my child can't pick it up and mess things up. Or to hopefully deter potential robbery. Thus, I think TouchID is great even though I do agree with the OP. If I had something like my primary computer that I needed to keep very secure, I'd shy away from using my fingerprint.


I can't help but think that there's a whole segment of HN readers who are thinking as single men. In the context of a family with kids this is a very different thing. My kids have access to my phone and my wife's --which are not locked in any way. I have access to my kids' iPhones, iPods and iPads. Having devices locked to fingerprints in any way would be a nightmare. If you have really young kids, it's a logistical mess.

I can see it working just fine from the context of a single and otherwise unattached individual. That'd be OK.

...until you have an accident and someone needs to figure out who to contact...but they can't get into your phone.

...or, until you lose your phone and whoever finds it actually wants to figure out who you are in order to return it.

...or any number of other scenarios where you actually want other people to access the device.

There's also the angle of trust. What's your significant other going to think when he/she can't get into your phone without your fingerprint?

Again, I can see it being a really convenient tool for some people. Not sure it is a universally useful thing.


Funny, I have teen/pre-teen children and my reaction is the exact opposite.

I, mostly unsuccessfully, ban the children from having passcodes on their devices so that I can do backups, act as communal spy for various parents etc. They, on the other hand, mostly add passcodes (then change them regularly) so that their siblings don't go onto their phones and change the wallpaper to amusing photos, delete Minecraft etc.

Having Touch ID whereby only they, me and their mother can access their devices is manna. And it makes confiscation substantially more meaningful, assuming you can switch individual prints on and off.

I can't wait, although, as I'm too cheap to ever buy them the latest gear, it'll be a couple of years before this particular paradise occurs.


Perhaps I am missing something. Are you saying TouchID allows you to register multiple fingerprints for access to a device?

With regards to the kids ignoring your requirement to not have passcodes. Well, what can I say, my kids do as I say, perhaps a different approach is in order? For example, my kids know they should not play any computer games during the week. On Saturdays they can play as much as they want. During the week it's academics, mindstorms and good old-fashioned go outside and get dirty play. I've never had to enforce the rule. In general terms I think kids respond well to rules and schedules so long as these things are fairly and consistently applied.


> I could see some value, perhaps, in a tablet that I share with my wife, where each of us have our own accounts, with independent configurations, apps, and settings. We could each conveniently identify ourselves by our fingerprint. But biometrics cannot, and absolutely must not, be used to authenticate an identity.

I am not seeing the distinction. What exactly is the difference between an "identification" and an "authenticated identification"? With the family tablet, the fingerprint is still acting exactly like a password, and the reason the author is okay with it is because it's a password that's not protecting anything terribly important. Why not just have profiles that are selectable without any authentication? That would probably also work for a family tablet, but the fingerprint might be preferable to protect some info from your family members (even completely innocent things like shopping for gifts). Of course your family members could easily lift your fingerprint and bypass the biometrics, but it doesn't matter.


I was thinking that fingerprints would be phone numbers. Imagine getting calls routed to any phone that has been validated by your thumb print.


Uhhh, what?

    Of course, there are civil liberties at issue as well, since Apple could
    potentially share the information collected with governments.
    http://truthseekerdaily.com/2013/09/exclusive-apple-admits-iphone-5s-fingerprint-database-to-be-shared-with-nsa/

This link has many of the hallmarks of bullshit, but it still spooks me.


Link references a satire site. Disappointed to see it's still got legs.


Frankly I just ignore the bullshit-scented links and don't even bother getting spooked; usually if it's real, it will show up again in a less-suspicious place, and I'll pay attention to it then.

It may be an imperfect filter, but you just can't waste your time giving credence to an article on "www.gunsgunsguns.com" about why civilians need automatic weapons, or every other crackpot link.


But wait, the alternative is 4-digit PIN. How exactly is 4-digit password with only digits secure? How easy is it to see it over the shoulder?

The answer is: pretty easy.

Both phone locking technologies are not about securely protecting data, they are about preventing the phone from casual looks when you are away for 5 minutes and left your phone. And TouchID does a better job for this case.


Most of the comments seem to assume TouchID as implemented today will remain the same in future. Here are a few scenarios that I imagine it may evolve to:

1) Unlock using multiple fingers; 2) Unlock using the same finger repeatedly, but with different pauses between taps, e.g. two short taps, followed by one long tap; 3) Unlock using finger gesture, for example press your thumb, then move clockwise 45 degrees; 4) Unlock using a single finger, the iPhone sends a passcode to your iWatch which you can use to enter.

Such uses of fingerprint would be much more secure, yet still relatively convenient. Losing your fingerprints wouldn't really be a big problem. You only need to change the sequence.

To further the idea, iOS may offer multiple accounts. Family members may have access to a "guest" section, whereas the phone owner has full access. Fingerprints can be used to unlock the appropriate accounts.


Realistically 1) most people don't use a PIN code, 2) those that do use their birthday MMDD or DDMM.

If you think someone where you work/live might have the tools to lift your fingerprint from a beer bottle or spacebar, you probably have more serious problems than the contents of your iPhone.

I'm sure security nuts will put their iPhone in a shielded box with a coded lock on it, in addition to using (and painfully entering on each unlock) a high entropy passphrase that's as long as possible.

More power to them.

TouchID is good enough to prevent my daughters from seeing the naughty texts I send to my wife (none of your business either), and that's more or less the level of security TouchID is designed for.


Then don't use it. For me, it far outweighs having to type my password in every time.


I don't think anyone cares what level of security you are personally comfortable with. If you are fine with its weaknesses, go for it.

However, those of us that set security on company devices are very interested in the quality of different methods, and are glad to hear as many learned opinions on the matter as possible.


> For me, it far outweighs having to type my password in every time.

I'd rather type my password in every time than leave my data unencrypted--and using a fingerprint is essentially leaving it unencrypted.


A fingerprint is a perfectly acceptable means of authentication for low security needs (read: most needs). For higher security it serves well as one of multiple authentication layers, e.g. a fingerprint AND a pin code.


Flagging due to him pointing to an obviously fake story to support his position.


Maybe you should say what story he's pointing to that's obviously fake?

I'm sure you mean the "Apple is sharing fingerprints with the NSA" link...



Well, I've never heard anywhere that Apple was sharing the fingerprints with the NSA. As far as I know, nobody said that... It's just the obvious* default assumption.

And the matter of default assumptions is that you need evidence that they are false. Apple denying it is no evidence. But yeah, the point about the microphone and camera stands.

* And it is obvious, no point in arguing against that. When everybody makes the same assumption the first time they have a new piece of data, the assumption is obvious.


"As far as I know, nobody said that"

The OP linked to an article which said that, which sourced from the article referenced by the link to the rebuttal I posted.

"And it is obvious, no point in arguing against that."

No, it's really not obvious. Apple made very specific claims about the functionality of their product. Unless you can prove those claims wrong, you're just spreading a conspiracy theory.


All security is based on either something you know, something you have, something you are, or a combination of the three.

- A username is something you know.

- A password is something you know.

- A pinpad is something you have.

- A finger print is something you have.


- A finger print is something you are.


You can copy finger prints rather easily, they are something you have.


This is a great point, but I'd love to see a passcode system that isn't vulnerable.

The "swipe puzzle" things (I'm not sure what to call them.)? I've been able to see people enter them once and unlock their phone. Passcodes? Even if people used secure ones, with a combo of looking while they're entering it and the smudges it leaves, it's not that hard to get.

Those are the 2 most frequent models of password input I've seen, both flawed. Any ideas for a better one?


Something you have. Something you know. Something you are. The point is to have more than one, not switch one for the other.


You are just repeating a dogma, not explaining why it is not good to think of a fingerprint as a username.


It's not a username. It's a fingerprint.

Usernames are how we indicate an identity to a computer. (Note "an" identity; identities do not one-to-one map to humans.) Identity is what we are trying to establish in the first place; if we simply knew you were authorized to use an identity we wouldn't need auth in the first place. Having a matching fingerprint is evidence that an authorized user is authorized to use that identity. Knowing a username is not. They are not the same thing. Fingerprints are not perfect auth, but they are auth of a sort; usernames aren't auth at all.


>> Having a matching fingerprint is evidence that an authorized user is authorized to use that identity.

Considering that you leave your fingerprint everywhere you touch with your bare hands, is that really true?


There is a reason I chose the word "evidence" and not the word "proof". Yes, it is evidence. No, it is not proof.

Further note that possession of a password ("something you know") is also merely evidence, not proof. Also, "something you have" is not proof either; having a token is merely evidence, not proof. We have no method of proof. If that is the standard you are looking for, then I have some bad news: It is impossible to meet that standard. If we did have a direct method of proof-of-identity, we would not have to talk about evidence. We would simply use the proof.

Yes, it is possible to fool even a three-factor authentication system, with enough work. That's why it's important to understand that security is not about absolutes; it's about raising the cost of penetrating the security above the value of the thing being protected. Which is also why fingerprint protection is just fine for rather a lot of iPhone users; what's the payback for cracking a fingerprint scanner, just to get access to a metaphorical Grandma's phone? If you are concerned that the value of what is on your phone exceeds the costs of penetrating the fingerprint scanner, then use more authentication. It's about costs & benefits, not absolutes.

Would someone care to explain how the observation that fingerprints are indeed a form of auth, but usernames are not (often they are fully, intentionally public information!) is false, and therefore the entire premise of the post's title is incorrect, with something other than the downvote button? I'd really like to hear the explanation of how that's not true.


>> what's the payback for cracking a fingerprint scanner, just to get access to a metaphorical Grandma's phone?

Well, if said Grandma is rich and is sharing dirty selfies with someone she doesn't want Grandpa to know about... being able to steal and use that information will probably be worth much more than the value of the phone itself.


By definition, if Grandma's phone contains high-value information, then it contains high value information. In that case, Grandma should take more steps to protect her high value information. Yes, if you just rewrite the premise to the question, the answer changes.

This is some really sloppy thinking you're engaging in here. Rewriting questions to obtain the desired answer is a very dangerous cognitive habit to get into.


In this argument we are trying to find a balance between convenience and security -- but it's not possible. Anything that is easy for me to do to unlock a phone can be faked and/or hacked.

I'd rather just have an NFC chip hidden on my body that I had to tap the phone on before entering a numeric value on a randomized keypad.


About the only person I use even a pin lock around on my phone is my girlfriend, and that's just because she gets upset if I communicate with any girl. Fingerprint is fine for that purpose. Anything else I wouldn't bother locking it at all, I'd just disconnect the phone from my accounts if it is ever lost.


Wiping a phone in DFU mode removes the password as well. I learned the hard way when I forgot my PIN and had to wipe and restore.

It also bypasses activation lock because phones sold overseas are usually sold to countries that do not subscribe to the national blacklisted IMEI database and this won't block the device on their network.


> Fingerprints are Usernames, not Passwords

No they're not. A username is something you intentionally give out to other members of some community so they can identify you. A username is by definition not secret at all, and it must necessarily be easy for others to replicate. It is not easy to replicate a fingerprint.


> But let's just say you're okay with Apple sharing your fingerprints with the NSA

Can we stop with this BS already?


Makes sense. Just like in a PGP web of trust, where that key is your unique identity, so will these fingerprints be. But it's a lot riskier to use them as your passwords (either against the NSA or other dedicated hackers).


Have there been any attempts to ascertain PINs by analyzing the finger residue left on touch screens? That strikes me as something that would be pretty easy (for an expert with the right gear), especially if patterns were used.


Fingerprints are passwords, they just aren't good ones. Just like "password" is a password and not a good one. Your phone number is your username.


Here's the thing, folks: this is not an alternative to having a 16 digit passcode. This is an alternative to not having a passcode at all.


Only the mind is secure. I think this is all fairly obvious: we need to build thought reading technology to have entry-less authentication.


How about, "fingerprints are pass codes that I don't have to enter 200 times a day, which I currently do"?


The only thing different between your fingerprints and a password is that you can change your password...


Sorry for the possibly stupid question.

Why do we not just use passwords to log into things? Why do we need a Username too?


Because otherwise everyone using "password" as their password would have to share an account!


That's a great way to tl;dr my tirade against biometric security. Is the link worth reading?


Wife (not a techie) says she wants Android now, so there's no one stealing her fingerprints.


This article is missing its own point. Username+password combinations are nothing but an identification means. Fingerprints solve the same purpose.

The issue this article should be trying to shed light on is one of inadequate fingerprint scanners, not that fingerprints themselves are compromised. Make a scanner that requires epidermal prints, and go from there.


I agree! Imagine yourself being drunk or having a deep sleep. Anyone can unlock your phone.


The best thing in this article is the list of things-that-turned-out-to-be-bad-ideas!


"Fingerprints are usernames" <-- that is an excellent insight.


OP too hung up on theory to see that TouchID works well in practice.


Agreed 100%


Well said!



