Schneier on Security
A blog covering security and security technology.
September 11, 2013
iPhone Fingerprint Authentication
When Apple bought AuthenTec for its biometrics technology -- reported as one of its most expensive purchases -- there was a lot of speculation about how the company would incorporate biometrics in its product line. Many speculate that the new Apple iPhone to be announced tomorrow will come with a fingerprint authentication system, and there are several ways it could work, such as swiping your finger over a slit-sized reader to have the phone recognize you.
Apple would be smart to add biometric technology to the iPhone. Fingerprint authentication is a good balance between convenience and security for a mobile device.
Biometric systems are seductive, but the reality isn't that simple. They have complicated security properties. For example, they are not keys. Your fingerprint isn't a secret; you leave it everywhere you touch.
And fingerprint readers have a long history of vulnerabilities as well. Some are better than others. The simplest ones just check the ridges of a finger; some of those can be fooled with a good photocopy. Others check for pores as well. The better ones verify pulse, or finger temperature. Fooling them with rubber fingers is harder, but often possible. A Japanese researcher had good luck doing this over a decade ago with the gelatin mixture that's used to make Gummi bears.
The best system I've ever seen was at the entry gates of a secure government facility. Maybe you could have fooled it with a fake finger, but a Marine guard with a big gun was making sure you didn't get the opportunity to try. Disney World uses a similar system at its park gates—but without the Marine guards.
A biometric system that authenticates you and you alone is easier to design than a biometric system that is supposed to identify unknown people. That is, the question "Is this the finger belonging to the owner of this iPhone?" is a much easier question for the system to answer than "Whose finger is this?"
There are two ways an authentication system can fail. It can mistakenly allow an unauthorized person access, or it can mistakenly deny access to an authorized person. In any consumer system, the second failure is far worse than the first. Yes, it can be problematic if an iPhone fingerprint system occasionally allows someone else access to your phone. But it's much worse if you can't reliably access your own phone -- you'd junk the system after a week.
If it's true that Apple's new iPhone will have biometric security, the designers have presumably erred on the side of ensuring that the user can always get in. Failures will be more common in cold weather, when your shriveled fingers just got out of the shower, and so on. But there will certainly still be the traditional PIN system to fall back on.
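The trade-off between the two failure modes described above, and the earlier point that "Is this the owner's finger?" is easier to answer than "Whose finger is this?", worked through as an added example that is not part of the original essay. The match scores are constructed, the function names are hypothetical, and the one-to-many formula assumes each comparison fails independently.

```python
"""Added illustration: constructed match scores, hypothetical function names."""

# Constructed similarity scores (0-100) from a hypothetical fingerprint matcher.
# GENUINE: the owner's own finger; the low values model cold or wet fingers.
GENUINE = [91, 88, 95, 62, 79, 85, 58, 93, 71, 89]
# IMPOSTOR: other people's fingers compared against the owner's template.
IMPOSTOR = [12, 30, 45, 22, 51, 38, 64, 27, 19, 41,
            33, 56, 8, 48, 25, 36, 60, 15, 43, 29]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate) when score >= threshold unlocks."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def convenience_threshold(max_frr):
    """Strictest threshold that still locks the owner out at most max_frr of the time.

    This is the consumer-device choice: bound the false rejects first,
    then accept whatever false-accept rate results.
    """
    return max(t for t in range(0, 101) if rates(t)[1] <= max_frr)


def security_threshold(max_far):
    """Most lenient threshold that lets a stranger in at most max_far of the time.

    This is the guarded-facility choice: bound the false accepts first
    and let the owner retry or fall back to another factor.
    """
    return min(t for t in range(0, 101) if rates(t)[0] <= max_far)


def identification_false_match(per_comparison_far, enrolled):
    """Chance that a 1:N search wrongly matches at least one enrolled template.

    Assumes independent comparisons. With enrolled == 1 this is plain 1:1
    verification, which is why the phone's question is the easy one.
    """
    return 1.0 - (1.0 - per_comparison_far) ** enrolled


if __name__ == "__main__":
    print("threshold   FAR    FRR")
    for t in (55, 58, 62, 65, 70):
        far, frr = rates(t)
        print(f"{t:9d}  {far:.2f}   {frr:.2f}")

    t_conv = convenience_threshold(0.0)
    t_sec = security_threshold(0.0)
    print(f"owner never rejected  -> threshold {t_conv}, rates {rates(t_conv)}")
    print(f"stranger never admitted -> threshold {t_sec}, rates {rates(t_sec)}")

    far = rates(t_conv)[0]
    for n in (1, 10, 50):
        p = identification_false_match(far, n)
        print(f"1:{n:<3d} search, false match probability {p:.3f}")
```

With this sample, no single threshold drives both error rates to zero, and the same per-comparison error that is tolerable for one enrolled owner becomes a near-certain false match across a gallery of 50.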
So...can biometric authentication be hacked?
Almost certainly. I'm sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability -- or maybe just a good enough printer -- can authenticate his way into your iPhone. But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about.
The final problem with biometric systems is the database. If the system is centralized, there will be a large database of biometric information that's vulnerable to hacking. A system by Apple will almost certainly be local -- you authenticate yourself to the phone, not to any network -- so there's no requirement for a centralized fingerprint database.
Apple's move is likely to bring fingerprint readers into the mainstream. But all applications are not equal. It's fine if your fingers unlock your phone. It's a different matter entirely if your fingerprint is used to authenticate your iCloud account. The centralized database required for that application would create an enormous security risk.
This essay previously appeared on Wired.com.
EDITED TO ADD: The new iPhone does have a fingerprint reader.
Posted on September 11, 2013 at 6:43 AM
• 69 Comments
"A system by Apple will almost certainly be local -- you authenticate yourself to the phone, not to any network"
Until the NSA comes knocking. Instant database, and Apple can't tell anyone. Or perhaps there's just a backdoor built in that sends it directly to Utah.
fingerprint scanning is ok to secure an iPhone but dangerous for more expensive items...
"Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system"
Also seeing NSA has access to iCloud/iPhones anyway, it will now give them free access to the largest and most accurate biometric recognition database in the history of mankind by matching a phone to a person, their fingerprints, photos, data, calls, emails and messages.
Avoid like the plague. Avoid a closed source phone with highly likely backdoors. Avoid a phone with a front facing camera (which identifies exactly who is using it). Avoid one that captures your private fingerprints and other information.
Open source, privacy based with full encryption is the only way.
"But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about."
It's hard to imagine a situation when a bad guy has your iphone and does not have your fingerprints. Mine has them all over, and probably in good quality. Typing in a reasonably sized password is not so big a hassle.
Also, there is the role: It's not designed to replace a GOOD passphrase, and it's not even really intended for those who pin lock the phone.
It's really intended for the 50%+ of people who don't lock the phone at all! Having the phone locked is a pain, and a fingerprint reader should allow pin-lock level protection against most adversaries without the hassle.
Since a 4-digit PIN is brute-forceable in 20 minutes on the phone, a 4-digit PIN really provides very minor protection anyway against a determined adversary. Rather, it is intended for casual adversaries.
"So...can biometric authentication be hacked?"
There is no need to hack it as long as you can circumvent it.
And as long as the old PIN system is there as a fallback, it can be circumvented by the same means that are used to hack into PIN secured devices. (peeking over the shoulder, or the old fashioned rubber hose cryptanalysis)
It would be interesting if the fingerprint itself would be used to encrypt data, rather than only have the fingerprint unlock access to the encryption key, as this would remove the need to store the key on the device.
And no three-letter-agency can extract what is not there. On the other hand, as mentioned in the article, you leave your fingerprints everywhere you go...
Also, Apple is being very insistent that the fingerprints are kept in the local secure store on the phone. IF that is the case, and IF there isn't an unknown back door, the fingerprints really really don't leave the phone.
If the NSA wants your fingerprints, they just ask the DMV...
Since the announcement was yesterday (not "tomorrow") I'm guessing this was written a couple days ago and just published today. Any chance of a quick update w/r/t the ability to auth to the iCloud account (since that was reportedly one of the features announced)?
To respond to the comment about fear of severed fingers, I think I'd just hand over my PIN to any machete wielding criminal threatening to cut off my finger(s)! That tactic works whether the phone has a fingerprint reader or not.
My Samsung phone model is a cheap one and doesn't take Replicant, which sucks. It's gotten to the point where you simply cannot trust the communications device you're carrying. It has your location, it has a camera, it has a microphone, it has a list of your social contacts, your mail, your photos, your browsing and shopping habits. Because of the abusive data mining features of apps you can't be sure whether they're taking any of this or not. I simply keep as little as possible in it and turn it off, using it only when it's strictly necessary.
Why do you need centralised database to authenticate to iCloud? Can't you have a local secured password store with your iCloud credentials that is accessed with the fingerprint? Sort of like you have a master password protecting your password keychain in KeePass and other software. Yes, you would need to enter your password once, but you would not need to enter it every time you use your account to buy iTunes songs and AppStore applications.
I'm with you.
I would like to see a personal alternative to Apple's iCloud.
A simple to use cloud stored in a personal server or NAS at home with encrypted disks. Phone to cloud auth would be key based. Public or perhaps self generated ones and transfers encrypted.
As of now I do kind of this myself but it's a mix of VPN back home and file transfers of only a few items. It involves several apps and is not simple enough.
I would love to see a more complete solution for address book, notes, images and movie, stored PDFs etc.
I want away from cloud services in other countries with shady jurisdictions and government info tapping.
I want a secure and complete private cloud which I am in full control of.
Is there one?
I'm not sure the NSA cares about a physical fingerprint database, it's not like they're going to crime scenes and looking for physical evidence (the FBI on the other hand might be very interested). The NSA cares about what the physical fingerprint is protecting. Why coerce Apple into building, maintaining and providing access to a database when instead they can coerce them into providing a back door they can use at will without involving Apple once implemented? The Feds can pretty easily compel fingerprints already, all 10, not just the one you choose to put in the phone. Question is can they reverse compelled fingerprints back to something to unlock your phone, and is that legal (not that they care about legality).
Additionally, I'm assuming Apple isn't storing biometric data (even on a phone, instead of in a database) in a way that can be reversed to an identifiable fingerprint. Instead I assume they one way hash the fingerprint data (hopefully with something slow like PBKDF2, bcrypt or scrypt) and store that. For the Apple ID, I assume the password is stored in the iOS keychain and the fingerprint hash is used to decrypt that, the password then sent in the same manner as the typed password.
I'm curious about claims of fingerprint scanning reducing claims of deniability/anonymity. Fingerprint systems provide a much higher guarantee of identity than a password.
I enabled face recognition unlocking on my phone for a while but gave up because it was simply too unreliable. It's great when it works and annoying when it doesn't and it was a fail rate of about 15% of the time. It's this lack of predictable behaviour which kills the feature.
I doubt a fingerprint scanner to be much better. We use one to clock on at work and it fails about 1 time in 10.
I guess it would be even worse if it succeeds when it shouldn't.
I could imagine that authenticating to the iCloud will work in a way where the correct fingerprint sends the stored password?
But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about.
If some bad guy has your iPhone, then he already has your fingerprint.
@Nicholas, breaking an old fashioned PIN is not a 20 minute brute force task. The third time you enter the PIN incorrectly, it asks for a PUK. 10 wrong attempts on the PUK, and the SIM is toast for good - and when your phone settings are like they should be, your phone is erased too.
that was also one of my first thoughts -- some not-so-sophisticated criminal going after your phone and your index finger
I guess, that a finger print ID could decrease the value of a stolen phone on the black market, but maybe could also escalate the violence in a robbery.
Also, Apple is being very insistent that the fingerprints are kept in the local secure store on the phone.
Hmm I wonder just how secure that local store is, usually people design the security to prevent data being read out not written in or overwritten.
If the memory can be overwritten it opens up the possibility of putting somebody else's fingerprint data in, which might in turn allow more than basic access...
As normal what we need is more technical details than an "out of space" marketing view point for the fanbois.
A centralized DB for iCloud auth based on fingerprints could be hashed (using slow password hashes) fingerprint templates (not entire images)... although not sure if matching an input template that is password-hashed can allow for confidence-level calculations of features. Certainly could do a threshold calculation where some subset of hashed feature/locations would have to be present in the input as compared to the reference. Someone must have solved this problem and I'm just sitting here babbling.
Just as I'd thought an initial paper in 2007 about using slow symmetric hash functions on features within a template and then performing matching in hash space:
Sergey Tulyakov, Faisal Farooq, Praveer Mansukhani, & Venu Govindaraju. (2007). Symmetric hash functions for secure fingerprint biometric systems. Pattern Recognition Letters, 28(16), 2427–2436. Retrieved from http://www.researchgate.net/publication/...
As much as I'm apprehensive of the TouchId, I don't understand the reaction of people from US talking about the NSA getting access to their fingerprints. Don't the US citizens already give nice and clean fingerprints to the govt when they get an SSN. (And passport too, I think?)
Also, visitors to the US give nice clean fingerprints to the US Govt at the immigration.
So what backdoor are you exactly worried about?
This sounds like the gimmick IBM offered on its T60 laptops.
As biometrics go it's not very secure - perhaps a front-facing camera with an appropriate lens could do a retina scan as they do at airports now?
ST, I find all this attachment to personal communicators bewildering. I carried a mobile for 10 years until I realised that it was more of an intrusion than a convenience. I have a mobile - basic, pay as you go, bought with cash - which I carry (turned off - much to the chagrin of people who expect me to be instantly available) only for emergencies.
The social expectation that people should carry "trackers" like these is becoming so entrenched that it's a form of peer-pressure. Those who don't carry are considered "odd". A psychology that the marketers have doubtless embraced.
I want a secure and complete private cloud which I am in full control of. Is there one?
Yes, but it's different. The regulars all do the same thing, the only difference being whether you have the keys or they do. That translates to who gets blamed when your stuff gets hacked. There are advantages and disadvantages of both. But, yes there is a different solution, and it's cool, but it's different, and sadly no one wants different.
It's really intended for the 50%+ of people who don't lock the phone at all!
If a phone manufacturer wants me to lock my phone, they need to provide a way that I can lock it and disable or remove the "Emergency Call" button.
The only reason I don't lock my (stock, currently not reflashable) Android phone is that if I do lock it, it will eventually dial 911 while in my pocket. This is not theoretical - it has done so before.
Fingerprints are not a proven unique identifier. Often, partial prints are enough to get you convicted by a jury. So basically, any time there's a crime and your prints come up as a partial match on the computer, you have to prove you're innocent. Good luck with that. It's a lot harder than it sounds!
We leave fingerprints everywhere. Like all over our phones. Security wise, I've seen better ideas.
Fingerprints are trivially captured from items we touch every day. They are equally trivially reproduced. Let me see your fingerprints for a minute to xerox them, and $8 at Radio Shack for a circuit board photo etch kit, and I can forge your prints anywhere, anytime, sufficient to fool any existing security device. Heartbeat, blood flow, electrical conductivity, temperature, you name it! I can commit murder and leave your prints at the scene in the victim's blood. It's scary. Why would you willingly put your prints into a database?
It's also troubling how folks are actively prevented from proving fingerprints are unique. You're not allowed access to the fingerprint databases if you want to test that hypothesis. At the very least, we would expect some duplicates through the birthday paradox.
As far as I know, and I have several kids, the SSN only requires footprints, not fingerprints. Perhaps they've changed it recently...
I know I just found out I need to submit my fingerprints, and pay a fee, to run a lunchtime computer club at my kid's school. Utter joke security. Trivial to fake and bypass. But somebody somewhere is building a database. Guess what I'm not doing now. I'll teach my kids at home. Their classmates will lose out.
Q: Is there a one-way function that can be used for biometric data from fingers to protect the database from leaking to unauthorized attackers, and still enable the correct validation/invalidation of the user? This seems to be an interesting question in the light of recent events! Maybe this Q has obvious answer, but I am new to this and if so, I did not use the right search keywords.
@Bruce, 1e6 thanks for all your efforts!
There was a great Myth Busters episode where they (supposedly) fooled even the (supposedly) high-end fingerprint scanners. Those that checked temperature and pulse etc.
I won't spoil what methods worked for them but they tried latex and photocopies....
It may not be the usual academic research but still, go watch!
@Joe Hall, Oops. missed that! That was what I was looking for!
My biggest issue with biometric "keys" is that they're always exposed and can't be changed. With modern cameras, it's easy to get a good high-quality picture of the human eye from quite a distance. We leave our fingerprints everywhere. So if those get compromised, how are we to secure the system from there?
Laser Surface Authentication -
Just want you security people to ponder about this physical tech, which I think is pretty cool. It is not biometrics but more like "objectometrics". There are many interesting applications, just one could be unforgeable dollar bills, or if you had an LSA scanner in your computer, you could make a key out of almost any object.
The PIN lock on the iPhone is not the SIM lock, but a lock on the phone's logic. It is brute forceable at about 1 try/s with a cable connection, no limit.
@Winter - those aren't on PCs, just server motherboards.
Hmmm.... Anybody know where I can get an armed Marine?
If that catches on, that is the end of burner phones and anonymity.
But who needs anonymity and secrets if you aren't doing anything wrong...
(assuming that the phone companies have to provide fingerprints with their court-required metadata dumps to the NSA)
Solid Post Bruce! Interesting points and I do agree that there exists the possibility for security holes with this new biometric system on the iPhone. I also think, that for the average person, this won't be an issue. For the average person, just setting up some type of security, whether it be a pin for a fingerprint, is going to go a long way. I could see someone with very important info on their phone being slightly worried though.
@ Nicholas Weaver
"If the NSA wants your fingerprints, they just ask the DMV..."
Yeah, but can the DMV tell the NSA exactly which phone to track?
And what about false positives? How unique is the finger-print data that's used? 99.9% accuracy might be good enough as an access condition, but what if your finger print looks almost like Mr. Snowden's?
What about privacy issues? What are the possible (worst-case-scenario) consequences of letting an IT company have your fingerprints?
(My own screen name differentiates me, explains that I am neither cryptographer nor code monkey, while explaining my interest in security).
"I'm not sure the NSA cares about a physical fingerprint database, it's not like they're going to crime scenes and looking for physical evidence (the FBI on the other hand might be very interested)."
From Der Spiegel, August 26, 2013 (Laura Poitras is one author, she is a Snowden document handler) "According to this document, the diplomats were asked to gather numbers for phones, mobiles, pagers and fax machines. They were called on to amass phone and email directories, credit card and frequent-flier customer numbers, duty rosters, passwords and even biometric data." (emphasis added). http://www.spiegel.de/international/world/...
If biometrics are used to secure data, the NSA has an interest. Additionally, the NSA does not exist in a vacuum. It is supposed to share its "product" (after suitable cleaning to disguise the source) with not only other intelligence agencies, but also relevant "customers" (i.e. State, Treasury). The fingerprint of a certain Mr. or Ms. "Vowel - Overflow" might be a valuable trading card for the NSA. Fingerprints are used in traditional espionage investigations to determine, for instance, who has handled a document.
I believe the NSA has already demonstrated a clear hoarding pathology.
Just one question that comes to mind: what about self incrimination ? We all heard about the issues on coercing someone to relinquish a password - I don't think the case has been yet fully decided. But what about refusing to put your finger on the reader ? Is that something you can legally refuse ? What about (physically) forcing you to do it ? Any (legal) opinions !?
One way to implement such is taking the sensor and interweaving it with a Physical Unclonable Function (PUF) or a controlled PUF. A PUF has the same properties as a random secure hash function. In addition, it has unclonable properties that protect against invasive attacks (i.e. scraping off layers of the CPU in order to detect its workings). The intrinsic properties of a PUF can be used for secure key storage as well as secure channel setup, which make it ideal for such a fingerprint scanner.
"It's really intended for the 50%+ of people who don't lock the phone at all!"
And for the people who, when asked to reauthenticate for things like iTunes purchases, consider it such a pain that they systematically weaken their passwords in order to avoid repeated failures.
One might consider that they get what they deserve, but strong password auth in mobile contexts is a problem, especially for people who don't have password experience in desktop/laptop computing. Touchscreens and software keyboards aren't amenable to complex passwords, and don't provide the feedback of physical keyboards.
This isn't to downplay the issues of using fingerprints for account services on top of simple unlocking, even if it's mediated by the Keychain API, but to contextualize the existing baseline.
@Marcus • September 11, 2013 12:31 PM
"@Winter - those aren't on PCs, just server motherboards."
The question was about building/enlisting secure private cloud. I assume he will want to use servers for that cloud, not PCs.
"if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about."
Wouldn't your fingerprints be right on the phone itself? Prints can be lifted, replicated, etc. The average iphone thief is just after the hardware, and may take advantage of any creds he can get his hands on. But if somebody is after your iphone data, then yes, your fingerprints are all on it.
The security its a essentials problem in the new gadgets, but the design and the image..thats moving the MKT engine...
I think so that, the iphone is a new history with bad men, bad engineers, good designs, with new ideas....no matter whos, no matter when, no matter where.....
and its a good article.
The problem with Biometrics is that it solves the wrong problem. Authentication "Who you are" isn't the concern, it's authorization "what you can do". You can solve who you are with a human (guard, security officer...), it works exceptionally well everywhere except Hollywood movies.
I see Apple's move in a different light. It really isn't about securing phones but about the security-corporation complex conditioning people to accept biometrics as a "normal" part of life, in the same way that fingerprinting kids did to parents. If some phones are secured as a by-product that is a nice secondary effect.
@ Tom, Marcus and Winter
Thanks guys. I'll look into those links and systems.
@ P R White,
Hmmm.... Anybody know where I can get an armed Marine?
Err no, but if you want to take a chance on it, I can do you a good deal on a One Armed Bandit.
PUF's are just today's version of magic-pixie-dust, truth is PUF's only exist in the minds of those people lacking the technical skills to reveal a PUF's secrets.
If you really want to understand what I'm saying then abandon the futile search for better PUF's and become a real world expert on high tech failure analysis. Once you've skilled up in this area come back and address the original PUF concept.
Damn this English language -
The iPhone "fingerprint" is almost certainly not a "fingerprint". The iPhone has a sensor and software that compares "sensor stuff" against "registered sensor stuff" and authenticates if they are "sufficiently similar". A "fingerprint" is a latent image or inked image of the ridge pattern on a human finger which can be compared for similarity by a forensic expert. There is absolutely no reason to believe that the biometric sensor stores a ridge pattern or that it stores anything that could be recognised by a forensic expert. Also, DNA is not the same as "forensic DNA". DNA is a (very likely to be unique to an individual), enormously complex molecule. "forensic DNA" is a sequenced set of the lengths of a few pieces of DNA that has unknown uniqueness properties (and that is ignoring possibilities of contamination, processing error ...)
To create an analogy regarding my previous DNA statement. "Forensic DNA" is a standardised hash of "Real DNA" with unknown collision statistics.
It is asserted to be true that for individual i that
forensicDNA(DNA(i,t1)) = forensicDNA(DNA(i,t2)) where t1 and t2 are separate instances of time in the lifetime of individual i. DNA is the function of taking a DNA sample from individual i and forensicDNA is the function of making the DNA fingerprint/hash of a DNA sample.
It is asserted to be true that for (distinct) individuals i and j that the probability of
forensicDNA(DNA(j)) = forensicDNA(DNA(i)) is infinitesimally small. ie that it is "legally safe" to take
forensicDNA(DNA(i)) = forensicDNA(DNA(j)) if and only if i = j
Fingerprint readers can indeed be useful at the convenience end of the access control spectrum.
On a phone, fingerprints can be very useful for selective access control. Given "locked screen" state:
- Left middle finger / "Salute to authority": Immediately shuts down device (and good luck with the LUKS key).
- Right index finger / "Nothing to see here, officer": Unlocks vanilla applications only.
- Right middle finger / "Salute to authority with cherry on top": Same as "nothing to see here", but also sets up video+audio stream to ACLU servers.
- Left pinky, if applied during secret time window after screen activation / "Dr Evil mode": Unlocks all apps.
Of course none of that works in the context of a lawless government that sponsors wire fraud against phone OS users.
Regarding the "me button" on the Apple iPhone 5s:
-- Every iPhone 5s phone will be effectively tied to a real person in an almost incontrovertible manner, provided the real person has submitted his/her prints anywhere/anytime in the past. This means every website, every email message, every app used, every password entered, every text, every picture, etc.
-- It would be incredibly simple for Apple to watermark all the digital images produced by an iPhone with a concise, perhaps undetectable, electronic representation of the current user's fingerprint, so if you take a picture and send it to someone, it will be easy to track it back to you.
-- Technically every single action that you take on your phone will be tied to you, by fingerprint. There will be a "logon" record of a print, various user actions, and then a "logoff" record of a print. Dependent on what the user does, there will also be some set of additional print records captured as the user presses the home button during the course of normal phone usage.
-- As this usage data is "moment in time", it allows reasonably non-noisy tracking who is using the phone at any given moment, quite helpful for gathering data on families, extended families, friends, significant others, and, of course, black market networks. For the most part, it will be quite easy to tell who did what on the phone.
-- It would be relatively easy to make a device that takes as input the giant database of existing captured prints and then gives a fingerprint scanner the representative electrical signals. In practice, it probably wouldn't work 100%, as they would have to make some guesses about the electrical properties of a wide variety of fingers, but it would give law enforcement a quick way of unlocking many things secured with a modern fingerprint lock, such as the new Apple phone. If there is a proliferation of similar fingerprint locks, say across multiple electronic devices, then all it takes is one "key" to open all the locks.
-- Of course, it is even more likely that the iPhone 5s has a "master print" built into the chip that unlocks any device. Given the various news articles recently, this wouldn't be surprising in the least. All one would need is an e-finger that emits the proper "master print" unlock signal. This doesn't even have to be anything like a finger, just something that can adequately send signals to the Authentec sensor.
-- The likelihood of Apple collecting all the biometric data from the millions of "me buttons"... and not sharing it with the NSA and others... is precisely zero. With all that has been revealed about the NSA-Apple partnership, it is clear that the NSA is calling the shots and will have access to all the "me button" data. It would be virtually impossible for anyone to detect whether or not this data had been shared, so there is little to no downside of collecting it to Apple and all sorts of potential upsides for Apple, the NSA and others.
On the whole, the "me button" seems like a small gain in casual security, i.e. temporary and mostly meaningless safety, but at the price of a large loss in liberty, i.e. the ability for me to be secure in my possessions and my communications.
What are the chances that the iphone owner's prints are on his own phone ?
To me it looks the same as putting the key under the rug in front of the door it opens.
My question is short.
I have a few trusted friends whom I have told my PIN code to my phone. It's useful. If I'm busy, I may see a reply and hand my phone to them and say "could you just reply for me please" and dictate to them as I do something tricky for them with two hands myself. My dad does it if he's driving - I'll answer his phone and I know his passcode. Adding individual fingerprints to the database is a fucking hassle. I'm not adding mine, my dad's, my best friends, etc etc etc. What do I do now?
Japan introduced fingerprinting of foreigners on entry to the country after 9/11 as an "anti-terror" measure (Apparently all terrorists are foreigners, or all foreigners are terrorists, or something). In practice, it is more often seen as an anti-immigration measure. It hasn't proved 100% effective:
'Fake fingerprint' Chinese woman fools Japan controls (BBC News).
I'd be wary of any security system where the weakest link is a body part. I wonder how long it will take before we see the first "thieves cut off iphone user's finger" story?
"It's a different matter entirely if your fingerprint is used to authenticate your iCloud account. The centralized database required for that application would create an enormous security risk."
Indeed. For fingerprints to become acceptable as online authentication credentials, fingerprint templates need to be cancelable and irreversible. Without that, online storage of fingerprint templates is a terrible idea.
When will the first drunk/sleeping fingerprint-login face rape occur?
When will the first instance of US Customs forcing someone to press their thumb against the reader to get into the phone?
Will you be able to refuse to give your thumb to the police?
There are so many questions that need to be answered about the feature.
NSA must be salivating, they will potentially have every iPhone user's fingerprint on file.
I totally disagree with Bruce in this point. I consider the fingerprint reader as the perfect tool for the NSA. This misuse of technology is implemented to every technology and the NSA will use every effort to take advantage of this unacceptable feature of the new iPhone. For those who speak German - I have written my very different opinion on this technology in a blog post: http://pretioso-blog.com/...
The only notable benefit to fingerprint verification is that it increases credibility of the person (like online shopping).
In fact, it weakens anonymity/privacy and security. Imagine being asleep/drunk or your adversary simply force-pull your finger.
Then, there is a nasty possibility of your fingerprint record being gathered by rogue spy or hacker. One can never have a peaceful mind with such feature.
As the Chaos Computer Club people who just announced hacking the iPhone scanner point out:
"iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands."
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.