LOL So much for Apple's touch ID "security"


Red Storm

Lifer
Oct 2, 2005
14,233
234
106
The best way to protect the data on your phone is by NOT losing it in the first place. If someone has your phone and is trying to swipe fingerprints on your phone to get to your data you are already fucked. The additional downside is now Apple has your fingerprint and can give it to whoever they want, like law enforcement agencies.

I wholeheartedly agree with this. I don't even have a lock screen on my phone but I don't leave my phone laying around, heck I don't even drop it because I know it's an expensive piece of tech and should be treated as such.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
Hint: it's not the implementation, it's the TECHNOLOGY. Fingerprint ID technology, in a nutshell, sucks and is also unnecessary on a phone as it doesn't protect it better than a pincode (which has already been mentioned, can be set to wipe your phone after a few retries).
Like I said, you're free to stick with your ill-informed bias, based on experience from outdated implementations and old technology. The rest of us (including many skeptics like Anand) will likely adopt it and add it to our daily use.

And then we will demand it on competing products.

And as mentioned probably 100X already in this thread, the whole point of fingerprint authentication is NOT that it's more secure than a pincode, because it likely isn't. The point is that it's way, way more convenient. If you're arguing the former, you've completely missed the point, and judging by your posts, that seems to be the case.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
The hardware implementation is here, and done well. What you're talking about now is an evolutionary feature for iOS, and I too hope they will implement that for some 3rd party apps.

My point is that 2-factor auth using the fingerprint reader should have been there from day 1. Forget about integrating with 3rd party apps...that's a larger, more complex, problem than implementing 2-factor to only unlock the device, and 3rd party integration could have been the next "evolutionary feature".

Apple, and other big tech companies, have an incredible amount of influence on what the average person expects from a given technology. Without steering the general public towards using the fingerprint reader for 2-factor auth, Apple has helped to perpetuate the general public's notion that fingerprints are a good way to solve the "I can't remember all these different passwords" problem. You leave fingerprints on everything you touch, so your credentials are all over the place. You can't revoke your fingerprints and issue yourself new ones, so when they are compromised and replicated, they are completely useless for secure authentication. The methods that people have used to produce replica fingerprints to bypass TouchID have been known and publicized for at least 5 years. Apple, with their very large devoted-customer base, should have done the responsible thing and used TouchID as an opportunity to educate the general public on the downsides of single-factor fingerprint authentication, and the benefits of 2-factor.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
My point is that 2-factor auth using the fingerprint reader should have been there from day 1. Forget about integrating with 3rd party apps...that's a larger, more complex, problem than implementing 2-factor to only unlock the device, and 3rd party integration could have been the next "evolutionary feature".

Apple, and other big tech companies, have an incredible amount of influence on what the average person expects from a given technology. Without steering the general public towards using the fingerprint reader for 2-factor auth, Apple has helped to perpetuate the general public's notion that fingerprints are a good way to solve the "I can't remember all these different passwords" problem. You leave fingerprints on everything you touch, so your credentials are all over the place. You can't revoke your fingerprints and issue yourself new ones, so when they are compromised and replicated, they are completely useless for secure authentication. The methods that people have used to produce replica fingerprints to bypass TouchID have been known and publicized for at least 5 years. Apple, with their very large devoted-customer base, should have done the responsible thing and used TouchID as an opportunity to educate the general public on the downsides of single-factor fingerprint authentication, and the benefits of 2-factor.
Just about nobody would use 2-factor authentication for unlocking a phone. Requiring this would doom it to fail miserably.

The issue here was NOT about increasing security. The issue here was about making the unlock process less annoying. We who use passcodes must type in the passcode many times a day. Arguably, it's the thing some people do the most on their phones, ironically. This is to address that annoying problem of having to type in passcodes all the time.

That said I could see adding 2-factor authentication as an option, and I think that will happen sooner rather than later. However, while I could see them adding it for the lock screen as an option, I see that as less likely than 2-factor authentication for 3rd party apps.
 

PowerYoga

Diamond Member
Nov 6, 2001
4,603
0
0
Apple doesn't have "new" technology, they've put a fingerprint scanner on the phone and that's it. You're free to tell yourself it's different from all the other "outdated" technology when it's just a dressed up pig. A redundant well dressed up pig.

And you seem to be confusing something: I never said the iPhone didn't execute the concept well, I said the TECHNOLOGY of the fingerprint scanner itself is the problem. I've read Anand's review and I'm sure they did marvelously good jobs with their scanner. I've also preferred fingerprint scanners over my password at work, it's faster and I do prefer it over typing my 10 letter password, but it fails at times, and it will fail occasionally on the iPhone too. It also doesn't mean I want to put it on everything.

My argument is it's not necessary on a phone, because in my personal opinion, you don't really need a pincode or security on your phone to begin with unless you're incredibly careless. And with the fingerprint scanner less secure, what's the freggin point? The technology is a redundant security feature on a device that doesn't really need it.

If you lose your phone, you are fucked already, and I personally don't have a pincode or image swiper or anything on my phone because I'm not careless with it.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
I personally don't have a pincode or image swiper or anything on my phone because I'm not careless with it.
I hope you never get mugged. I also hope you are 7' tall and look like Arnie in his younger days so you will never get mugged.

Like I've suggested before, if you think this is always within your complete control, you are just hiding your head in the sand.
 

PowerYoga

Diamond Member
Nov 6, 2001
4,603
0
0
I hope you never get mugged. I also hope you are 7' tall and look like Arnie in his younger days so you will never get mugged.

Like I've suggested before, if you think this is always within your complete control, you are just hiding your head in the sand.

Here's a thought: If you're being mugged you shouldn't be worried about your fucking phone.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
Here's a thought: If you're being mugged you shouldn't be worried about your fucking phone.
If I'm being mugged, I'm probably going to be primarily worried about being mugged and whether or not I'm going to live.... but secondarily also my cash in my wallet, my drivers' licence, my credit cards, and yes, my phone.

If you claim you'd never worry at all about any of that secondary stuff, you're either probably lying to us or else lying to yourself.
 

PowerYoga

Diamond Member
Nov 6, 2001
4,603
0
0
If I'm being mugged, I'm probably going to be primarily worried about being mugged and whether or not I'm going to live.... but secondarily also my cash in my wallet, my drivers' licence, my credit cards, and yes, my phone.

So again, if your phone is out of your hands you are fucked with or without security. What part of "if you lose your phone you are fucked" are you not getting?
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Just about nobody would use 2-factor authentication for unlocking a phone. Requiring this would doom it to fail miserably.

The issue here was NOT about increasing security. The issue here was about making the unlock process less annoying. We who use passcodes must type in the passcode many times a day. Arguably, it's the thing some people do the most on their phones, ironically. This is to address that annoying problem of having to type in passcodes all the time.

That said I could see adding 2-factor authentication as an option, and I think that will happen sooner rather than later. However, while I could see them adding it for the lock screen as an option, I see that as less likely than 2-factor authentication for 3rd party apps.

You and I are just looking at this from completely different viewpoints. My career is in Information Security, and I saw Apple's TouchID as an opportunity for them to increase the security of their product. You, like the general public, just see it as a way of making it easier to unlock your phone without care for the decreased security that it creates.

They didn't need to require 2-factor auth, they just needed to make it an option.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
You and I are just looking at this from completely different viewpoints. My career is in Information Security, and I saw Apple's TouchID as an opportunity for them to increase the security of their product. You, like the general public, just see it as a way of making it easier to unlock your phone without care for the decreased security that it creates.
I deal with population based metrics all of the time. Having 80% using a slightly worse method is often much better overall than having 40% using a more robust method.

They didn't need to require 2-factor auth, they just needed to make it an option.
I agree.

So again, if your phone is out of your hands you are fucked with or without security. What part of "if you lose your phone you are fucked" are you not getting?
If they have my phone, I'd rather not have them looking through my daughter's pictures, making long distance calls, or futzing about with my personal data on the phone.

I mean, why do you think some people want that phone-wipe-after-10-wrong-passcodes feature anyway? Do you think it's just because it makes it more exciting when entering passcodes?
 

openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
You say potAYto, and I say potAhto.

I just see overstretched reasoning to claim TouchID as a "highly secure" feature, because it is not. It's not only gimmicky, it's redundant. I understand the love for a highly sought after brand, but why would anyone want to give away their fingerprint to any company?

I love Rolex, but I would never give them my fingerprint for anything.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
Maybe Apple marketed it as highly secure, but I would disagree with them then. But like I said, if you're still arguing that point in this thread, you've still completely missed the point of the arguments in this thread.
 

PowerYoga

Diamond Member
Nov 6, 2001
4,603
0
0
I mean, why do you think some people want that phone-wipe-after-10-wrong-passcodes feature anyway? Do you think it's just because it makes it more exciting when entering passcodes?

THANK YOU, which brings us back to the point of security all over again, as per my initial post. Understand the implementation of the technology might be great on the phone, but that doesn't make it any less redundant than the more secure pincode, or make the technology "newer" than the "outdated" ones currently out there. It's the lowest grade of "security" traded off for convenience on a device that doesn't need it.

Don't dress up the pig, and try not to lose your phone. This technology is not new nor revolutionary.
 

openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
errr, the point of this thread is:

drum roll please: LOL So much for Apple's touch ID "security"

It started with discussion regarding how secure TouchID is. Hackability, real life usefulness, and likely scenarios. After I wrap my brain around everyone's argument, I just see a gimmicky and redundant feature. Just my 0.02. I am all for James Bond style gadgets (Walther PPK with palm print activation anyone? Now that would be impressive and truly useful), but I just don't see it here. Trust me I would be very honest to give kudos like the efficiency of iOS, but I just don't see it here.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
THANK YOU, which brings us back to the point of security all over again, as per my initial post. Understand the implementation of the technology might be great on the phone, but that doesn't make it any less redundant than the more secure pincode, or make the technology "newer" than the "outdated" ones currently out there. It's the lowest grade of "security" traded off for convenience on a device that doesn't need it.
Just because a new method is offered to take the place of another method does not make it redundant.

If it adds a much higher level of convenience, then people will adopt over older less convenient methods, esp. if the level of efficacy is in the same ballpark.

try not to lose your phone.
Again, this advice is basically akin to hiding your head in the sand.

This technology is not new nor revolutionary.
No it isn't. Apple does invent a fair bit of stuff, but arguably their real forte is utilizing existing technology and actually making it work well for the end user.

The iPhone 5S is the only product I've ever seen that has a fingerprint scanner I'd actually want to use.
 

bearxor

Diamond Member
Jul 8, 2001
6,605
3
81
I have a question that might reinject some debate.

Has Touch ID really been hacked?

It's my understanding that the accepted hack was done by scanning a high resolution fingerprint of the enrolled individual, not by actually "lifting" a print.

I understand that the concept is the same as faking other fingerprint readers, but how often will a real data thief have access to a high resolution image of the print they're trying to fake?
 

PowerYoga

Diamond Member
Nov 6, 2001
4,603
0
0
Just because a new method is offered to take the place of another method does not make it redundant.

If it adds a much higher level of convenience, then people will adopt over older less convenient methods, esp. if the level of efficacy is in the same ballpark.


Again, this advice is basically akin to hiding your head in the sand.


No it isn't. Apple does invent a fair bit of stuff, but arguably their real forte is utilizing existing technology and actually making it work well for the end user.

The iPhone 5S is the only product I've ever seen that has a fingerprint scanner I'd actually want to use.

great, enjoy your fingerprint reader. Try not to lose your phone.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
I have a question that might reinject some debate.

Has Touch ID really been hacked?

It's my understanding that the accepted hack was done by scanning a high resolution fingerprint of the enrolled individual, not by actually "lifting" a print.

I understand that the concept is the same as faking other fingerprint readers, but how often will a real data thief have access to a high resolution image of the print they're trying to fake?
There was a second video. I didn't watch all the way through and didn't read a summary of their updated method, but it implied they managed to do it with a print directly (not a scanned finger) because they put the phone on the scanner directly. Even if they didn't, it definitely will be possible to do it this way. It's only logical someone will bypass it this way eventually. (However, assuming they did do it this way, I also assume they made it easy for themselves by ensuring a nice clean and complete print was there to use, which is usually not the case for thumb prints.)

However, the assessment from the security guy is that it's very hard to do. Not only do you have to really understand the technology and the methodology, even then you may or may not be successful, and thereby risk the phone going into passcode-only mode.

It's definitely something a casual thief would not pick up quickly just by reading a description of it at Gizmodo. It would take some serious trial and error, with the right equipment and supplies, although I'm sure some larger stolen phone rings would probably get enough of these to be able to have one of their guys learn how to do it more consistently.

Overall though, this is the point. It's a non-trivial task. It most definitely can be done, but it requires real work and real knowledge/experience to make it work. That is enough for me, given the convenience of TouchID.

In that context it provides a level of security much better than not using a passcode, but it is way more convenient than using a passcode. Apple has beautifully struck a balance here in their implementation, if Anand's and everyone else's reviews (as well as my assessment through the demo app) are to be believed.
 

dontl00katme

Member
Sep 20, 2013
25
0
61
The guy pulls a pristine fingerprint from a perfectly clean screen (at least it's what it looks like). I would like to know if it is possible to do the same on a screen full of overlapping fingerprints, dust... real usage.
 

openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
I don't think anyone is worried about having their fingerprint stolen from the home screen or a coffee cup. That story is the same with or without iPhone 5S. If they want your fingerprint, and you are important enough, they'll get it somehow, CSI style.

What concerns me more is the storage of this data. Where is the data going? Who has access to the fingerprint data? More importantly, why would I want to provide such data to a private company?
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
Apple claims the print never leaves the phone, that it isn't stored as a print image, and the data is encrypted and then stored in a walled area in the SoC dedicated for this purpose. Furthermore, if the phone is left unused for a long period of time, the data gets deleted, and you have to retrain the system.

The authentication system never releases the alphanumeric print data either. It just releases a yes/no answer as to whether or not the print was authenticated. So as designed, if a 3rd party app wants to use the fingerprint scanner, all it can ever know is whether the print is authenticated or not authenticated. It is prevented access to the actual underlying data.

Now what about hacking the system to gain access to the print? Possibly, either with local access or a 3rd party app that somehow exploits currently unknown vulnerabilities in iOS 7, but it would still have to reverse engineer the data storage methodology for the print and also would have to break the built-in encryption. To put it another way, this is extremely complicated.
 

openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
Complication does not guarantee security, however.

What happens when apps gain access to the info on a jailbroken iPhone?
How about imitation?

I can handle losing my phone and compromising my email/cloud data, but I don't know about losing my one and only fingerprint along with it.
 

MrX8503

Diamond Member
Oct 23, 2005
4,529
0
0
I don't think anyone is worried about having their fingerprint stolen from the home screen or a coffee cup. That story is the same with or without iPhone 5S. If they want your fingerprint, and you are important enough, they'll get it somehow, CSI style.

You're creating scenarios that don't exist. If you're that important you would have other security measures. This isn't a pass code for nuclear warheads. Lol.

Like I said, overblown.