Image of the glider from the Game of Life by John Conway
Skip to content

Identification Versus Authentication

Recently, Apple announced and released the iPhone 5S. Part of the hardware specifications on the phone is a new fingerprint scanner, coupled with their TouchID software. Immediately upon the announcement, I wondered how they would utilize the fingerprint. It is unfortunate, but not surprising, that they are using your fingerprint incorrectly.

To understand how, we first need to understand the difference between "identification" and "authentication". Your fingerprint should be used as an identifying token, and not an authenticating one. Unfortunately, most fingerprint scanner vendors don't follow this advice. In other words, when you scan your fingerprint, the software should identify you from a list of users. After identifying who you are, you then provide the token to authenticate that you are indeed the correct person. This is generally how usernames and passwords work. You provide a username to the login form to claim that you are indeed the correct person. Then you provide a password or some other token to prove that is the case. Your figerprint should be used as the identifying token, such as a username in a login form, rather than as the authenicating token, such as a password.

Why? Here's some concerns with using fingerprints as authentication tokens:

  • Fingerprints can't be changed easily. Once someone has compromised your account by lifting your print off of a surface, you can't just "change your fingerprint".
  • Fingerprints are easy low-hanging fruit for Big Brother. If faced in a situation where you must turn over your authentication tokens, it's much easier for Big Brother to get your fingerprint, than it is to get a long password.
  • Lifting fingerprints is easily hacked. They provide very little security. Further, your fingerprints are everywhere, especially on your phone. If you lost your iPhone 5S, or it's stolen, the bad guys now have your fingerprints.

To illustrate how easy that last bullet point is, the Chaos Computer Club posted a YouTube video on breaking the TouchID software with little difficulty. And they're hardly the first. Over, and over, and over again, fingerprint scanners are quickly broken. While the tech is certainly cool, it's hardly secure.

While I like to throw jabs and punches an Apple, Inc., I expected much more from them. This seems like such a n00b mistake, it's almost hard to take seriously. A fingerprint scanner on a phone would make sense where multiple users could use the device, independent of each other, such as the release of Android 4.2, where multiuser support was added. Scanning your finger would identify you to the device, and present a password, pattern or PIN entry dialog, asking you to authenticate. That's appropriate use of a fingerprint scanner.

{ 8 } Comments

  1. Svetlana Belkin | September 23, 2013 at 8:21 am | Permalink

    About your last point about expecting more from Apple. I think this where OpenSource and Ubuntu Touch can shine because it can improved into better secruity system of IDIng first via fingerprint scanner than a password or PIN as you said.

  2. Svetlana Belkin | September 23, 2013 at 8:29 am | Permalink

    (I think I may have misread that part about Android 4.2 though not all phones have a built-in fingerprint scanner)

  3. Joseph Scott | September 24, 2013 at 8:15 am | Permalink

    There are other angles to this. Reports have indicated that the vast majority of people use no passwords on their phone at all. So one question becomes, would using a finger print be worse than no password at all?

    Security options don't exist in a single vacuum situation, there are many levels and trade offs. On top of that it isn't even a one time thing, you might be ok with finger print scanning under normal situations but then switch to long passwords while traveling.

  4. Aaron Toponce | September 25, 2013 at 8:38 am | Permalink

    Is using a fingerprint scanner for authentication worse than no password at all? No. Does using a fingerprint for authentication provide any security over no password at all? No. Not to the determined at least. Having a fingerprint used for authentication isn't going to worsen the security of the phone. It just won't increase it either.

  5. Keith Zubot-Gephart | September 26, 2013 at 1:16 pm | Permalink

    Worth noting that Android 4.2 only introduces multiple users for phones. This appears to be because of a patent, sigh.

  6. Keith Zubot-Gephart | September 26, 2013 at 1:17 pm | Permalink

    Err, by phones I mean anything that's NOT phones, so mostly just tablets. Oops.

  7. Steve Barker | September 30, 2013 at 2:51 pm | Permalink

    On a practical level I'd hate to have to use a fingerprint to work my phone. It takes on average 5 attempt to read my fingerprint going into work each morning!

  8. Vincent Hamilton | September 30, 2013 at 5:45 pm | Permalink

    I think many would agree with you in terms of absolute security, even those who created it at Apple. However, much of engineering is about scope and I think TouchID is not attempting to improve absolute security. Rather, I believe the goal is to improve general security. For example, once the majority of the user base is using some sort of code (be it, a short PIN, a long passphrase and/or fingerprint) that also means that those devices are storing encrypted data (according to iOS' security policy). Also, once TouchID is available across the product line, there's no reason Apple couldn't offer other permutations of "fingerprint + X" for all-around increased security.

    The idea is that the more people use it, the more it becomes a part of the general system infrastructure. Said infrastructure can then be built upon. There's little reason to be disappointed in what Apple has released. If they did what you are proposing, I think that uptake would be minimal and therefore irrelevant. Passphrases as a device access barrier have been available in iOS for sometime now. It's a highly-personal computer though and having to enter a passphrase whenever you want to use it is not ideal.

    Look at the defaults that come on a TouchID setup: once enabled, the device requests authentication upon every sleep/wake cycle. Also, anytime the device is restarted, a short PIN or passphrase is requested, fingerprint alone is not sufficient.

    I would recommend a wait-and-see stance here. If the current state of affairs is not iterated upon over the coming quarters, then I encourage there to be an uproar created.

Post a Comment

Your email is never published nor shared.