Apple Touch ID: Do security advantages outweigh risks?

Tom Olzak examines the security pros and cons associated with Apple's fingerprint authentication technology on the new iPhone 5s.

Fingerprint scanning is a popular form of biometrics. It’s easy to implement and inexpensive compared to other forms of body feature scanning, and it is far better than voice recognition (Olzak, 2010). By itself, however, it is not a cure for weak passwords when protecting highly sensitive information. This is why Apple’s introduction of Touch ID with the iPhone 5s is both a good idea and just one layer of mobile device security.

Fingerprint biometrics

Biometrics-based access controls measure a physical feature or something produced by a human. For example, fingerprint characteristics are a measure of physical features; voice recognition or typing analysis are forms of biometrics created by human action.  

The fingerprint or other characteristics are not themselves stored. Rather, an algorithm converts characteristics to a numeric value, which is stored in a secure location. This happens when a user is registered with a biometrics solution. When the user presents his or her measured characteristic to a sensor for future access, the algorithm once again converts it to a value and compares the new value to the stored value. If they match, identity is verified and authentication is successful.

The process of using fingerprints for identity verification is open to forgery. For example, some scanners are fooled with fingerprints created with a printer or gelatin cast. The security of a sensor depends on the time and effort devoted to development, the algorithm used for characteristic-to-value conversion, and the balance between false positives and false negatives: the crossover error rate. Balance is either built into the system or managed by the user/administrator.
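To make the balance between false positives and false negatives concrete, the following added example (not from the original article, and not Apple's algorithm) sweeps an acceptance threshold over constructed match scores and locates the crossover error rate. The 0-100 score scale, the sample scores, and the function names are assumptions made for illustration.

```python
# Added example: constructed match scores, not measurements of any real sensor.
# Assumption: the matcher outputs a similarity score and the system accepts
# a presented finger when score >= threshold.

GENUINE = [91, 88, 84, 79, 76, 72, 68, 63, 55, 41]   # enrolled user's own finger
IMPOSTOR = [12, 18, 25, 31, 36, 44, 49, 58, 66, 74]  # other fingers or forgeries


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate) at one threshold."""
    if not genuine or not impostor:
        raise ValueError("both score lists must be non-empty")
    false_accepts = sum(1 for s in impostor if s >= threshold)  # false positives
    false_rejects = sum(1 for s in genuine if s < threshold)    # false negatives
    return false_accepts / len(impostor), false_rejects / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)):
    """Return (threshold, FAR, FRR) at the lowest threshold where the
    two error rates are closest: the crossover error rate."""
    def gap(t):
        far, frr = rates(t, genuine, impostor)
        return abs(far - frr)

    best = min(thresholds, key=gap)  # min() keeps the first of any ties
    far, frr = rates(best, genuine, impostor)
    return best, far, frr


if __name__ == "__main__":
    # A lenient, a balanced and a strict setting on the same sensor data.
    for t in (40, 59, 75):
        far, frr = rates(t)
        print(f"threshold={t:3d}  FAR={far:.0%}  FRR={frr:.0%}")
    print("crossover (threshold, FAR, FRR):", crossover())
```

Raising the threshold above the crossover point trades convenience for forgery resistance: fewer false accepts, more legitimate users rejected and sent to the fallback credential.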

Finally, sensors don’t always work as expected. Damaged or dirty sensor surfaces can be big issues. In addition, changes to fingerprint characteristics due to injury or other causes can cause biometrics solutions to deny a user access. Another challenge is the longevity of a fingerprint. While users can change passwords or PINs regularly, undamaged fingerprints remain the same forever.

Apple’s fingerprint sensor on the new iPhone 5s comes with all these challenges.

Touch ID

The new iPhone, to be released on September 20, has a fingerprint sensor built into the home button. (See Apple’s Touch ID YouTube video… please excuse the marketing hype.) In addition to enabling easy security with quick access, rumors abound as to whether this is a first step toward NFC implementation: something still missing from the 5s. But along with advantages of ease of use come all the challenges of single-factor biometrics authentication, including forgery, false negatives, and employee mistrust of biometrics.

Apple does the right thing by storing the converted biometrics measurement in a secure location on the iPhone: the new A7 chip. It is never shared outside the phone. Although this is good news, it still doesn’t prevent fingerprint forgery. How well the iPhone handles forgeries is still unknown. However, I expect we’ll see how easy—or hard—forgery is as hackers aggressively go after this new opportunity.

Forgery defense is best mounted by using a second authentication factor (Olzak, 2010). For example, in addition to fingerprint verification, a password is used. Using two-factor authentication is not a viable solution for many organizations. However, when highly sensitive data is involved, it is the best protection. Two-factor authentication can decrease the probability of unwanted access to levels recommended by associated risk assessments (Olzak, 2012).

False negatives occur when the fingerprint verification process incorrectly rejects a registered print. Employee frustration runs high when access to a device is blocked due to technical failure. Blocked access to a phone will raise employee annoyance to new highs. Apple deals with this by requiring the creation of a PIN at the time of fingerprint registration that provides a workaround when biometrics fails.

Many users will resist using Touch ID. The myth persists that someone, especially the NSA or other government agency, will grab fingerprint data for nefarious purposes. If an iPhone vulnerability exists that allows theft of fingerprint values, it will be useful for bypassing the actual fingerprint. However, attacks of this nature usually require special technical resources. The advantages of Touch ID outweigh the risks. User education is an important part of implementation, including the fact that Apple encrypts the values before storing them in a secure location.

None of Apple’s Touch ID controls works well when an iPhone is physically in the hands of an attacker. Fingerprint biometrics combined with a password is no replacement for Internet-based device location and data destruction services, such as Apple’s Find My iPhone and McAfee’s Mobile Security. Nor does it replace automated policy enforcement (e.g., MobileIron and Good Technologies) that controls what users can do and store with their iPhones. Apple’s Touch ID does not supplant layered mobile security controls.

Takeaways

  • Touch ID provides the means to secure user iPhones while providing quick access.  Security controls supporting Apple’s fingerprint biometrics include fingerprint value encryption, requirement for a PIN during registration, and storage of Touch ID information in the A7 chip.
  • While Touch ID is an innovative step toward securing mobile devices, it suffers from the same vulnerabilities as other fingerprint identification solutions: forgery, sensor challenges, and user resistance.  
  • No single control is enough to protect sensitive data; this applies to all devices, including the iPhone.  In addition to remote destruction of data on lost or stolen devices, controlling what users can access, what they can do with the data accessed, and implementing multi-factor authentication where appropriate still remain important controls supporting any fingerprint biometrics implementation.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

4 comments
SeanPConrad

When you wrote "rumors abound as to whether this is a first step toward NFC implementation" I think you missed the mark. Apple is not going to do NFC. Ever. TouchID with Bluetooth 4.0 and Bluetooth Low Energy (BLE) are the final nails in NFC's coffin.

Read this: http://seekingalpha.com/article/1696142-apple-may-have-just-killed-nfc-and-revolutionized-another-major-industry-part-1

People will embrace TouchID for one simple reason - it's easier. When being secure is easier than even "Slide to unlock" people will embrace it. Fears are one thing, but as soon as people see how easy this is and how much time it will save them it will be embraced.

the_tech_mule

I think this all depends on what you're trying to protect. If the phone is simply holding contacts, minor personal information, game data etc., then single-factor authentication, whether it be a PIN, password, or fingerprint, is probably fine. If it's holding corporate data, health records (let's hope not), access to personal banking information, etc., then two-factor authentication is definitely preferred. 

I don't know if the new iPhone allows for both a fingerprint and a PIN/password to achieve two-factor authentication, but I hope that is the case. I think it would be a serious security limitation if it was just one or the other. The fact that the iPhone does include a fingerprint option and a PIN/password option is good.

It will be interesting to see where this takes us.

Tom Olzak

@SeanPConrad Possibly. But until Apple clearly states that it won't support NFC, we can't be sure. After all, Apple is fighting a battle against Samsung, a company that outsells Apple by a significant margin. It will be tough for Apple to displace NFC and force retailers to either support their version of RF checkouts, for example, or provide both services. This is a wait and see issue...

Tom Olzak

@the_tech_mule As the article states, Apple REQUIRES a PIN for a workaround in case Touch ID fails to authenticate the users.  However, you can configure the device to require both a passcode and Touch ID.