Apple made a big deal out of its new Touch ID fingerprint sensor in the iPhone 5s unveiling. Hackers with lots of time on their hands made an even bigger deal out of demonstrating that the fingerprint authentication could be tricked. Even if it can be hacked, though, the Touch ID fingerprint authentication is still a huge benefit for iPhone 5s security.
I already wrote a post yesterday outlining why the Touch ID hack is irrelevant and silly. The hackers claim it’s a simple hack that can be done with common household materials, but few—if any—homes I know of are stocked with a camera capable of taking a 2400dpi photo, or a printer that cranks out 1200dpi images at a thick toner setting, or happen to have some spare latex milk laying around.
Why is a hackable biometric authentication method a huge benefit for iPhone 5s security then? Simple. It’s better than nothing.
The relative strengths and weaknesses of Touch ID itself aside, it mainly serves to augment the passcode and simplify authentication. But the primary value of Touch ID from a consumer standpoint is that many consumers are too lazy or apathetic to enter a passcode, but enabling Touch ID requires also setting up a passcode. Some security is better than no security at all, and Touch ID gives people incentive to use some security.
Many of the comments I got in response to my previous post miss the point that we’re not comparing fingerprint authentication to passcode authentication—we’re comparing some authentication to no authentication at all. Some of the responses were just tinfoil conspiracy theories about jealous girlfriend’s surreptitiously logging in to your iPhone using your finger while you’re sleeping, or concerns that Apple is collecting and maintaining a massive database of complete fingerprint images.
I don’t know about scary girlfriends. If that’s a concern, I think you need to examine your relationship, not your smartphone authentication. I can say with relative confidence that Apple isn’t cataloging identities and capturing fingerprints, so you can take off the tinfoil hat.
In all fairness, though, enabling Touch ID may not make sense from a business perspective. The fact is that company policy should already mandate the use of a passcode, and smart companies will enforce the use of more complex passcodes rather than relying on a 4-digit numeric PIN.
Now, if Apple starts letting Touch ID be used as a second method of authentication in addition to the passcode, then it becomes valuable from a business security perspective as well. A passcode may be guessed or cracked. A fingerprint can be faked with enough effort. But, if accessing crucial data required both, it would make it very, very difficult for any attacker to compromise.