Posted by: David Harley | September 18, 2013

iPhone 5s: can’t quite put my finger on it…

…basically because I don’t currently own any iPhone, not because I don’t like the look of them but because I’m not very cellphone-oriented and I can get its other functionality on lots of other gadgets. So I won’t be reviewing the fingerprint reader technology any time soon. There are, of course, already reviews of the 5c and 5s out there: Richi Jennings rounded some up for Computer World’s IT Blogwatch.

However, speculation about the implications of the fingerprint scanning on the 5s is more – well, speculative… For Internet Evolution, Kim Davies wonders whether in future, instead of just stealing your iPhone, Bad People will take your finger and possibly an arm or two as well. For Wired, Marcia Hofmann suggests that Apple’s Fingerprint ID May Mean You Can’t ‘Take the Fifth’. Apparently:

Some even argue that Apple’s move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers).

I’m not a fan of static passcodes, but I think that’s a little premature. I have seen it suggested that two-factor authentication is declining in usefulness, but I can’t see it being replaced by single-factor biometric technologies: if anything, the trend is towards more multi-factor, as it should be. 100% solutions rarely maintain a record of 100% protection. Still, Hofmann’s thoughts on the implications for US readers as regards the Fifth Amendment are interesting. The article also suggests:

Here’s an easy fix: give users the option to unlock their phones with a fingerprint plus something the user knows.

As I say, I’m not in a position to examine a 5s, but I’d be surprised if that weren’t already an option. As passcode technology goes, the iOS version is – potentially – fairly effective, since it can be limited in the number of authentication attempts it allows (leaving aside PIN bypass bugs and assuming you don’t use an idiotically simple PIN selection strategy). And assuming that Apple doesn’t – or hasn’t – weakened its own security in order to prioritize user convenience.

When ESET commented in its blog on the likelihood of a fingerprint-scanning phone, someone did remark that Mythbusters had proved that ‘fingerprint scanners can be bested with a wet piece of paper’. I don’t think I’ve ever seen that programme, let alone that episode, but the Wikipedia entry for that episode – is there anything that isn’t recorded on Wikipedia??? – indicates that only one fingerprint scanner was tested, and that “the door-scanner ended up being fooled much easier than the low-tech fingerprint scanner on Jamie’s laptop”…

David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow
