Following the usual hubbub and fervor surrounding an Apple product keynote, I expected there to be some reaction to the new Touch ID feature of the iPhone 5S- especially in light of recent privacy violations conducted by various governments and their agencies. I was surprised, however, to see some initial reactions from some of my security colleagues of many years to declare that a fingerprint scanner was a deal-breaker that might send them to Android.
Privacy
I will admit one thing: after a few seconds of initial excitement over the Touch ID feature of the soon-to-be-released iPhone 5S, I felt some of that security paranoia creep in:
- Do they store your fingerprint on the device?
- How do they store it?
- If an attacker gets that data, what can he or she do with it?
- Do they send it off the device?
- How do they store it wherever it ends up?
- Wherever it ends up, can the government troll through it at their leisure?
Apple addressed some of these points in the initial announcement keynote, but can 95% of the target market even verify those claims for themselves? Furthermore, what if any of those claims were subject to a classified disclaimer that Apple was under gag order not to reveal? Oh yes, my friends… the rabbit hole goes quite deep.
Preaching
After a bit of consideration, I realized that it’s really about secure practices- following them and furthering them and, to be honest, following my own advice! I currently use a 4-digit PIN on my iOS device (despite my recommendation for a complex password to others) directly as a result of following the best practice to set my device to lock immediately. Entering a complex password every time I want to open up my device can be seriously inconvenient- prone to error, slowing access, and frustrating. As always, security is a tradeoff with something else… in this case: usability. So, I have accepted the risk of using a relatively insecure 4-digit security PIN in order to lessen the impact on the devices’ availability to me. Knowledgeable attackers (whether government agents, corporate espionage professionals, or an alpha geek) can break into a device protected with a weak PIN rather quickly- but the pin still keeps out happenstance criminals, inebriated mischievous friends and colleagues, and my 5 year old son… so it’s better than nothing*. *Though if my 5 year old is anything like his older brother, that statement should be qualified with “for now” since he successfully socially engineered my wife’s device passcode from her in order to bypass the Kindle’s time limit restrictions and play more Angry Birds Star Wars.
Practices
So, how does Touch ID help improve practices? The idea is that by simply knowing that I will be using my passcode much less frequently- perhaps once per boot of the device, or if I have a Snickers in July and for some reason can’t authenticate using my fingers- I will set a desktop-class password on my mobile device. Setting aside paranoia may or may not decrease the security of my data or personal information, but this change in behavior (of a security professional no less) shows a clear furthering of actual security in practice. The same thing follows for the iTunes account password- I’m sure there are those out there that dread entering a complex password on a mobile device…or worse, an Apple TV where you must use the tiny remote. I’m hoping these users will follow suit. I already use a very complex password for my iTunes account since it is a password for a remote service and guards a credit card linked account, but I can imagine this as being another weak password for many mobile users out of convenience. And thus far, unlocking the phone and iTunes purchases are the only features optionally guarded by the Touch ID functionality. If the complexity of these two credentials is increased for a majority of iOS device users and iTunes account holders, and is the only benefit from the Touch ID that we see, I would say it’s worth it. I’m sure there are more uses and advantages in the works for Touch ID and we’ll re-evaluate this “risk assessment” when we reach that point. Most notably, several people have made an “about-face” on their initial reaction for one reason or another. Maybe I just presented a very logical argument- that conveniently tips the scale toward a shiny new upgrade… ;-)
Follow Mike on Twitter @SafelightCoop
Continue the Conversation @SafelightSec
