After my previous blog post about the potential benefits and drawbacks that one may experience using Apple’s new Touch ID fingerprint technology, I thought it might be time to revisit the topic following some additional coverage and some time for the technology to get in the hands of the masses (myself included).


One of the best points I’ve read is that Touch ID, and biometrics more broadly, is better suited to the role of identification than authentication. Authentication, by contrast, is the process of validating the identity of whoever is requesting resources. In this role, the fingerprint or other biological qualifier establishes the identity of the requestor attempting to authenticate, and additional information is needed to prove or validate that identity. Usernames rarely change, but passwords should be updated periodically. Biometric qualities of a user should rarely, if ever, change, which sounds an awful lot like a username…


Authentication can be accomplished using one or more of four factors:

  • Something you know (a password)
  • Something you have (an electronic access card or token)
  • Something you are (typically biometric but can include a signature or photo)
  • Someone you know (a trusted third party verifies identity)

Multi-factor authentication (the most common variant being two-factor) is said to be more robust because it uses more than one of these factors to further verify identity. Looking at the list above, passwords can be changed, access cards and tokens can be reissued, and good standing with a third party can be reevaluated at any given time. Biometric qualities, however, rarely change, at least barring horrific accidents, deliberate mutilation, or other statistical outliers. Even so, they wouldn’t change more often than even the most lenient of password aging requirements, and… I have to admit, I did not consider that angle, and now it makes a lot of sense to me!

Practices

So, where does Touch ID lie within this process of authentication? Interestingly enough, I think it sits just where I last left you. Let me explain. First, we still don’t know whether the NSA, FBI, or Russian mobsters can acquire and misuse this data; I’d like to see more information on this. Second, does anyone you know log into their mobile device with a username? No? At best, it’s just a PIN for device-wide access? At worst, the device is unprotected at all times? Interesting, interesting.

So, my reasoning from my first blog stands, and I have additional support for said reasoning. To rehash what I said in my previous blog, increased usage of a device PIN rather than an unlocked device, increased usage of even more complex device passwords, and, as a bonus, more complex iTunes account passwords are all reasons to move to Touch ID (and, more generically, biometrics for similar applications). Additionally, after using the device myself, I have noticed that when Touch ID is activated, a device security improvement is mandatory: the device must lock “immediately”, and a delayed lock is no longer an option.
I have also seen research that device PINs can be reliably reconstructed using none other than the fingerprints left on the glass after entering the PIN, meaning there is still less exposure with a single fingerprint scan. Either way, I hope we receive additional clarification regarding Touch ID in the next month or so as Apple responds to lawmaker inquiries about it.
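To make the identification-versus-authentication distinction and the factor list above concrete, here is an added example (not code from the original post, and not anything Apple ships). It is a toy authenticator written for this article: a constructed 64-bit value stands in for a fingerprint template, a scan is matched fuzzily against all enrolled templates to select an account (the identification step, which behaves like a username lookup), and a salted, stretched PIN hash is then checked as the second factor (the knowledge factor, which behaves like a password). The `Authenticator` class, the threshold values and the sample templates and PINs are all assumptions made for the example; note that only the PIN has a rotation routine, because the template cannot be changed and, being matched within a tolerance, cannot be salted and hashed the way a password is.

```python
import hashlib
import hmac
import secrets

# Constructed example: a 64-bit integer stands in for a fingerprint feature vector.
TEMPLATE_BITS = 64
MATCH_THRESHOLD = 6      # max differing bits still treated as the same finger (toy value)
MAX_PIN_FAILURES = 5     # lockout after this many consecutive wrong PINs


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def perturb(template: int, bit_positions) -> int:
    """Flip the given bits, simulating sensor noise between two scans of one finger."""
    for pos in bit_positions:
        template ^= 1 << pos
    return template


class Authenticator:
    """Hypothetical two-factor flow: biometric identifies, PIN authenticates."""

    def __init__(self):
        self.accounts = {}   # username -> {"template", "salt", "pin_hash", "failures"}

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, username: str, template: int, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "template": template,   # kept as-is: fuzzy matching rules out salting and hashing it
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "failures": 0,
        }

    def identify(self, scan: int):
        """1:N search: which enrolled user does this scan resemble? Establishes identity only."""
        best, best_dist = None, TEMPLATE_BITS + 1
        for name, rec in self.accounts.items():
            d = hamming(scan, rec["template"])
            if d < best_dist:
                best, best_dist = name, d
        return best if best_dist <= MATCH_THRESHOLD else None

    def verify_pin(self, username: str, pin: str) -> bool:
        """1:1 check of the rotatable secret, constant-time compare, with lockout."""
        rec = self.accounts[username]
        if rec["failures"] >= MAX_PIN_FAILURES:
            return False
        ok = hmac.compare_digest(self._hash_pin(pin, rec["salt"]), rec["pin_hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok

    def authenticate(self, scan: int, pin: str):
        """The finger selects the account (like a username); the PIN proves it (like a password)."""
        username = self.identify(scan)
        if username is None:
            return None, "no enrolled finger matched"
        if not self.verify_pin(username, pin):
            return None, "second factor failed"
        return username, "ok"

    def rotate_pin(self, username: str, old_pin: str, new_pin: str) -> bool:
        """Only the knowledge factor can be rotated; there is deliberately no rotate_template()."""
        if not self.verify_pin(username, old_pin):
            return False
        rec = self.accounts[username]
        rec["salt"] = secrets.token_bytes(16)
        rec["pin_hash"] = self._hash_pin(new_pin, rec["salt"])
        return True


def demo():
    """Walk through enrollment, a noisy scan, a wrong PIN, a right PIN and a PIN rotation."""
    auth = Authenticator()
    alice_finger = 0x5A5A3C3CF0F00F0F   # constructed templates (bob's is alice's complement)
    bob_finger = 0xA5A5C3C30F0FF0F0
    auth.enroll("alice", alice_finger, "4821")
    auth.enroll("bob", bob_finger, "9137")

    noisy_scan = perturb(alice_finger, [3, 17, 40])   # same finger, slightly different reading
    return {
        "identified": auth.identify(noisy_scan),
        "wrong_pin": auth.authenticate(noisy_scan, "0000"),
        "right_pin": auth.authenticate(noisy_scan, "4821"),
        "rotated": auth.rotate_pin("alice", "4821", "7755"),
        "old_pin_after_rotate": auth.authenticate(noisy_scan, "4821"),
        "new_pin_after_rotate": auth.authenticate(noisy_scan, "7755"),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point the toy makes is the one the post draws: the scan alone never grants access, it only narrows the request to one account, and everything that can be revoked, rotated or rate-limited lives in the second factor.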

