On September the 10th, Apple unveiled the new iPhone 5S in its music-oriented September keynote presentation.
Just before the 1 hour mark Senior VP of Hardware Engineering Dan Riccio appeared in a promotion video and stated: “Your fingerprint is one of the best passwords in the world. It’s always with you and no two are exactly alike.”
Privacy is one of my chief concerns and passwords are my specialty. As much as I am a fan of Apple I have to call this statement erroneous at best. I’d like to explain why…
The most crucial hallmark of a solid authentication system is that it relies on a secret to verify your identity. This has always been true, even before the advent of computers. Fingerprints are not secrets. It’s literally that simple.
In case you weren’t already aware, you’re leaving your fingerprints everywhere you go. Pick up your iPhone right now. How many prints do you see on the screen? I can see four on mine, two of which are rather fresh.
Hating on Passwords
Yes, passwords are a pain.
Nobody will contest this. Not a week goes by without some enterprising startup promising to kill the password off once and for all. To much applause I might add. From single sign-on systems and biometrics to simple dongles that use physical possession to prove your identity, ALL have failed and the password has lived to see another day.
Obviously, since I am the developer of KEYBOX, a password and secret management app, you’d naturally think I was biased on the subject.
Quite the contrary, however. If somebody does come out with a non-password authentication system that is truly secure, works everywhere and with everything, doesn’t lock me into a single vendor, and cannot be lost or stolen, I will gladly stop development of KEYBOX and present a fistful of dollars to him/her.
It just hasn’t happened yet. Passwords, for all their faults, do make for excellent secrets.
So is Apple’s iPhone 5S the chosen one?
I’m afraid not.
It’s only been about one week since the iPhone 5S’s release and hackers have already bypassed its TouchID technology simply by lifting fingerprints. What was once the sole domain of James Bond and Maxwell Smart is no longer.
Granted, you have to be dedicated to lift prints off a glass surface. But if somebody steals your iPhone he has all the time in the world to try.
What concerns me most are all the unintended consequences of this technology. We’ve already seen images like the one above where a family member takes advantage of your sleeping to break into your iPhone. Yes, it’s meant to be comical but such cases are nonetheless real.
Consider the less comical scenario where a stop-and-frisk police officer grabs your hand and forces your thumb onto the iPhone 5S’s home button against your will to gain access to it.
Sound paranoid? In nations where forced confessions of innocent people occur why wouldn’t this happen too? Perhaps gaining access to your camera roll could expose embarrassing photos the police could then use to coerce and bribe you.
The possibilities are a bit frightening. In all my years in this industry I’ve learned one absolute truth: If technology makes something possible it will happen. We’re only one week into this technology so expect to see more developments as people gravitate towards it.
I’ll give Apple some credit here. It certainly managed to not repeat the Windows fingerprint reader debacle of last year, and by storing the fingerprint within a cordoned-off section of the CPU it is demonstrating that it does want to protect our security/privacy. Apple also made the wise decision not to expose this functionality to third-party app developers, some of whom cannot be trusted with it.
Now, let’s say Apple eventually augments/fixes its TouchID sensor technology to discern between real and fake thumbprints, and most iPhone 5S users adopt it. It still will not kill off the venerable password. It doesn’t change the fact that a fingerprint is not a secret.
At best, fingerprints will be a novelty used by people who just can’t be bothered to learn about real security. Of course, fingerprints combined with passwords offer more security but most people will quickly realize that fingerprint scans just slow us down if we’re still relying on passwords.
I’ve seen it all and I believe the past tells us the future of security. More than ever I’m confidently putting my money on passwords going on to see yet another day.