This weekend's decisive defeat of Touch ID is the most poignant reminder yet of the significant limitations of using fingerprints, iris scans, and other physical characteristics to prove our identities to computing devices. As previously reported, a team of German hackers who have long criticized biometrics-based authentication bypassed the new iPhone feature less than 48 hours after its debut.
Many security researchers and writers, yours truly included, predicted that the high-definition scanner included in the iPhone 5S wouldn't be fooled by attacks that use scanned fingerprint smudges to impersonate an already enrolled thumb or finger. It's now clear we were wrong. Hacker Starbug overcame the purported ability of Touch ID to read prints at a sub-epidermal level by using a slightly higher-resolution camera to generate a cloned fingerprint. The availability of a laser printer also seemed to help.
Some critics have dismissed the technique as too difficult for the average hacker. Others have argued that the hack has little significance in the real world. They cite Apple talking points that the protection of Touch ID represents a significant improvement over what many people have now, since a large percentage of iPhone users currently use no PIN at all to lock their phones. There's some merit in this second argument, since any protection, no matter how flawed, is better than none at all. But as Rob Graham, CEO of penetration testing firm Errata Security, makes clear, Starbug's technique is easy for many people to carry out.