Fingerprints as passwords: New iPhone Touch ID gets mixed security verdict (Updated)

Of all the new features of Apple's new iPhone 5S, few have drawn more attention than the built-in fingerprint scanner known as Touch ID. Apple billed it as an "innovative way to simply and securely unlock your phone with just the touch of a finger." More breathless accounts were calling it a potential "death knell for passwords" or using similarly overblown phrases.

Until the new phones are in the hands of skilled hackers and security consultants, we won't know for sure if Touch ID represents a step forward from the security and privacy offered by today's iPhones. I spent several hours parsing the limited number of details provided by Apple and speaking to software and security engineers. I found evidence both supporting and undermining the case that the fingerprint readers are an improvement. The thoughts that follow aren't intended to be a final verdict—the proof won't be delivered until we see how the feature works in the real world.

The pros

I'll start with the encouraging evidence. Apple said Touch ID is powered by a laser-cut sapphire crystal and a capacitive touch sensor that is able to take a high-resolution image based on the sub-epidermal layers of a user's skin. While not definitive, this detail suggests Apple engineers may have designed a system that is not susceptible to casual attacks. If the scans probe deeply enough, for instance, Touch ID probably wouldn't be tricked by the type of clones that are generated from smudges pulled off a door knob or computer monitor. In 2008, hackers demonstrated just how easy it was to create such clones when they published more than 4,000 pieces of plastic film containing the fingerprint of a German politician who supported the mandatory collection of citizens' unique physical characteristics. By slipping the foil over their own fingers, critics were able to mimic then-Interior Minister Wolfgang Schauble's fingerprint when touching certain types of biometric readers.

Read 15 remaining paragraphs | Comments