This weekend, in an inevitable bit of hacking, the Chaos Computer Club (CCC) successfully foiled the iPhone 5S fingerprint reader via the age-old technique of lifting a fingerprint and using it to create a latex mold.
A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as an access control method and should be avoided.
Er, not exactly.
One of the logical traps the CCC falls into here is assuming that, because the group foiled the iPhone’s biometrics, the entire TouchID authentication system must be useless. There are a few reasons why that doesn’t make much sense.
First, Apple hasn’t sold the iPhone 5S’s fingerprint reader as an unhackable alternative to the passcode. All security systems — including biometrics-based ones — are flawed in some way, and TouchID is no exception.
Moreover, the TouchID technology was created in response to one basic observation: iPhone users have been so annoyed by the process of inputting passcodes that half of them have stopped using passcodes altogether. TouchID fills that gap by being so easy to use that it’s almost invisible.
Some security is better than no security at all (and two-factor authentication better than them both).
And then there’s the process of making the fake fingerprint itself. While the CCC maintains that the materials needed to make the fingerprint mold can be found “in almost any household,” that line just doesn’t hold up. How many people do you know who have a camera capable of taking images at 2400 DPI, a 1200 DPI printer, and latex milk? Precious few, I’m sure.
Likewise, it’s telling that the CCC didn’t go out of its way to also record the process of making the mold — likely because of how long it takes. Most thieves just don’t have that kind of time.
In other words, the entire process of creating a fake fingerprint and fooling the iPhone 5S’s fingerprint scanner is so involved and time-consuming that it significantly limits the chances you’ll ever see such a technique used in the real world. (This is a common theme with these kinds of proof-of-concept security breaches, by the way.)
All of this underscores the basic reality about TouchID: For most people, it’s just good enough. And that, not the “hacking,” is what’s really important here.