“The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.”
The system demonstrated by the Chaos Computer Club in the video does not require any special technology.
Most any password system can be hacked. The four digit code which is used to lock Apple’s iPhone is not all that secure, giving you a maximum of 10,000 permutations. A “secure” password should have at least 8 alphanumeric digits and mixed uppercase and lowercase letters. Even then, you would want to back it up with two factor authentication. A four digit passcode is already rather inconvenient for many people. A lot of people would rather simply leave their phones unlocked. Unless you work for the NSA or are with the R&D department of a company, you certainly are not going to want to use an 8-digit alphanumeric passcode.
Whether or not TouchID can be fooled, I think we can still all agree that it is a sufficient level of security for unlocking your phone. A phone unlocking system only needs to be secure enough to give sufficient time for you to discover that your phone is missing and take appropriate measures. What should you do? Contact your carrier so they can cut your SIM card and disconnect it from your cloud services. For good measure, some of you may want to do a remote wipe if you kept anything particularly interesting on your phone.
Again, unless you work for the NSA or are with the R&D department of a company, somebody who steals your phone will just want to do a factory reset and hawk your phone to a buyer. What is worrisome is not someone stealing your phone and being able to unlock it. It is someone using a different device to mimic you online.
So a fingerprint scanner is useful to secure a device, even if it can be fooled. It has been used to secure laptops for years. But really, you should not rely on TouchID to secure iTunes, or to replace passwords for your email account, cloud services or anything involving money. Fingerprints are poor “passwords,” for the following reasons:
1. Depending on where you live, they are probably on file in several places.
2. You leave them wherever you go, including your missing phone.
3. They cannot be changed. You have ten fingerprints you can rotate at most. Only four are ergonomically comfortable to use.
The advantage of the traditional password is that it is only in your head, some secure password vault, or maybe scribbled on a piece of paper in your night stand.
Motorola dabbled with fingerprint scanners on their phones a few years back. I am not sure that Android manufacturers will adopt fingerprint scanners for security wholesale. Android already has a convenient way to unlock your phone: pattern lock. I can unlock my Android in two seconds with pattern unlock without ever looking at the screen. It really does not offer more security than a four digit or five digit passcode, but is a good balance of security and convenience.
No authentication system will ever be completely secure. But most people do not need absolute security and a fingerprint scanner is a good balance between convenience and security. Even than, old advice should be heeded. Do not use one universal key as your password for various accounts and services. If you need top grade security, the Chaos Computer Clubs TouchID is not it. “We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token.”