Does the iPhone 5s Give Passcodes the Finger? No, Not Yet. (Updated)

Your rating: None (4 votes)

There is a lot to like about Apple's new iPhone 5s announced Tuesday. The faster and 64-bit chip, the battery-saving M7 motion processor, the really nice camera. And gold, if that's what rings your bell. But for enterprises, the headline features seems to be "Touch ID", the fingerprint sensor built into the home button of the top-end phones.

It is clearly a leap forward, and journalists are getting very excited. But we need a reality check here, as there are some subtle but critical details that don't seem to be getting attention. Touch ID is not going to replace your passcode, it isn't more secure than your passcode, and it isn't two-factor authentication. If used properly, it can improve security for many of us. And in truth, it is a hell of a lot better than nothing.

Let me 'splain what I'm thinking.

Passcode required

Today, the key info about this feature comes from an article in the Wall Street Journal. An unnamed Apple representative says this:

Apple customers who wish the use Touch ID also have to create a passcode as a backup. Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn’t been unlocked for 48 hours.

The way I interpret this statement is this: the passcode is, as today, the primary means of securing the device. The passcode is always available. The fingerprint sensor is an alternate means on unlocking the device, but the passcode will always be there. The fingerprint sensor is, in a sense, a shortcut to the passcode.

No additional security (unless you add it)

An iPhone with no passcode is like leaving the door to your house wide open.

Use a passcode, and you've closed and locked that door.

Not only is the phone locked, but you are now encrypting the data on your phone. So even if someone breaks open the hardware and removes the chips, your encrypted data is safe.

Introduce Touch ID, and here's what you have:

Now you have two ways into your house: Use the same passcode door as before or use the fingerprint door. If one door doesn't let you in maybe the other will. To me, it is clear this is not more secure than one door. If your passcode is "1-1-1-1" then I don't care about your fingers, I'll just enter through the passcode.

The standard 4-digit numeric passcode is pretty easy to crack. There are only 10,000 combinations, after all, and if you enter them through a tethered connection you can try them pretty quickly. But if you don't use a 4-digit numeric passcode, you get a lot more secure.

But there is a way Touch ID can enable stronger security. Since the fingerprint is effectively a shortcut around a passcode, I can now make a really difficult passcode to get into my phone. A passcode with 18 characters and symbols and caps and emoji and stuff. A passcode that was so difficult to enter that it would drive me crazy if I needed to enter it every 5 minutes. But if I need to enter the complex passcode only when rebooting the phone (almost never) or after 48 hours idle (absolutely never) then I can live with that.

Better security, but only indirectly enabled by biometrics.

Not two-factor authentication

Maybe you can see by now that the fingerprint sensor on the iPhone 5s does not provide two-factor authentication. 2FA is like two locks on the same door.

I use Google 2-Step Verification for my Google accounts — you should too — and that makes me happy. When I use that I need to enter BOTH my password and my 1-time code. [Experts will say this isn't true 2FA, but it keeps me feeling warm and fuzzy.]

Way better than nothing

Greater improvements to security are to come in iOS 7. On setup, users are prompted — actually encouraged even — to enter a passcode. And apps used to have to opt-in to use the protected data store; now it is on by default.

In truth, we should remember that not enough iOS users enter any passcode. Instead they leave their door wide open. Maybe having the fingerprint sensor is going to be just cool technology and smart shortcuts to get people to lock their front doors.

Update: You may know that using Mobile Device Management, configuration profiles, and/or ActiveSync, an administrator can require a passcode. I've heard many people asking if there will be a similar key to require a fingerprint. If I'm right in my thinking, we won't see that. If I'm right that the current implementation otherwise diminishes security (slightly), we'll see a key to disable fingerprint sensing instead.

Update 9/22: Yup, right. The new Configuration Profile Reference has a key "allowFingerprintForUnlock" that defaults to true. So you can disable fingerprint unlock, but not enforce it. Oh, and the CCC claims it has just cracked Touch ID using a high-resolution photo.

Recent Activity