Apple's Fingerprinting Helps Security, But It's Not Enough

Apple (NASDAQ:AAPL) has discovered the fingerprint. OK, Apple actually discovered the fingerprint in 2008, when it began filing patents for biometric security. But after five years and the acquisition of biometric authentication vendor AuthenTec, on Tuesday (Sept. 10) Apple finally unveiled an iPhone that can be unlocked with a fingerprint. Very impressive, and something Apple views as crucial for its eventual foray into mobile payments. The only problem? It's really not enough.

That's not a knock against AuthenTec or Apple. There's a fundamental problem with all fingerprint-based authentication—and the very reason it's so popular for law enforcement. The huge advantages of fingerprints over any traditional password or fob system are that (a) they're virtually unique, and (b) users aren't likely to lose, forget or get confused about them. The big problem with fingerprints? You leave copies of them virtually everywhere you go. That means the first thief who finally figures out how to use a copy to unlock an iPhone has made its fingerprint security useless.

Will that happen? There's every reason to believe it will, and the price of admission for this break-the-security contest is just the cost of a new iPhone 5S. Since they're all essentially alike, figuring out a technique that works on one can be applied to all of them. (It's the Microsoft monoculture security problem applied to phone unlocking.) Thieves will be able to experiment endlessly. As long as they don't damage the phone—which would ruin resale value anyway—they can try anything.

What will they try? Everything. They'll likely start with techniques that worked against the low-end fingerprint authentication that was popular on some laptop models a decade ago. Presumably AuthenTec's hardware and software are better, but so are the tools available to thieves. If a simple lifted fingerprint won't work, how about a 3-D version in latex, built up by a 3-D printer or etched into the latex by a computer-controlled laser cutter?

The question isn't whether the authentication will be cracked. As always with security, the only question is how expensive it will be to unlock any particular phone.

Of course, people in retail are jaded. Fingerprint authentication has had a very mixed history among retailers. But a phone is different from a point-of-sale terminal. Users own their phones. They trust their phones—often much more than they should.

That said—yeah, Apple's Touch ID is a neat hack. And it does solve a major problem for both retail app security and mobile payments (in case they ever take off): how to keep customers from walking around all day with their phones unlocked. The reason they do that is that keying in a PIN is just time-consuming enough to get old very quickly. The result is that users will set the timeout for the maximum they can—30 minutes, an hour, whatever the unlocking mechanism will allow them.

With a fingerprint, that's not necessary. A customer is going to have to lay a finger on the phone just to take it out. With essentially instant, one-touch authentication, users won't mind unlocking the phone all the time. And best way to keep card data, transaction information or anything else retail-related secure on a phone is to keep the phone locked.

That's an advantage to depending on fingerprint unlocking. The disadvantage? Things can go wrong.That's an advantage to depending on fingerprint unlocking. The disadvantage? Things can go wrong. Everyone knows they'll forget passwords, which is why they write them down. (Unfortunately, IT security people usually tell users not to write them down instead of suggesting ways the users can write down an obfuscated version that will mean nothing to anyone else but will immediately jog the user's memory.)

But if things go wrong with fingerprint recognition, what then? Maybe AuthenTec's technology is good enough to recognize the finger in question even if it's bruised or scraped up. But what if that finger is too painful for even the pressure of the iPhone's new self-authenticating home button? That ends up as a lockout, which admittedly is a user difficulty and not so much a security problem.

Then there's a very different way things can go wrong. One big problem right now with iPhones is that they're a popular target for thieves. Today, those are largely snatch-and-run thefts. In fact, Apple is touting the new fingerprint authentication as a way to make iPhones useless to thieves—without that fingerprint, they'll stay locked.

But that seems like it's based on a very generous estimation of thieves, doesn't it? Since every iPhone user has essentially the same password—"put finger on home button"—all a thief needs to do is keep trying different fingers on the victim until one works. That's a lot more dangerous for both thief and victim than snatch-and-run, but it's also unfortunately likely if snatch-and-run is no longer an option.

What's the solution? Don't depend on fingerprints, no matter how attractive the shiny new technology (which Android doesn't have) may be. Use two-factor authentication. And because things can go wrong with fingerprint recognition to make it unusable, why not two-out-of-three-factor authentication? A fingerprint, a PIN and a password probably represent enough variety to eliminate the "everyone just uses fingerprints" risk.

Other kinds of biometric ID, such as voiceprint or facial recognition, can work too. In fact, the greater the variety of authentication techniques, the more secure they all are if a user is only picking three and using two. The more options, the more possible combinations there are that a thief must try. For once, security through obscurity works.

But please, Apple—in the name of security, don't just rely on your fingerprint scanner. Yes, AuthenTec was expensive. Yes, the fingerprinting is a unique feature, and telling iPhone users not to use it alone makes it sound like it's not so great. But keep the PIN with the longer timeout. Tell app designers to use passwords if they're appropriate. Implement voice and face recognition if you can work the bugs out.

The goal isn't just to show you have a fancy new marquee technology. The goal is to keep the device secure. And if you double up on security with something besides fingerprint authentication alone, you'll be able to make sure thieves (and Android) can't lay a finger on you.