The new fingerprint reader on the iPhone 5s is just a button. It may not be the first time you have used a fingerprint reader. It also isn’t the first one on a phone. The news reports are out demoing how to hack TouchID with copies of my prints and more. Frankly, these are all overdone. All I know is I am thankful. It’s better than the four-digit password I was using before (many times a day) and my phone now has a much more complicated password as an alternative. Is there some technique to using it? Yes, and I’m changing my hard button pressing ways. The following quote (read the article for common sense) sums up the hacking and points to the two-factor authentication approaches to come.
Imagine a banking application where on startup you use a fingerprint for convenience – it’s nice and quick and only needs to ensure the right person has started it. However as soon as you want to do something sensitive like check a balance or transfer some funds we kick it up a notch by asking for a two factor authentication – the fingerprint and a 4 digit pin. This combination is strong enough to protect the user against most scenarios from physical theft through to phishing attacks.
Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. | The Official Lookout Blog.
Was it worth buying an iPhone 5S for? (Certainly if registered for the developer program). Perhaps not as an upgrade from an iPhone 5, although after using TouchID you see other log-in and authentication systems differently. For example, until now I always preferred my Galaxy’s dots and swipe approach. TouchID is faster. I trust this will reduce the number of people (about half apparently) stupidly walking around without passcodes on their phones.
At the consumer end I suspect the demos will be fairly compelling after you understand this point (my bold).
Touch ID has nothing to do with clicking the button, and there should be almost no delay. Certainly not two seconds. You don’t need to press and hold the button to get it to scan your finger. You just rest your finger on the sensor — no click necessary — and it works. When the phone is asleep, you do need to wake it up, so you can do that with a click of the home button and then just keep your finger on the button, resting without pressing. There is no race condition with the press-and-hold action to activate Siri.
via Daring Fireball Linked List: Dustin Curtis on the iPhone 5S.
So… what happened… for good or bad. Millions of people became acquainted with a fingerprint reader and are now using it daily. They aren’t thinking about it too much. It became the new norm. In a year or two years that is likely to be 10s (100s?) of millions. Time for the discussion to move towards what developers can actually do with it. I’d also like to see some identity experts chime in as this may introduce new options for managing personal clouds.
Last words:
TouchID was designed to counter the top two threats (acquaintances and common thieves), not sophisticated criminals. Those in the third threat class are not going to be stopped by either a passcode or a fingerprint because they have other ways of getting that data.
via Threat Modeling Against Apple’s TouchID | Daniel Miessler.