This content is part of the Essential Guide: Tips and tricks for ensuring mobile data security
News Stay informed about the latest enterprise technology news and product updates.

Apple iPhone 5s Touch ID's coolness overshadowed by concerns

The new Apple iPhone 5s Touch ID lets users access their phone with a fingerprint, but many are concerned with how that biometric data may be used.

The iPhone 5s Touch ID gives users a greater sense of device protection, but the biometric technology shouldn't be considered an enterprise-grade security feature.

In addition, there are concerns about how the fingerprint data may be used by Apple Inc., how it may be shared and the hacking risk.

I have witnessed biometric scanners defeated through the use of a Gummy Bear as a print mold.

David Reynolds,
certified ethical hacker

Apple's biometric-scanning technology is built into the home button and allows users to conveniently unlock a device using his or her fingerprint.

The fingerprint data is stored on the device chip in an encrypted format. Third-party applications can't access the fingerprint data, but it can be used to approve purchases from the iTunes Store, App Store, and iBooks store.

Touch ID is one of the reasons many purchased the new device; Apple sold a record-breaking nine million new iPhone 5s and iPhone 5c models just three days after the release on September 20, the company said.

Bring-your-own-device shops with employees in this early-adopter group must consider Touch ID's value, limitations and the risks.

Touch ID offers identification, not authentication

Several corporate iPhone users have reached out to Neohapsis, a mobile and cloud security services provider based in Chicago, to inquire about what the technology is capable of and the risks, said Gene Meltser, technical director for Neohapsis Labs.

"In the corporate world, security requirements are for robust systems authentication, not convenience," Meltser said. "Biometrics is not authentication; it is identification."

Indeed, Touch ID should be considered a convenience, not a security feature, said Jack Gold, principal analyst for J. Gold Associates, a technology industry analyst firm in Northborough, Mass.

"If you use it as the only main security feature, then you've got a problem," Gold said.

For a device to be secure, it has to support multifactor authentication; a combination of at least two of three components -- something the user has, like a physical token; something they know, like a password; and something they are, like biometrics, Meltser said.

"Biometrics itself is only one of those things, and fingerprints are everywhere," Meltser said. "To make it robust, it needs to be combined with something else -- a strong password that only you know."

Concerns over the use of biometrics were piqued when a hacker group reported that they easily broke into the fingerprint-protected phones. The German hacker group pointed out in its blog that fingerprints are left everywhere, "and it is far too easy to make fake fingers out of lifted prints."

The use of the fingerprint as a practical means of securing devices has long been the subject of debate, said David Reynolds, a certified ethical hacker and systems manager with Rhode Island Blood Center in Providence, R.I.

"I personally have witnessed biometric scanners defeated through the use of a Gummy Bear as a print mold," Reynolds said. But no system is impenetrable, he added. "It just has to be really impracticable for someone to break in to it."

And fingerprints are certainly more secure than the weak passwords that most people use. For the past two years, the top three most popular passwords have been "password," "123456," and "12345678," according to SplashData's 2012 list of the most common passwords used on the Internet and posted by hackers.

Fingerprint ID hacks require some sophistication and shouldn't be a major concern for most people, analysts said.

"Any secure system has vulnerabilities. No such thing has absolute security. It does not exist," Craig Mathias, principal at Farpoint Group, an advisory firm specializing in wireless and mobile technologies based in Ashland, Mass. "I prefer retina eye scans. You don't leave eye scans lying around."

Can Apple share biometric data?

Beyond the hacker threat, some are concerned about Apple's access to the fingerprint data and how the company might use or share it.

Minnesota Senator Al Franken raised these issues and others in a letter to Apple CEO Tim Cook last week. Some questions include whether it is possible to convert locally stored fingerprint data into a digital or visual format that can be used by others, whether fingerprint data can be extracted from the iPhone by anyone with access to the device or remotely, and whether the fingerprint data will be backed up to a users' computer when they connect their iPhone to it.

Franken asked Apple to assure its users that it will never share fingerprint data with anyone, particularly government agencies.

Craig Federighi, Apple's head of software, has publicly emphasized that the fingerprints do not leave the device and that the physical lines of communication in and out of the chip would not ever permit that to escape. And in the "Consent to Use of Data" section of Apple's iOS 7 user agreement, the company states that Apple may only use information that is collected in a form that does not personally identify the user.

That shouldn't set users minds at ease, though.

"Just because a company is saying they won't use it to identify you, it doesn't mean that it can't be compromised in some other way," Mathias said. "It's the same with credit cards. If I have your number on my computer, I can tell you that it's safe. But if someone hacks into my computer and steals it, then it's gone. "

Others simply don't trust corporations' promises that they protect user data.

"Everyone says that. Google, Amazon and Facebook say that," Gold said. "If you trust Apple in that nothing bad will come from this, then that's fine. But I don't trust any of these guys, especially with all breaches and the data that has been handed over to the NSA [National Security Agency] recently."

Meanwhile, mobile consultants advise clients not to rush and adopt any new technology.

"I always wait two weeks for a new update, because by then some bugs and issues will be sorted out," Mathias said.

Apple did not respond to a request for comment.

Dig Deeper on Apple iOS in the enterprise

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What about all the laptops with finger swipe capability?
What about every biometric door lock?

Come on, this isn't news- even the TouchID specific concerns have been mentioned. Fact is, Apple is not dumb enough to do anything shady with TouchID... They know that iOS7 will be jailbroken and completely dismantled within a few weeks, so it would not benefit them to ruin their reputation by doing sneaky stuff. If they do, we'll know soon enough.