News·Analysis

Fingerprint scanning a balance of security and convenience: Dan Misener

Before Apple announced the iPhone 5S and TouchID, its fingerprint authentication feature, a U.S. magazine columnist predicted such a system could be easily fooled. And just yesterday, a hacker collective proved him right. Fingerprint scanning isn't infallible, writes Dan Misener, but it remains superior to passcodes in keeping your smartphone safe.

Hacker collective announced it has broken into new iPhone 5s

Immediately after the release of Apple's new iPhone 5s on Sept. 10, hackers set about breaking its fingerprint scanner. (Marcio Jose Sanchez/Associated Press)

Bruce Schneier nailed it.

Before Apple announced the iPhone 5S and TouchID, its fingerprint authentication feature, Schneier predicted that such a system could be easily fooled.

"Almost certainly," he wrote in a Wired opinion piece, "I'm sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability — or maybe just a good enough printer — can authenticate his way into your iPhone."

A few days later, as if on cue, members of the European hacker collective Chaos Computer Club claimed to have done just that, posting a video documenting their hack.

The steps they took are detailed on their site, but essentially, the hackers took a high-resolution image of a fingerprint, printed out a high-resolution mirror image and poured a layer of latex over top. Once it dried, the resulting fake fingerprint was capable of unlocking a phone.

The hack is a high-resolution update of a well-known and often-documented technique that's been used to fool fingerprint sensors for years.

Svetlana Yanushkevich isn't surprised by the hack. Yanushkevich is with the Biometric Technologies Laboratory at the University of Calgary, and has followed the story along with her students.

"Every time you get a new technology, somebody will try to prove that it's not good enough," she says. "It's possible to fool a voice recognition system. It's possible to fool a face recognition system, because you can present a very good photograph of the person to the camera. There always will be someone who wants to prove it wrong."

Better than nothing

So, if the new iPhone's fingerprint security is hackable, why use it?

A graphical illustration of how to fake a fingerprint, according to the process used by the hacker collective the Chaos Computer Club, which was able to fool the fingerprint sensor on the new iPhone 5S. (CBC)

Because it's considerably more secure than a four-digit passcode. And it's way more secure than what most people do to secure their smartphones, which is nothing. Apple claims that "more than 50 percent of smartphone users don't use a passcode."

So, if the goal is to get more smartphone users to do something rather than nothing about the security of their electronics, fingerprint sensors can help.

For me, this story is a good reminder of the trade-off between security and convenience. With any authentication technology, you give up one to get the other. The trick is finding the right balance.

Yanushkevich told me that biometrics like fingerprints, voiceprints and retina scans contain much more information than a four-digit phone passcode or a traditional password. Depending on the implementation, they can be significantly more secure. But, she says, these features are most effective in combination.

"You can combine passcode and fingerprint to have several levels of security," she explains. "This is something that we call in research work 'fusion.' Fusion will always increase the confidence levels that help you make your decision about acceptance or rejection."

Combining biometrics and passcodes may be more secure, but again, there's a tradeoff between convenience and security. In a world where more than half of smartphone users don't even use a passcode, there seems to be a strong preference for convenience.

What's next

Today, Apple's TouchID fingerprint scanner is only available on the brand new, top-of-the-line iPhone. I suspect that over time, this feature will trickle down to their other products. I'll be amazed if many other smartphone manufacturers don't start adding fingerprint sensors to their mass-market phones.

I asked Yanushkevich what she thinks is next.

"We can expect that the face biometric or iris biometric will be used on the mobile devices. That's our prediction."

Eyeballs. Great. I can't wait to start worrying about a thief copying my eyeball to gain access to my phone.

ABOUT THE AUTHOR

Dan Misener

CBC Radio technology columnist

Dan Misener is a technology journalist for CBC radio and CBCNews.ca. Find him on Twitter @misener.