How Secure Is the New iPhone's Fingerprint Security?

The biggest news about Apple's iPhone 5s, announced Tuesday (Sept. 10) — from a security perspective, at least — is that it will let users unlock their phones using their fingerprints instead of passcodes.

Called Touch ID, the feature can also be used to authorize App Store and iTunes purchases on the device, activities that until now have required typing in Apple passcodes.

Touch ID is a result of Apple's 2012 purchase of AuthenTec, a company that specializes in biometric identification, which uses physical features such as fingerprints, retinas and faces for security authentication.

On the iPhone 5S, the fingerprint sensor is built into the Home button below the screen, and consists of a thin sapphire lens over a sensor with a resolution of 500 pixels per inch.

This sensor scans your fingerprint and makes a high-resolution image of it.

But coolness factor aside, how does Touch ID's security compare with other ways of locking a smartphone?

Apple phone security

When locked with an alphanumeric passcode, Apple smartphones might be the most secure devices on the commercial market, according to a report from German magazine Der Spiegel on the NSA's smartphone surveillance capabilities.

That security comes in part from the devices' use of the Advanced Encryption Standard (AES) algorithm. Each iPhone is encrypted using a unique AES key composed of 256 randomly chosen ones and zeroes, or "bits."

Each phone's 256-bit AES key is stored locally in the device's memory, where it is itself encrypted. The key to decrypt the phone's AES key is the user-selected passcode that unlocks the phone's screen.

To use a fingerprint instead of a passcode on an iPhone 5S, you'll first have to let the iPhone turn that print into a unique string of digits.

"Over the last 10 years, mathematical techniques have been developed, called fuzzy hatching and secure sketch, that can extract a key from a biometric in a reliable way," said Nasir Memon, a professor of computer science at Polytechnic Institute of New York University.

These digitizing methods turn a fingerprint into a string of about 30 to 40 ones and zeros, or bits. This is the equivalent of five or six characters on a keyboard.
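
To make the idea of extracting a stable key from a noisy biometric concrete, here is an added example (not from the article, and not Apple's or AuthenTec's code) of the code-offset construction of a secure sketch. The 5x repetition code, the use of SHA-256 as the key-derivation step, the function names and the 40-bit sample template are all assumptions chosen for illustration.

```python
import hashlib
import secrets

REP = 5  # toy repetition code: majority vote corrects up to 2 flipped bits per 5-bit block

# Constructed 40-bit "fingerprint template" (illustrative, not real biometric data).
SAMPLE_TEMPLATE = [int(c) for c in "1011001110001011010011100101100111000101"]

def encode(bits):
    """Repeat every secret bit REP times to form a codeword."""
    return [b for b in bits for _ in range(REP)]

def decode(bits):
    """Majority-vote each REP-bit block back to one bit."""
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def derive_key(template):
    # SHA-256 stands in for a proper randomness extractor (assumption).
    return hashlib.sha256(bytes(template)).hexdigest()

def enroll(template):
    """Return (helper, key). Only the helper is stored; it is the template
    masked by a random codeword, and it leaks some information about the template."""
    if len(template) % REP:
        raise ValueError("template length must be a multiple of REP")
    secret = [secrets.randbits(1) for _ in range(len(template) // REP)]
    return xor(template, encode(secret)), derive_key(template)

def reproduce(reading, helper):
    """Re-derive the key from a noisy reading of the same finger."""
    noisy_codeword = xor(reading, helper)        # codeword XOR sensor noise
    codeword = encode(decode(noisy_codeword))    # error correction removes the noise
    return derive_key(xor(helper, codeword))     # helper XOR codeword = enrolled template

if __name__ == "__main__":
    helper, key = enroll(SAMPLE_TEMPLATE)
    noisy = list(SAMPLE_TEMPLATE)
    for i in (0, 7, 13):                         # one flipped bit in three different blocks
        noisy[i] ^= 1
    print("same finger, noisy scan:", reproduce(noisy, helper) == key)
    other = [b ^ 1 for b in SAMPLE_TEMPLATE]     # every bit differs: a different finger
    print("different finger:       ", reproduce(other, helper) == key)
```

Because the stored helper reveals part of the template and the error correction must absorb scan-to-scan noise, the key that comes out carries less entropy than the raw reading has bits.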

Better than nothing?

Theoretically, Memon said, that means a fingerprint is as secure as a five- or six-character alphanumeric password, but in practice a fingerprint is probably more secure. Most people use weak passwords that incorporate words or important numbers and are therefore easier to guess than a random set of characters.

Furthermore, with a fingerprint there's no chance of someone looking over your shoulder to get your password.

For the more than 50 percent of iPhone owners who don't use a passcode at all, Touch ID might be just the thing, said Shuman Ghosemajumder, vice president of operational security at Shape Security in Mountain View, Calif.

"Considering the amount of valuable data we keep on our devices, if the use of fingerprints will result in a much higher number of people [locking their phones] … that does create better security for a very large number of people," Ghosemajumder told Tom's Guide.

Other security experts are more skeptical.

"[Touch ID] is only better than nothing if it doesn't expose you to risks that 'nothing' doesn't expose to you," tweeted Matt Blaze, a University of Pennsylvania cryptography researcher.

  • Simon MacArthur, September 13, 2013 1:19 PM
    Knowing Apple, your fingerprint is probably being sent directly to the NSA for filing, just in case.....
  • jskitt2000, September 15, 2013 8:46 PM
    @Simon MacArthur.....According to Apple, the fingerprint/s are stored locally, on the A7 chip only. So theoretically, if the device is encrypted locally, and the encryption key is also encrypted on the devices only, then NSA will not have access to it. Now, if there is a back door built in for the NSA....that's another story!
  • jgreenfield61, October 3, 2013 8:26 PM
    The real issue is how well we trust Apple to not give others access to the phones. I'd like some independent entity we trust to test, analyze, and verify the security of the device - maybe two or three entities would be even better. If they all come up with the same positive conclusion, we'd all be more comfortable.