
How Secure Is the New iPhone's Fingerprint Security?

How Touch ID works

From a security perspective, at least, the biggest news about Apple's iPhone 5s, announced Tuesday (Sept. 10), is that it will let users unlock their phones using their fingerprints instead of passcodes.

Called Touch ID, the feature can also be used to authorize App Store and iTunes purchases on the device, activities that until now have required typing in Apple passcodes.

Touch ID is a result of Apple's 2012 purchase of AuthenTec, a company specializing in biometric identification, which uses physical features such as fingerprints, retinas and faces for security authentication.


On the iPhone 5S, the fingerprint sensor is built into the Home button below the screen, and consists of a thin sapphire lens over a sensor with a resolution of 500 pixels per inch.

This sensor scans your fingerprint and makes a high-resolution image of it.

But coolness factor aside, how does Touch ID's security compare with other ways of locking a smartphone?

Apple phone security

When locked with an alphanumeric passcode, Apple smartphones might be the most secure devices on the commercial market, according to a report from German magazine Der Spiegel on the NSA's smartphone surveillance capabilities.

That security comes in part from the devices' use of the Advanced Encryption Standard (AES) algorithm. Each iPhone is encrypted using a unique AES key made up of 256 randomly chosen ones and zeroes, or "bits."

Each phone's 256-bit AES key is stored locally in the device's memory, where it is itself encrypted. The key that decrypts the phone's AES key is the user-selected passcode that unlocks the phone's screen.
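The layering just described, a random 256-bit device key that is itself stored only in encrypted form under the passcode, is easy to model in code. The Go program below is an added example written for this article, not Apple's implementation: it stretches the passcode with salted, iterated SHA-256 (a constructed stand-in for whatever key derivation Apple actually uses) and wraps the device key with AES-256-GCM, so a wrong passcode fails authentication instead of producing a wrong-but-plausible key. The function names, the 16-byte salt and the 100,000-round count are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// kdfRounds is a constructed value for the demo; Apple's own key derivation is not modelled.
const kdfRounds = 100000

// passcodeToWrappingKey stretches the passcode into a 256-bit AES key using
// salted, iterated SHA-256 (an assumption of this example, not Apple's KDF).
func passcodeToWrappingKey(passcode string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), passcode...))
	for i := 1; i < kdfRounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Provision creates the phone's random 256-bit AES key and returns it wrapped
// (encrypted under the passcode-derived key) together with the salt. A real
// system stores only wrapped and salt; the plaintext key is returned here
// solely so the demo can check the round trip.
func Provision(passcode string) (wrapped, salt, deviceKey []byte, err error) {
	deviceKey = make([]byte, 32) // 256 randomly chosen bits, as the article describes
	salt = make([]byte, 16)
	if _, err = rand.Read(deviceKey); err != nil {
		return nil, nil, nil, err
	}
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, nil, err
	}
	gcm, err := newGCM(passcodeToWrappingKey(passcode, salt))
	if err != nil {
		return nil, nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, nil, err
	}
	wrapped = gcm.Seal(nonce, nonce, deviceKey, nil) // layout: nonce || ciphertext || tag
	return wrapped, salt, deviceKey, nil
}

// Unlock recovers the device key from the stored blob. A wrong passcode gives a
// wrong wrapping key, GCM authentication fails, and nothing comes out.
func Unlock(wrapped, salt []byte, passcode string) ([]byte, bool) {
	gcm, err := newGCM(passcodeToWrappingKey(passcode, salt))
	if err != nil {
		return nil, false
	}
	ns := gcm.NonceSize()
	if len(wrapped) < ns {
		return nil, false
	}
	key, err := gcm.Open(nil, wrapped[:ns], wrapped[ns:], nil)
	if err != nil {
		return nil, false
	}
	return key, true
}

func main() {
	wrapped, salt, deviceKey, err := Provision("1234")
	if err != nil {
		panic(err)
	}
	got, ok := Unlock(wrapped, salt, "1234")
	fmt.Println("correct passcode unlocks:", ok && bytes.Equal(got, deviceKey))
	_, ok = Unlock(wrapped, salt, "1235")
	fmt.Println("wrong passcode unlocks:  ", ok)
	fmt.Println("key visible in stored blob:", bytes.Contains(wrapped, deviceKey))
}
```

Running it prints three lines: the correct passcode recovers the key, a passcode one digit off does not, and the stored blob never contains the key in the clear. It also makes the article's next point concrete: the 256-bit key is only as well protected as the secret that unwraps it, whether that secret is a typed passcode or the handful of bits extracted from a fingerprint.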

To use a fingerprint instead of a passcode on an iPhone 5S, you'll first have to let the iPhone turn that print into a unique string of digits.

"Over the last 10 years, mathematical techniques have been developed, called fuzzy hatching and secure sketch, that can extract a key from a biometric in a reliable way," said Nasir Memon, a professor of computer science at Polytechnic Institute of New York University.


These digitizing methods turn a fingerprint into a string of about 30 to 40 ones and zeros, or bits. This is the equivalent of five or six characters on a keyboard.
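The "secure sketch" Memon refers to, and the idea of pulling a stable key out of a noisy biometric, can be shown with a toy construction. The Go program below is an added example, not Apple's or AuthenTec's code: it uses the code-offset construction with a 5-bit repetition code, the textbook fuzzy-extractor case, so enrolling a feature vector w publishes a sketch w XOR encode(k) and a later reading w' recovers the random k, and hence the same key, as long as no more than two bits in any 5-bit block have flipped. The 35-bit key size mirrors the 30-to-40-bit figure in the article; the feature vectors are constructed from hashed labels, and the block size, vector length and function names are assumptions for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	keyBits  = 35            // about the 30-40 bits the article cites for a print
	rep      = 5             // repetition-code length: majority vote fixes 2 flips per block
	tmplBits = keyBits * rep // toy feature-vector length (an assumption of this demo)
)

// encode expands each key bit into rep copies (a repetition code).
func encode(k []byte) []byte {
	c := make([]byte, 0, tmplBits)
	for _, b := range k {
		for i := 0; i < rep; i++ {
			c = append(c, b)
		}
	}
	return c
}

// decode takes a majority vote per block, correcting up to (rep-1)/2 flipped bits.
func decode(c []byte) []byte {
	k := make([]byte, keyBits)
	for i := 0; i < keyBits; i++ {
		ones := 0
		for _, b := range c[i*rep : (i+1)*rep] {
			ones += int(b)
		}
		if ones*2 > rep {
			k[i] = 1
		}
	}
	return k
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Enroll (Gen): pick a random k, publish sketch = w XOR encode(k), derive the key from k.
func Enroll(w []byte) (sketch []byte, key [32]byte, err error) {
	raw := make([]byte, keyBits)
	if _, err = rand.Read(raw); err != nil {
		return nil, key, err
	}
	k := make([]byte, keyBits)
	for i := range k {
		k[i] = raw[i] & 1 // one random bit per key position
	}
	return xor(w, encode(k)), sha256.Sum256(k), nil
}

// Recover (Rep): a fresh reading w' close enough to w yields the same k, hence the same key.
func Recover(wPrime, sketch []byte) [32]byte {
	return sha256.Sum256(decode(xor(wPrime, sketch)))
}

// ConstructedFingerprint fabricates a deterministic 0/1 feature vector from a label
// (a constructed stand-in for real minutiae features, which this demo does not model).
func ConstructedFingerprint(label string) []byte {
	w := make([]byte, 0, tmplBits)
	for ctr := uint32(0); len(w) < tmplBits; ctr++ {
		var cb [4]byte
		binary.BigEndian.PutUint32(cb[:], ctr)
		for _, byt := range sha256.Sum256(append([]byte(label), cb[:]...)) {
			for bit := uint(0); bit < 8 && len(w) < tmplBits; bit++ {
				w = append(w, (byt>>bit)&1)
			}
		}
	}
	return w
}

// NoisyReading flips the first n bits of every block to simulate sensor noise.
func NoisyReading(w []byte, n int) []byte {
	out := append([]byte{}, w...)
	for i := 0; i < keyBits; i++ {
		for j := 0; j < n && j < rep; j++ {
			out[i*rep+j] ^= 1
		}
	}
	return out
}

func main() {
	w := ConstructedFingerprint("finger-A")
	sketch, key, err := Enroll(w)
	if err != nil {
		panic(err)
	}
	fmt.Println("2 flips/block, same key:", Recover(NoisyReading(w, 2), sketch) == key)
	fmt.Println("3 flips/block, same key:", Recover(NoisyReading(w, 3), sketch) == key)
}
```

The sketch can sit in ordinary storage because it does not give k away without the finger, but notice what hashing does not buy: the 256-bit SHA-256 output carries at most the 35 bits of entropy that went into k. That is the substance of the comparison that follows, since a fingerprint-derived secret is only as hard to guess as the bits the sensor can reliably extract.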

Better than nothing?

Theoretically, Memon said, that means a fingerprint is as secure as a five- or six-character alphanumeric password, but in practice a fingerprint is probably more secure. Most people use weak passwords that incorporate words or important numbers and are therefore easier to guess than a random set of characters.

Furthermore, with a fingerprint there's no chance of someone looking over your shoulder to get your password.

For the more than 50 percent of iPhone owners who don't use a passcode at all, Touch ID might be just the thing, said Shuman Ghosemajumder, vice president of operational security at Shape Security in Mountain View, Calif.

"Considering the amount of valuable data we keep on our devices, if the use of fingerprints will result in a much higher number of people [locking their phones] … that does create better security for a very large number of people," Ghosemajumder told Tom's Guide.

Other security experts are more skeptical.

"[Touch ID] is only better than nothing if it doesn't expose you to risks that 'nothing' doesn't expose to you," tweeted Matt Blaze, a University of Pennsylvania cryptography researcher.