iPhone 5S Fingerprint Scanner: A Security Researcher's Perspective
Apple today announced the long awaited iPhone 5S and iOS 7. The new smartphone packs a lot of new specs, but the star of the show from a security researcher’s perspective was undoubtedly the biometric fingerprint scanner, Touch ID . While the API for the scanner is not currently open, the implications of the technology could be huge for the adoption of two factor authentication beyond the enterprise.
As mentioned in FortiGuard’s Midyear Threat Report, two-factor authentication (2FA) is expected to replace the single password sign on security model. While adoption of 2FA has seen some mainstream usage in applications like Twitter, Dropbox, Evernote, and Facebook, it has yet to fully replace the convenience of single factor.
After Apple’s announcement, we asked our threat research team what they thought of this biometric introduction:
Guillaume Lovet, Sr. Manager, FortiGuard Threat Response had this to say:
“From the point of view of a cybercriminal who has trojanized your phone, there is little difference between a fingerprint and a password. If the device is compromised, it can intercept and reuse the digital form of both (say, to complete a money transfer), which boils down to a series of 0s and 1s.”
While Apple claims there to be a dedicated stronghold within the new A7 processor where this data will be stored, a breach into that secure layer would usher the biometric authentication method complete useless.
“From a security point of view, it would be interesting to check if fingerprints carry enough information bits to be used more like a private key (likely protected by a password), that you cannot lose, don’t have to generate and is kind of universal.”
While the fingerprint scanner packs quite a punch at 170 micron thin 500 ppi resolution and the ability to scan sub epidermal skin layers, if the information is stolen, the possibility of using the data like a private key would be moot.
Axelle Apvrille, FortiGuard’s resident cryptology expert and mobile researcher has explored the pitfalls of 2FA here: Zitmo Hits Android.
Richard Henderson, a security strategist for FortiGuard Labs, voiced some advice on the topic:
“The reality here is that, while Apple is the first to implement a biometric method of authentication on such a wide scale, this is being sold and used strictly as a convenience - not as an additional layer of security.”
Let us know what you think!
For more on 2FA check out The Password as you Know it is Dead