I came across an article today that demonstrates a compromise of the new Apple 5S fingerprint reader:
In other words, a copy of your fingerprint is your fingerprint. And as Johannes discussed in the first article on this (https://isc.sans.edu/forums/diary/In+Defense+of+Biometrics/16553/), the screen on your phone is one of the better fingerprint collectors out there!
For me, this brings up both sides of "the fingerprint discussion":
- You can't change your fingerprints – once a real copy of them is compromised, they are compromised forever
- A representation of your fingerprint is stored on the device. So if the device is lost or stolen, this representation could be used to compromise other things, if they use the same representation of your fingerprint (i.e. any other device that uses the same manufacturer's hardware). Again, once stolen, they are stolen forever.
- After a couple of years, you'll likely trade your phone in for a new one, and today there isn't a way to know that a wipe of the phone wipes the saved representation of your fingerprint
- Your fingerprint may be backed up with your phone backup. Historically, your phone's backups have been easier to pillage than your phone.
- If your phone is damaged, you may not have a way of wiping it
On the other hand:
- On any given day, using your fingerprint is likely MUCH more secure for you than the 4 digit code you are likely using
- Since your phone code likely matches either your phone number or your bank code, either it's very easy to guess, or compromising it might have other unpleasant consequences for you.
There's lots of discussion on this online, I think we're still waiting on Apple to respond definitively on any of them.
Anyway, none of these arguments are new; we've been round and round on them any time in the last 10 years, since they started putting readers on laptops for login. What's changed is that there are way more phones than there are laptops, and in most cases the 4 digit unlock code on your phone is all that protects your chequing account, your Facebook, PayPal, Twitter and email accounts.
So, am I using my fingerprints yet? Not on any of my laptops, but once I upgrade my 4S to the new model, it'll be awfully tempting to take the plunge – I guess I'm still thinking about it. If Apple would implement a "fingerprint + PIN" two factor authentication solution, it'd be an easier decision.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.