Research suggests as many as half of users never set up a four-digit PIN or a more complex password to lock their devices, Apple said during its presentation.
Rogers believes fingerprints could add great security if they're used in conjunction with other security credentials as part of two-factor authentication.
For example, Apple could allow users to set a strong, complex password that's used to encrypt the file system and which would need to be entered only when the device is switched on. The user's fingerprint could then be used as a medium-strength access credential to unlock the device when it's on and needs to be used. This would provide both security and convenience for users, Rogers said.
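The two-tier scheme Rogers sketches, as an added model in Python (not Apple's implementation and not code from the article): the strong passphrase is needed only at boot to derive the file-system key, the fingerprint is honoured only while that key is already in memory, and repeated misreads fall back to the strong factor rather than a weaker one. The PBKDF2 derivation, the exact-match stand-in for a fingerprint template and the three-misread limit are assumptions of this demo.

```python
import hashlib
import hmac
import os

MAX_PRINT_FAILURES = 3  # after this many misreads, only the strong passphrase unlocks


class Device:
    def __init__(self, passphrase, fingerprint_template):
        self.salt = os.urandom(16)
        key = self._derive(passphrase)
        # Persist a check value derived from the key, never the file-system key itself.
        self.key_check = hmac.new(key, b"key-check", "sha256").digest()
        # Constructed stand-in for an enrolled template (exact match; real matchers are fuzzy).
        self.enrolled = hashlib.sha256(fingerprint_template).digest()
        self.fs_key, self.locked, self.print_failures = None, True, 0  # key only in RAM after boot

    def _derive(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def boot(self, passphrase):
        # Cold start: only the strong passphrase can produce the file-system key.
        key = self._derive(passphrase)
        if not hmac.compare_digest(hmac.new(key, b"key-check", "sha256").digest(), self.key_check):
            return False
        self.fs_key, self.locked, self.print_failures = key, False, 0
        return True

    def lock(self):
        self.locked = True  # screen lock: the key stays in RAM

    def power_off(self):
        self.fs_key, self.locked = None, True  # key gone: a fingerprint alone is now useless

    def unlock_with_fingerprint(self, template):
        # Medium-strength credential, honoured only while the key is already in memory.
        if self.fs_key is None or self.print_failures >= MAX_PRINT_FAILURES:
            return False
        if hmac.compare_digest(hashlib.sha256(template).digest(), self.enrolled):
            self.locked, self.print_failures = False, 0
            return True
        self.print_failures += 1
        return False

    def unlock_with_passphrase(self, passphrase):
        # Fallback after repeated misreads is the strong factor, not a weaker path.
        if self.fs_key is None or not hmac.compare_digest(self._derive(passphrase), self.fs_key):
            return False
        self.locked, self.print_failures = False, 0
        return True
```

After `power_off()` neither credential unlocks the screen; only `boot()` with the passphrase recreates the key.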
In addition, if Apple would allow other applications on the device to use the fingerprint sensor, it could increase the security of those applications. For example, a banking application could require users to authorize transactions by scanning their fingerprints, limiting what attackers can do if they steal those users' log-in passwords, he said.
Overall, the sensor has the potential to increase the security of the device, but it depends on implementation and whether consumers will actually use it, Christopher Pogue, director of security vendor Trustwave's SpiderLabs security research team, said via email. "It is key that consumers can easily understand how to use the sensor."
Like Rogers, Pogue believes that fingerprints would be most valuable if used as part of a two-factor authentication system.
"Like anything else that runs on a mobile device, the scanner itself is an application that interfaces with the underlying operating system and like other applications, regardless of function, there are vulnerabilities that exist due to a multitude of factors," Pogue said. "This application will likely be no different, and exploits will certainly be forthcoming if not already here."
Unlike a password, a fingerprint is not something a person can forget or share with someone else, so in that regard it provides stronger access control than a password, Pogue said. However, there has to be a failsafe mechanism to prevent the device owner from being locked out in case his fingerprint is modified as a result of an injury, for example, he said. "It's this 'back door' access that, if present, would likely lead to unforeseen security vulnerabilities."
Security best practices indicate that access control should always use at least two factors: "something you know," like a password or PIN; "something you have," like a physical token device; or "something you are," like a biometric feature, including fingerprints, Pogue said. Adding an additional layer of defense makes unauthorized access to the device through that mechanism exponentially more difficult, he said.