As you've probably heard by now, Apple's Touch ID—the technology behind the iPhone 5s's new fingerprint scanner—was circumvented over the weekend by a group of German security researchers. With little more than the kind of supplies you'd find in the home of your average computer enthusiast, the hackers claim to have fooled the sensor on their brand-new handsets into accepting a fake fingerprint that had been photographed at high resolution, printed out, and transferred to a piece of latex.
If true, this trick appears to cast some serious doubts on just how effective Touch ID is at keeping your information secure from ill-intentioned third parties. But despite those concerns, you shouldn't discount the usefulness of Apple's fingerprint-based security system just yet.
Being, having, and knowing
As I mentioned in an article I wrote for Macworld back in August, the idea behind using fingerprints to unlock your phone is that they tie your data to something that uniquely identifies you in a physical way. Unlike a password, which can be guessed and cracked even if nothing is known about its user, biometric data like fingerprints is generally thought to be impossible to reproduce without having access to the original.
More to the point, fingerprints aren't supposed to replace your passwords so much as work alongside them. The idea is that even if hackers manage to guess your password, they still won't have the finger that goes along with it. Ideally, for added security, you'd even want to couple a fingerprint (something you "are") and a password (something you "know") with a third item that is in your possession, like an access card or a device capable of receiving SMS messages (something you "own").
From this point of view, then, the protection that Touch ID offers starts to look a bit iffy. As many have already pointed out, given how easily the German researchers were able to fool the iPhone's fingerprint sensor, it would be trivial for a thief who has physical access to your surroundings to take a picture of your prints and use them to unlock your phone. (Incidentally, if you're worried about leaving usable fingerprints right on your phone itself, one suggestion is registering a seldom-used finger, like your pinkie, to minimize the risk.)
This scenario, however, has a few flaws for all but a relatively small portion of users. For one thing, even if a would-be thief could unlock your phone with a fake fingerprint, they would also have to get their hands on your iPhone for long enough to siphon all its information out, or, at the very least, for as long as it takes to change your iCloud password so that they could try to gain access to your backups, calendars, and e-mail accounts. This is not as simple as it sounds--at least, as long as the thieves aren't known to the phone owner.