Shortly after the launch of the new iPhone 5S, my old friend Rob emailed me trying to goad me into writing a post about it. After all, it was made by one of my least favourite companies and it contained a supposedly funky bit of kit in the shape of its fingerprint scanner. Rob pointed to the BBC article where they asked: “Could iPhone’s fingerprint sensor help kill off passwords?” and speculated whether that would be enough to get me to rant ^W comment.
I responded that biometrics had been well covered for a long time by many others and I didn’t think there was much to add that hadn’t already been said. I particularly liked a comment by Schneier back in 1998 where he said:
“Here’s another possible biometric system: thumbprints for remote login authorizations. Alice puts her thumbprint on a reader embedded in the keyboard (don’t laugh, there are a lot of companies who want to make this happen). The computer sends the digital thumbprint to the host. The host verifies the thumbprint and lets Alice in if it matches the thumbprint on file. This won’t work because it’s so easy to steal Alice’s digital thumbprint, and once you have it it’s easy to fool the host, again and again. Biometrics are unique identifiers, but they are not secrets.
Which brings us to the second major problem with biometrics: it doesn’t handle failure very well. Imagine that Alice is using her thumbprint as a biometric, and someone steals it. Now what? This isn’t a digital certificate, where some trusted third party can issue her another one. This is her thumb. She only has two. Once someone steals your biometric, it remains stolen for life; there’s no getting back to a secure situation. (Other problems can arise: it’s too cold for Alice’s fingerprint to register on the reader, or her finger is too dry, or she loses it in a spectacular power-tool accident. Keys just don’t have as dramatic a failure mode.)”
As I said, what’s to add? It’s just another apple gimmick (and as Schneier said “Don’t laugh, there are a lot of companies who want this to happen.”)
Rob tried again a couple of days ago when he emailed me this link to a page which put together a list of potential rewards offered to the first person or persons to crack the iPhone fingerprint scanner.
I’m sure he will be delighted to read the El Reg report today that the German Chaos Computer Club claim to have cracked it.
So I’ve posted this just for him.