Slashdot Mirror


Apple's TouchID Fingerprint Scanner: Still Hackable

electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

70 comments

  1. Other hackable things by BasilBrush · · Score: 4, Insightful

    The summary mentions locks and keys as also being hackable. Also combination locks, face recognition, mag stripes, signatures, DRM, many forms of encryption, passwords, captchas, PINs, ATMs, online banking, credit cards. In fact there is precious little security that isn't hackable.

    Of course this isn't going to stop people here ragging on TouchID.

    1. Re: Other hackable things by AvitarX · · Score: 1

      The security feature I'd like to see is a way to turn off a locked phone by touch only (for example, the 5-quick-clicks method on the power button most portable vaporizers tend to use).

      This with a long password and whole disk encryption on boot

      I could then use sloppy security most of the time (4-digit PIN), but I could easily turn it off in my pocket before handing it over to a malicious actor (law enforcement / thief).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re: Other hackable things by alen · · Score: 1

      But I can buy a new tv at best buy with your phone and a bloody finger and the cashier won't stop me

    3. Re:Other hackable things by Anonymous Coward · · Score: 1

      The difference is that you don't *hack* a lock by copying the key, right? You tinker with the lock directly. Yet replicating one's fingerprint is somehow hacking...

    4. Re: Other hackable things by DocSavage64109 · · Score: 2

      If you don't know which finger, you'd have to bring all 10 of them and hope nobody in line behind you gets impatient while you keep trying different ones.

    5. Re: Other hackable things by pushing-robot · · Score: 4, Informative

      So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?

      You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.

      --
      How can I believe you when you tell me what I don't want to hear?
    6. Re: Other hackable things by AvitarX · · Score: 1

      that's actually exactly what I meant, thanks for the info. I'd mod you up if I could.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    7. Re:Other hackable things by kelemvor4 · · Score: 1

      In fact there is no such thing as security that isn't hackable, except that made from finely ground unicorn horns

      FTFY. I'm the farthest thing in the world from an Apple fanboy, but how does this pass for news?

      In other news, shit still stinks.

    8. Re: Other hackable things by Anonymous Coward · · Score: 0, Offtopic

      I could then use sloppy security most of the time (4-digit PIN), but I could easily turn it off in my pocket before handing it over to a malicious actor (law enforcement / thief).

      Just get an iPhone 6.

      By the time you get it out of your pocket, it'll be bent in half and unusable.

      It's been on shelves for a matter of days, but some iPhone 6 and iPhone 6 Plus users are complaining of a major design flaw that sees the smartphone body bend under pressure.

      Photos have begun appearing online showing distinctly bent aluminium devices, with complaints that the new iterations of the iPhone, which feature a thinner and larger aluminium body, are unable to stand up to the wear and tear of staying in a pocket.

      http://www.cnet.com/news/will-...

    9. Re: Other hackable things by Noah+Haders · · Score: 2

      well yes, that works, but it's a two-handed task that is hard to do on the sly. Also takes a couple seconds longer than is ideal when you have a knife to your chest or a Taser in your eye.

    10. Re: Other hackable things by Anonymous Coward · · Score: 0
      What do you expect? The hardware's just not that good.

      The Galaxy S5, which is recognized as a robust phone, has a BOM of $251.52 per unit and costs $600 outright. The iPhone 6 has a BOM of $200 and an outright cost of $869.

      Basically, Apple is charging more and providing less. That's why they have such huge margins.

    11. Re:Other hackable things by DrXym · · Score: 1

      Of course this isn't going to stop people here ragging on TouchID.

      I think it's quite reasonable to rag on it given that Apple are claiming they encrypt data on the phone. Maybe they do but if you can get at it with a fingerprint then it's not hugely more secure than before. Not that I would single out Apple for all the heat here - most phones are only protected by a short pin and even alternative authentication schemes are likely guessable in some way - e.g. Microsoft's photo login and Google's pattern unlock can probably be inferred just by looking at the finger smears on a screen.

    12. Re: Other hackable things by tlhIngan · · Score: 2

      well yes, that works, but it's a two-handed task that is hard to do on the sly. Also takes a couple seconds longer than is ideal when you have a knife to your chest or a Taser in your eye.

      Actually, given you must use a passcode if you fail TouchID 3 times in a row, all you need to do is use the tip of your finger or palm of your hand 3 times.

      Remember, the rules for TouchID:

      1) Must use passcode on boot
      2) Must use passcode if TouchID not used within previous 48 hours
      3) Must use passcode if TouchID fails 3 times in a row.

      The passcode is always the fallback and always good to make more secure than 4 digits because you aren't entering it all the time.

      A lot of people don't have passcodes because it's inconvenient to enter it to unlock your phone to glance at information (studies have shown that interaction times for phones are generally on the order of 1 minute or less). With TouchID, you can have not only just a PIN, but a "complex passcode" that's full alphanumeric+special characters + longer than 4 characters. But that's even more of a pain to enter.

      so just tap the sensor on the edge 3 times and you'll lock out TouchID.

    13. Re: Other hackable things by microhax · · Score: 1

      That's easy, just remove the bones and wear them on your own fingers.

  2. Indeed by Cloud+K · · Score: 4, Insightful

    It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
    People who go to these lengths would surely be either:
    Really determined for some reason (in which case they'd probably social engineer it out of you or something)
    People who'd just cut your finger off
    The police (at which point they've already obtained your phone and fingerprint)
    The NSA (who probably already have a backdoor)
    Either way, it's more secure than your typical 4 digit PIN or pattern unlock.

    If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

    1. Re:Indeed by jfengel · · Score: 4, Funny

      If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

      Correct!

    2. Re:Indeed by Charliemopps · · Score: 1

      It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
      People who go to these lengths would surely be either:
      Really determined for some reason (in which case they'd probably social engineer it out of you or something)
      People who'd just cut your finger off
      The police (at which point they've already obtained your phone and fingerprint)
      The NSA (who probably already have a backdoor)
      Either way, it's more secure than your typical 4 digit PIN or pattern unlock.

      If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

      No, it won't even protect you from your spouse.
      All you need is a photocopy of the owner's thumb.
      Your thumb print is conveniently all over the phone.
      I've seen these cracked by placing a clear piece of plastic over the screen... stenciling the print, put the clear plastic on a copier, xerox... hold copy to phone. Voilà. Fingerprint recognition is banned where I work for a reason.

    3. Re:Indeed by AmiMoJo · · Score: 1

      You shouldn't keep your credit card details on your phone in plaintext anyway. Contactless payments don't need to store them in a readable format.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re: Indeed by Anonymous Coward · · Score: 1

      There are different fingerprint sensors. Your method wouldn't work on an iPhone as it would need an optical scanner. The iPhone scanner works by measuring electrical field variations.

    5. Re:Indeed by Cloud+K · · Score: 1

      If your spouse is going to the lengths of covertly grabbing your phone, placing plastic over your screen, making sure you don't notice it, grabbing it again when you've used it, removing the plastic and taking it to a copier..
      1) What an awesomely geeky spouse, where do I find one? Or do I just marry a copper?
      2) You have much bigger problems to worry about than the security of your fingerprint scanner. But you might want to search for your divorce solicitors using Private Browsing on a throwaway pay-as-you-go phone and throw it into the canal afterwards. Just in case.

  3. Yeah, but... by Anonymous Coward · · Score: 0

    The types of locks we use on our doors only keeps honest people out.

  4. Oh, and one more thing... by Anonymous Coward · · Score: 0

    They forgot to mention the part about having access to the actual phone.

  5. Law Enforcement by organgtool · · Score: 4, Insightful

    This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

    1. Re:Law Enforcement by rsborg · · Score: 1

      This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      Exactly - those prints they have on file for you from many years ago should perfectly translate into TouchID-compliant proofs. They likely already stocked up on latex milk and the various things that CCC used.

      --
      Make sure everyone's vote counts: Verified Voting
    2. Re:Law Enforcement by pushing-robot · · Score: 1

      Per XKCD, it's far more likely they'd forcibly put each of your fingers on the phone than do something elaborate with your printed fingerprints.

      However— IIRC there's a lockout after a certain number of attempts, and IIRC from the first video it can take several tries to fool the sensor. So with ten fingerprints to choose from, not to mention different *parts* of each finger you could have used, it's less than probable they would succeed.

      (And the look on the officer's face when he realizes you used your nose: Priceless.)

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:Law Enforcement by santiago · · Score: 4, Interesting

      They better hurry, too. TouchID gets locked out after powering off the phone, 48 hours of inactivity, or a few failed attempts. After any of those, it will only respond to the passcode.

    4. Re:Law Enforcement by vux984 · · Score: 1

      This will likely make life even easier for law enforcement

      You're right.

      I can either go with a 4 digit PIN which is far more vulnerable to the look-over-the-shoulder or look at the dirty screen attack that low level criminals will use.

      Or I can go with a fingerprint which will defeat them, but can be extracted from me by law enforcement.

      Or I can go with a 40 key passphrase and be pretty safe from both groups -- but then I have to enter a 40 key passphrase before I can reply to a text message or check a new email.

      What do you propose?

    5. Re:Law Enforcement by praxis · · Score: 2

      I propose setting a nine digit password, enabling touch ID and disabling responding to texts on a lock screen.

      Nine digit password is better than four because it is quick to enter when you need to enter it, the length is unknown to an attacker and is less vulnerable to the dirty screen attack. The touch ID can be extracted by law enforcement but using the left middle finger or other less-common touch ID finger means they might run into the failed attempt limit before they get the right finger. Not having to unlock your phone to respond to a text message is convenient but I would disable that because you don't want someone pretending to be you (e.g. a cop responding to a text with "I have the dope ready for delivery" and then using that as probable cause to arrest you).

    6. Re:Law Enforcement by Anonymous Coward · · Score: 1

      This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      I'm curious to know how many non-techy people actually set PINs. When TouchID was announced, it was claimed by Apple that most folks don't / didn't.

      Also, it is mandatory to enter the PIN if your iPhone has been restarted (since the PIN is tied into the crypto key), if it's been more than 48 hours since it's been unlocked, or when entering the Touch ID & Passcode settings area.

      I don't think anyone is claiming TouchID is good enough to protect nuclear launch codes, but it's better than nothing, which is what a lot of folks supposedly had previously.

    7. Re:Law Enforcement by viperidaenz · · Score: 1

      You could just get a user's fingerprints from the screen of the device.

    8. Re:Law Enforcement by vux984 · · Score: 1

      I actually use a Galaxy S5, I've already got a good reasonable-length 'alternate passphrase'.

      I do very much like your advice about using a less frequent finger. Not only does that make it take longer, but one of the obvious sources for a fingerprint to use for the phone is the surface of the phone itself. So using your main index finger to unlock it, and then tapping it all over your screen ... the modern equivalent of putting a bunch of post-it notes with your password on your phone. With a less used finger, the print might still be there... but odds have shifted in your favor.

      The S5 however does not require a passphrase after boot-up. (I'm not sure how much of a big deal that is.) Nor do I see a setting to adjust the number of failed tries, or the lockout timer -- as it stands I get 5 tries, and then a 30 second lockout... then 5 more tries... it doesn't appear to ever fail completely over to passphrase. (Anyone else know otherwise?!)

    9. Re:Law Enforcement by jxander · · Score: 1

      Keyboard password with an altered letter... é ò ñ... one of those or something similar.

      --
      This signature is false.
    10. Re:Law Enforcement by brantondaveperson · · Score: 1

      The S5 however does not require a passphrase after boot-up. (I'm not sure how much of a big deal that is.)

      I take this to mean that if you can reboot the thing, which you can always do by letting the battery run flat and then charging it, you can access the device without the passphrase. If true, this would be a huge deal. Have I misunderstood?

    11. Re:Law Enforcement by John+Bokma · · Score: 1

      not to mention different *parts* of each finger you could have used

      or penis...

    12. Re:Law Enforcement by Noah+Haders · · Score: 1

      he likely meant that upon reboot you can use the fingerprint thing right away, whereas on the iPhone upon reboot you need to put in your PIN before the fingerprint thing will work. although i like the tone of your message.

    13. Re:Law Enforcement by AmiMoJo · · Score: 1, Informative

      Law enforcement use special bags to keep the phone powered up. The bag is basically a Faraday cage so that the phone can't be remote wiped, and has a charging cable built in to prevent the phone being powered off.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Law Enforcement by Wrath0fb0b · · Score: 2

      Do these bags simultaneously keep the phone powered on while preventing the internal clock from advancing? If so, I think there's some folks in Sweden that would like to award the creator some very nice jewelry.

    15. Re: Law Enforcement by Anonymous Coward · · Score: 0

      No you couldn't. Fingerprints are smudged on a touch device. Not clear enough.

    16. Re:Law Enforcement by vux984 · · Score: 1

      I take this to mean that if you can reboot the thing, which you can always do by letting the battery run flat and then charging it, you can access the device without the passphrase

      After a reboot I can login either by fingerprint or by passphrase. With the iphone my understanding is that the passphrase must be used the first time before it will allow a fingerprint.

      Again, I am not sure exactly what the real security advantage of that is, though.

    17. Re:Law Enforcement by Anonymous Coward · · Score: 0

      The pin is most likely fed into a key derivation function to decrypt the encryption keys for the file system, which would be stored in memory until reboot.
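An added example (not Apple's code and not from any commenter) that models the three fallback rules listed in the "rules for TouchID" comment above together with the key-derivation idea in this one: the passcode goes through a KDF to unwrap a file-system key that lives only in RAM, and the fingerprint path can do nothing more than hand out that cached key, so it is useless after a reboot, after three failed attempts, or after 48 hours without an unlock. PBKDF2, the XOR key wrap, the SHA-256 check value and all sample values are constructed stand-ins for the hardware-bound mechanisms a real device uses.

```python
"""Toy model of biometric fallback to a passcode-derived key.

Constructed example: not Apple's implementation. The passcode is run through
PBKDF2 (assumed stand-in for a hardware-bound KDF) to unwrap a constructed
file-system key. The unwrapped key is cached in RAM only after a successful
passcode entry; the fingerprint path can only return that cached key.
"""
import hashlib
import os
import secrets

LOCKOUT_FAILURES = 3            # rule 3: passcode after 3 failed fingerprints
IDLE_LIMIT_SECONDS = 48 * 3600  # rule 2: passcode if not unlocked in 48 hours
KDF_ITERATIONS = 100_000        # constructed; a real device binds this to hardware


def _xor(a: bytes, b: bytes) -> bytes:
    """Constructed key wrap: XOR of two equal-length 32-byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class LockedDevice:
    def __init__(self, passcode: str, enrolled_finger: str):
        self.salt = os.urandom(16)
        fs_key = secrets.token_bytes(32)                 # constructed file-system key
        self.wrapped_fs_key = _xor(fs_key, self._derive(passcode))
        self.fs_key_check = hashlib.sha256(fs_key).digest()  # lets us detect a wrong passcode
        self.enrolled_finger = enrolled_finger           # constructed finger label
        self._cached_fs_key = None                       # RAM only; gone on reboot
        self.failed_biometric = 0
        self.last_unlock = None                          # time of last successful unlock

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, KDF_ITERATIONS)

    def reboot(self) -> None:
        # Rule 1: RAM is cleared, so only the passcode can rebuild the key.
        self._cached_fs_key = None
        self.failed_biometric = 0

    def unlock_with_passcode(self, passcode: str, now: float) -> bool:
        candidate = _xor(self.wrapped_fs_key, self._derive(passcode))
        if hashlib.sha256(candidate).digest() != self.fs_key_check:
            return False
        self._cached_fs_key = candidate
        self.failed_biometric = 0    # the passcode is always the fallback and resets the counter
        self.last_unlock = now
        return True

    def unlock_with_finger(self, finger: str, now: float):
        """Return (fs_key or None, reason). The key only ever comes from the RAM cache."""
        if self._cached_fs_key is None:
            return None, "passcode required: device rebooted"
        if self.failed_biometric >= LOCKOUT_FAILURES:
            return None, "passcode required: too many failed fingerprints"
        if self.last_unlock is None or now - self.last_unlock > IDLE_LIMIT_SECONDS:
            return None, "passcode required: not unlocked within 48 hours"
        if finger != self.enrolled_finger:
            self.failed_biometric += 1
            return None, "fingerprint rejected"
        self.failed_biometric = 0
        self.last_unlock = now
        return self._cached_fs_key, "ok"


if __name__ == "__main__":
    dev = LockedDevice("correct horse battery staple", "right-thumb")
    print(dev.unlock_with_finger("right-thumb", 1.0)[1])        # rebooted
    print(dev.unlock_with_passcode("correct horse battery staple", 2.0))
    print(dev.unlock_with_finger("right-thumb", 3.0)[1])        # ok
    for t in range(3):
        dev.unlock_with_finger("left-pinky", 4.0 + t)
    print(dev.unlock_with_finger("right-thumb", 8.0)[1])        # too many failures
```

Running the script walks through boot, passcode unlock, fingerprint unlock and the three-failure lockout in order.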

    18. Re:Law Enforcement by gnasher719 · · Score: 1

      This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      I quite suspect that taking a fingerprint by force will make any evidence found impermissible. And it is very easy to prove that you took a fingerprint by force: All the accused has to do is say that you did in court, hand over their phone, and if the police don't have the passcode (which they wouldn't) the accused's story must be true.

  6. Laser? Try Gummy Bears by Anonymous Coward · · Score: 1, Interesting

    About 10 years ago I read a story about a Jr. High school in Australia (ages 13-15) that had set up fingerprint readers at all the computers. Attendance was taken by students logging into a classroom's computers. This was all fine until one day the teacher needed a number of students to do a task. The attendance showed everyone there, but in reality more than half were truant. One student was covering up something, and the nosy teacher pulled off the paper to find... candy gummy bears. "I was hungry." But that wasn't it at all. The teacher noticed the bears were half round with names beside them. Press finger into bear, then flip inside out and wrap around another finger (or a pencil). Insert into reader, logged in. Use lasers if you want, but that's doing it the hard way.

  7. On screen by Anonymous Coward · · Score: 0

    Fingerprints can be found all over the smartphone screen. I don't think you stick your key shape on your door.

    1. Re: On screen by Anonymous Coward · · Score: 0

      Not fingerprints. Parts of fingerprints mostly smudged. Worthless

  8. Re:Laser? Try Gummy Bears by rsborg · · Score: 1

    About 10 years ago...

    Clearly technology in fingerprint scanners could never have improved since then.

    --
    Make sure everyone's vote counts: Verified Voting
  9. Yes by Anonymous Coward · · Score: 2, Interesting

    and it is much easier to take a peek at my screen one of the 20 times a day I type in my 4 digit code than to fake the fingerprint.

  10. Re:Laser? Try Gummy Bears by narcc · · Score: 1

    Well, it doesn't appear to have improved...

  11. Don't use the forefinger or thumb by rolfwind · · Score: 1

    And a different hand than you usually hold it with. Should be good enough if the phone is just randomly lost.

    I wonder if you have to use the end of a finger or could use the "print" on the middle or proximal phalanx?

  12. Sudden outbreak of common sense by sootman · · Score: 4, Insightful

    "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

    Thank you, submitter and Slashdot, for not going for sensationalism and leaving this out of the summary.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Sudden outbreak of common sense by Anonymous Coward · · Score: 1

      Yes, exactly. That's why it's important to have a society where laws cover these situations. My house happens to have a glass door on the patio that could be "hacked" with a simple medium-sized rock. And I bet most people have easily accessible windows. But there's a reason why we don't worry about people easily breaking our windows and taking our stuff.

    2. Re:Sudden outbreak of common sense by Anonymous Coward · · Score: 0

      ... "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

      Yes, locks deter the opportunistic thief, not the skilled burglar or psychotic criminal. But locks tend to leave evidence of their failure: A smashed window or door. Contrary to the movies, few criminals can lock-pick a decent door lock. But what evidence does a biometric lock produce when it's been cracked? This is problem 2 with biometric locks. Problem 1 being the key (namely you) can't be changed. Problem 3, shown on a 'NCIS' episode, is that a master key may be invisibly coded into a biometric lock.

    3. Re:Sudden outbreak of common sense by Anonymous Coward · · Score: 0

      "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

      Thank you, submitter and Slashdot, for not going for sensationalism and leaving this out of the summary.

      Exactly. Who are we actually trying to protect against? Who are all these hackers waiting to get into my email and see pictures of my cat? There is reasonable and then there's simply paranoid. If you carry more sensitive data on your phone then yeah a long passphrase and maybe even disabling TouchID is an idea, but 90% of people don't have anything that people care about and if they did, the odds of someone finding their phone and being one of these people that can replicate your fingerprint is vanishingly small. Most people are good and will try to return the phone, and if not they will wipe it and use it since they don't care about your data.

    4. Re:Sudden outbreak of common sense by Anonymous Coward · · Score: 0

      "We use locks on our doors to keep criminals out not because they are perfect, but [snip]

      Exactly. Who are we actually trying to protect against?

      1. Law enforcement.
      2. Family members
      3. Muggers
      4. Your friends at the bar when you go to the bathroom

      How does it do against each attack? How does it compare to alternative security?

      (1) has many obvious options:

          - force your finger onto the device, go fishing for data, then use "parallel construction" so they don't even have to argue about the phone's admissibility. If they do have to argue they can use the 48-hour timeout as an excuse for the extreme search methods: evidence was about to be destroyed.

          - take your fingerprint at "booking" and then use a $10,000 iphone unlocking kit bought with your tax money to unlock the phone.

      (2) has the time (and, if seeking divorce settlements, extreme motivation) to make fake fingerprints, and the ability to read the Internet to learn how to do it, ability to try and fail over and over, and is likely to be an intelligent person instead of a retarded thief.

      (3) is worse than nothing because it provides an incentive to chop off your finger. Fingerprints are also very poorly-suited defense to this attack because the defensive goal is to brick the phone to demotivate the violent mugging, not to protect data. The thief will take the phone to a fence who will have CDMA Workshop or some other baseband-hacking tool to factory-reset the phone in spite of the lock, so that's what the defense needs to frustrate, and there are obviously other techniques to do this which California has just made mandatory. The fingerprint scanner might help banks because any credit cards stored in the phone are less likely to get used by the thief on the way to the fence, but (a) not your problem because you're not liable, (b) weren't you also carrying plastic copies of your cards? since paying-by-phone is a douchebag party trick and not actually easier in any way than taping a credit card to a phone and waving this over the scanner.

      (4) Granted, it should do a good job of #4, but not as good a job as taking your phone with you when you go to the bathroom which you can easily do.

      tl;dr It's a Silicon Valley party trick, and a really bad one since all your friends have the exact same phone. There is almost no security aspect to this. It makes things worse by giving a false sense of security and motivating chopping off fingers. It distracts from meaningful security. And it fetishizes a tool states use to control their citizens.

      However this armchair non-specialist security "analysis" on fanboi blogs and comment sections is solution-looking-for-problem reasoning. Instead of building an attack model and designing the best defense among several available, you are handed a tool by beneficent omniscient Apple, so you try to see what quiet brilliance is behind their latest gift by inventing scenarios where it could help you. You are treating them like a God and applying religious reasoning to their work. Stop.

  13. Re:Laser? Try Gummy Bears by praxis · · Score: 1

    Well, it doesn't appear to have improved...

    Why does it not appear that way? It's much more difficult to fool a fingerprint scanner today than it was ten years ago. Just because they're not perfect does not mean they're not better.

  14. Biometrics are Not the Answer by Anonymous Coward · · Score: 1

    Would you use passwords if they appeared on everything you touched and could never be changed?

    1. Re:Biometrics are Not the Answer by jklovanc · · Score: 1

      and could never be changed

      You actually have ten different ones that can be rotated. Replicating a good enough fingerprint for TouchID is not easy. The cracker would not know if the fingerprint reproduction was faulty or the wrong finger was used. Since TouchID is disabled after a few tries it is not a bad choice for a device with the security need of a cell phone. It is a balance between convenience and security. As the submitter said, only a few people can do it and the chance of failure is high. Not everything needs top level security.

      If biometrics is not the answer for this level of security, what is?

    2. Re:Biometrics are Not the Answer by Anonymous Coward · · Score: 0

      Biometrics is never the answer for security unless you have a highly trained guard to go along with it to check that you are not trying to fool the biometric system.

      For fingerprints this requires the guard to physically check your finger for tampering, and to place your finger in the scanner to make sure you are not tampering between the checking and the scanning.

  15. Well... by Anonymous Coward · · Score: 0

    ..."We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

    And the sound of a 12 gauge shotgun racking a shell takes care of the non-traditional threats.

  16. Two out of three.... by mark-t · · Score: 1

    "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

    There is a third reason that such locks are practical, and it is something that cannot be satisfied by any kind of biometric authentication.

    Failure of the security system provided by locks, however infrequent, can still be mitigated enough to carry on with no less effectiveness to meet security threats in the future as you had before the failure. I.e., you can go ahead and change a lock.

  17. Re:Laser? Try Gummy Bears by diamondmagic · · Score: 1

    I can't find any actual instances of it happening, but this appears to mention the rumor you're talking about: http://whatis.techtarget.com/d...

  18. 8 or 40, wtf? by s.petry · · Score: 1

    I use a longer passcode on my phone than 4 characters, but not even close to 40. If you need to use bad/broken logic to justify the use of something, it probably does not deserve justification.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:8 or 40, wtf? by vux984 · · Score: 1

      I use a longer passcode on my phone than 4 characters, but not even close to 40.

      On a phone keypad I'd rather enter a phrase than a complicated shorter password due to the klutziness of smartphone keyboards and the tedium of switching cases and accessing punctuation symbols.

      If you need to use bad/broken logic to justify the use of something, it probably does not deserve justification.

      10-12 characters, including numbers and punctuation marks would still be beyond annoying to have to enter every time I access my phone.

    2. Re:8 or 40, wtf? by s.petry · · Score: 1

      My point was, and is, that there are options between 4 and 40 characters so you are not stuck with one or the other as you implied. In fairness, you may not have intentionally made this implication, but nevertheless it was made.

      I agree a 4 number PIN is a horrible idea if you are worried at all about security. A 9 character PIN is going to be much harder to break into and still easy enough to manage. My screen is auto-locking at 5 minutes and I have the option of pressing a very fast access button to immediately lock the phone at a touch.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  19. Re:Laser? Try Gummy Bears by s.petry · · Score: 1

    Jello works just as well. Working at the Department of Defense we annually had to reject the latest greatest "biometric wonder" finger print ID systems because we could easily spoof people's identity lifting prints with Jello, then log in with the same Jello. Obviously a truly malicious person could eat the tasty evidence and ensure nobody knew what happened..

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  20. Different problem by nbahi15 · · Score: 1

    So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?

    You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.

    The problem being solved here isn't one of ubiquitous use of complex passcodes. The problem is people not using passcodes at all because they are inconvenient. TouchID is a middle-ground between a complex passcode and no passcode.

  21. Physical access... by RyuuzakiTetsuya · · Score: 1

    If you have the device in hand, you've pretty much won.

    I'm worried more about the "secure enclave."
    It has been a year and it's still not broken. I hope it stays that way.

    --
    Non impediti ratione cogitationus.
  22. Eh... so? by binary+paladin · · Score: 1

    Unless I'm missing something, three failed attempts and you have to enter the passcode. Reboot and you have to enter the passcode. 48 hours of not being used and you have to enter the passcode.

    I just got a 5S and the TouchID is okay, but even when using the correct finger it doesn't always work and I have to enter my passcode (which is quite long). It wouldn't be hard to guess which finger I used but even then... everything would have to go perfectly to get into the phone using that method.

  23. laugh by koan · · Score: 1

    What moron is storing anything to worry about there?

    Oh yeah, Apple's "wallet", good luck with that.

    --
    "If any question why we died, Tell them because our fathers lied."
  24. Worse than nothing by Anonymous Coward · · Score: 0

    "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token. [...] Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." -- http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

    Apple is fetishizing the everyday use of fingerprints, which has dystopian consequences that outweigh any crappy security (or false sense thereof) that it might provide.