How secure is the iPhone 5S fingerprint sensor?

One of our talking points from IFA 2013 in Berlin last week was the need for smartphone manufacturers to take security more seriously, and introduce hardware features to better protect users from the growing rates of both mobile theft and malware attacks.

For all their impressive capabilities, IFA’s headline devices, the Sony Xperia Z1 and Samsung Galaxy Note 3, were fairly true to form by failing to include any new innovations that directly tackled security issues. After all, it’s the design and usability that sells, not the security measures, however important these are in the current mobile threat landscape.

But last night Apple seemed to hit a security sweet spot. The new fingerprint sensor built into the home button of the flagship iPhone 5S provides a valuable layer of authentication that helps protect the phone’s sensitive data if it ends up in the wrong hands, while the convenience and ‘futuristic’ novelty of the feature bring with them a great deal of consumer appeal. Security and usability in rare harmony.

The Touch ID sensor, 170 microns thin, sensing 500 ppi and scanning your sub-epidermal skin layers, harnesses the technology secured in Apple’s hefty $356 million (£225 million) acquisition of mobile security firm AuthenTec last year. Yet Andy Kemshall, co-founder of security firm SecurEnvoy, is among those in the industry who are sceptical whether the tech has been sufficiently advanced to be effective on devices like the iPhone 5S, claiming the feature “will undoubtedly leave users exposed to security risks.”

“Biometric authentication is not yet near the level it needs to be for the majority of consumer-facing organisations to implement it in their products,” Kemshall argues. “There are industries in which it does make sense to use the technology though, such as those in which many people are using a single or small number of devices. For example, airports often use a passport and eyeball scan to authenticate a traveller. But for an organisation such as Apple, which is creating multiple products for multiple users, it could not realistically enforce such a method.”

According to Kemshall, “fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods. The technology simply isn’t sophisticated enough. Take the face recognition method for example – as the technology stands, a device will unlock just by holding up a photo of the owner.”

Methods to circumvent fingerprint access, meanwhile, could be decidedly more gruesome. “It sounds extreme but if a terrorist wants to use someone's fingerprint to access important information about a high-profile company, they might just take the whole finger!” Kemshall adds.

Other industry figures have responded more positively to Apple’s move, with Dirk Sigurdson, director of security company Rapid7’s mobile division, highlighting how the fingerprint sensor alleviates the pressure on users to remember multiple strong passwords.

“A strong password that is only stored in someone's brain is arguably the best single factor of authentication. But, it's inherently difficult for people to create and remember strong passwords. Because weak passwords are often used, assuming the iPhone fingerprint reader and matching algorithm do a good job of protecting against fake fingers, biometric authentication should overall improve the security of iOS devices,” Sigurdson said.

Jonathan French, a security analyst for AppRiver, is similarly optimistic following last night’s announcement, arguing that the fingerprint feature will help counter mobile users’ intrinsic complacency. “The major benefit of having this technology built in to the phones will hopefully be that more users will now secure their devices. Most people don’t seem to think about the information that is contained in their phones or the severity of having that information stolen,” said French in a blog post this morning.

“I see adding this feature as a good move on the security side of things and I hope more manufacturers consider adding security measures due to how popular mobile devices are. Fingerprint readers for the most part, are a secure method of authentication,” he continued.

“It’s not perfect (I recall a famous myth busting show demonstrating this) but this new technology will hopefully be an easy authentication step for users to take in securing their phones. Making security easier for users to live with will make them more likely to use the proper security measures in the long run.”

As French emphasises, biometrics’ tendency not to impact heavily on the user’s activity is absolutely key. Typical log-in enhancements incorporate two-factor authentication, in which someone is given an additional code via another device to input into a system to gain access, the extra step making life far more difficult for would-be intruders. But the need for extra hardware and the time-consuming sequence has seen the technology remain largely within corporate environments rather than transferring to everyday consumers.

Yet the iPhone 5S’s sensor is very much the consumer-friendly feature. To such an extent, in fact, that according to Dave Birch, co-founder of IT consultancy group Consult Hyperion, “Apple TouchID isn't really about security, it's about convenience.”

Like Kemshall, Birch acknowledges the raft of ways fingerprint protection can be circumvented, such as the remains of user prints being stolen from displays, and the production of 3D models imitating specific fingerprints, but says the time and effort saved by simply touching a button for access makes the feature a wholly positive thing for the user. The security element may represent a small improvement on mobile protection rather than a definitive solution, but the convenience factor is boosted substantially. As Birch rightly points out, “Convenience is something at which Apple excel.”

So, like Sony and Samsung, Apple’s thought process was not significantly shaped by security when it designed the iPhone 5S. It was still driven by usability, just like every device produced in Cupertino and in the labs of its market rivals. But shrewdly, the US giant has given something for the security bods to scrutinise and applaud, further enhancing the iPhone’s enterprise credentials, while actually enhancing its consumer appeal, not downgrading it. Given the striking lack of improvements elsewhere on the 5S, the fingerprint sensor may well prove an important weapon in Apple’s arsenal as it prepares a marketing onslaught for its new flagship.