Touch ID: Apple’s iPhone fingerprint sensor FAQ

Graham Cluley

What’s happened?
Apple has announced the iPhone 5S, which incorporates a biometric fingerprint sensor. The company is calling it Touch ID.

In a nutshell, it takes a high resolution (550 PPI) picture of the sub-epidermal layers of your skin – and checks that it matches the fingerprint it has on file for you.

If you’re lucky enough to get your fingers on an iPhone 5S, you will notice that the new Home button (ironically, the moving part of an iPhone that most often breaks in my experience) has a stainless steel ring around it, denoting where the Touch ID sensor is located.

What does it do?
You can use the sensor to unlock your iPhone, and to authorise purchases from iTunes, the App Store and Apple BookStore. Rather than enter your four-digit PIN code, or tap in your Apple ID password, you can press the fingerprint sensor instead.


So I don’t have to remember any passwords anymore?
Sorry, you still need to remember passwords. They’ve not all disappeared just yet.

How come? What doesn’t it do?
It cannot currently be used to unlock anything else on your iPhone. In other words, it can’t access iCloud, or your Keychain, or be used to log into third-party apps like Facebook. AllThingsD reports that Apple has confirmed iOS developers will not be given access to fingerprints or the sensor technology, although it’s unclear if that will always be the case.

I think it’s safe to assume that, at the very least, Apple’s own use of the technology will broaden.

It sounds a bit spooky. My iPhone can already track my location, and my private messages and documents are all being backed up to the cloud… Do I really want a big corporation storing my fingerprints too?
It’s a valid concern, and one of which Apple is keenly aware. The company says that fingerprint data is encrypted and not sent to its (or anyone else’s – sorry, NSA) servers.

Instead, the fingerprint data will be stored in encrypted form on the device (in what Apple calls a “secure enclave” of its new A7 chip), where it is not available to other processes, and will not be backed up to iCloud, Apple confirmed.

What if I want to share my phone with my partner or child?
You can teach the fingerprint sensor up to five different fingerprints. So if there is someone you trust to access your iPhone, you can include them in the system.

Is a Touch ID fingerprint sensor on an iPhone a good thing?
Well, that’s the $64,000 question.

The good news is that your fingerprint is always with you, and no two fingerprints are exactly alike. In other words, you don’t have to worry about forgetting your password – or choosing a weak one – if you choose to use Apple’s fingerprint sensor.

Apple says that less than half of all iPhone users have enabled four-digit PIN codes to prevent unauthorised access to their phones. Most people leave their iPhone unlocked, all the time – which is asking for trouble.

Even those people who do have some form of protection to lock their iPhone have, in the main, chosen to use a simple four-digit PIN code, even though the option of using a longer, more secure password is available. (Watch this video if you want to learn a great way to create a stronger, longer iPhone password and *still* remember it).

And that’s before we even raise the issue of phone owners choosing to use the same password in multiple places, increasing the risk of a device being compromised.

If you’re one of those people who has no lock on their iPhone, or who uses a four-digit PIN code (that could be cracked by a determined data thief using an attached computer), having a fingerprint check to unlock your iPhone may be a good solution. It certainly will put a stop to shoulder-surfers who spy on your password as you enter it, although there are some grisly scenarios of how criminals might try to obtain a working fingerprint to unlock your phone…

It sounds like Touch ID is easy to use, and it certainly should help prevent jealous partners and business rivals from snooping on private emails and messages.

It sounds neat. Can I get it for my current iPhone?
No, you need to have a new iPhone 5S. They’re not even available for pre-order (so be suspicious of any scams offering you a free one!). In the United States, the iPhone 5S will be available to purchase from September 20th.

Is Touch ID going to come to the iPad too?
You’d be a brave man to bet against it.

How are hackers going to respond to Touch ID?
It’s inconceivable that malicious hackers and data thieves won’t try to subvert Apple’s Touch ID fingerprint scanning technology. How capable they will be at doing that remains to be seen. But expect hackers to start looking at the system as soon as they can get their hands on one of the new iPhone 5S smartphones.

Further reading: How to beat fingerprint scanners [VIDEO]


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Touch ID: Apple’s iPhone fingerprint sensor FAQ”

  1. Steve Wilson

    You say that no two fingerprints are exactly alike, and that's true when you have all the time in the world to make microscopic examinations. In reality, any two fingerprints are quite a bit alike, which is why forensic fingerprinting is an art and is fallible. Sorry to labor the bleeding obvious, but it seems that people are somehow so mesmerised by "biometrics" that they forget this is not magic: it's actually computers and grimy sensors taking measurements of body parts and making quick decisions about whether the images contain a minimum number of pre-enrolled data points. A great deal can go wrong.

    What we really need to know about Apple's deployment includes the following:

    – What are the False Accept and False Reject Rates (FAR, FRR)… in the field and not just in the lab? The FAR determines security; the FRR convenience. All biometrics have to balance the two. Consumer biometrics is a tough compromise. They have to use fuzzy logic and allow for a wide range of error, in order to 'see through' dirty fingers, wear and tear on the button, different moisture levels, different angles and pressure of presentation, and to do so quickly (the user won't be in contact with the Home button for more than a fraction of a second).

    – What is the Failure-to-Enrol rate? A few percent of the population do not have readable fingerprints, thanks to age, skin conditions, or manual labor.

    – What anti-spoofing measures are integrated with the sensor, to ward off gelatine fakes or simply sticky tape used by a thief to lift off the dabs of the phone's user?

    People have to know that biometrics do not work like they seem to on the science fiction movies.

    1. Spryte · in reply to Steve Wilson

      Many valid points above without even going into the privacy/safety issues of where your biometrics are stored.

  2. Gaurav Bidasaria

    Apple has announced that developers will not get access to the touch id sensor at least for now. Read more below.

    This is sad as access to touch id sensor would lead to several security apps upgradation like for banking, files, folders, fpt, office clients and more.

    http://www.takeaclick.com/2013/09/11/developers-will-not-get-access-to-touch-id-sensor-for-now/1214/
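
The FAR/FRR trade-off raised in the first comment, and the effect of enrolling up to five fingerprints mentioned in the FAQ, worked through as an added example that is not part of the article or the comments. The match scores are constructed, not measurements of Touch ID or any real sensor, and treating the comparisons against each enrolled finger as independent is an assumption.

```python
# Constructed match scores in the range 0..1 (higher = closer match).
# GENUINE: the owner's own finger, including damp or dirty presentations.
# IMPOSTOR: other people's fingers presented to the same sensor.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.62, 0.85, 0.73, 0.90, 0.58, 0.83]
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.66, 0.30, 0.18, 0.55, 0.27, 0.47]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when any score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds):
    """FAR and FRR at each candidate threshold."""
    return [(t, *rates(t)) for t in thresholds]


def equal_error_threshold(thresholds):
    """Threshold where FAR and FRR are closest (the equal error rate point)."""
    return min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))


def far_with_enrolled(far_single, n_templates):
    """FAR when a match against any of n enrolled fingers unlocks the device.

    Assumes each comparison is an independent trial (a simplification).
    """
    return 1 - (1 - far_single) ** n_templates


if __name__ == "__main__":
    for t, far, frr in sweep([0.5, 0.6, 0.7, 0.8]):
        print(f"threshold={t:.1f}  FAR={far:.0%}  FRR={frr:.0%}")
    t = equal_error_threshold([0.5, 0.6, 0.7, 0.8])
    far, _ = rates(t)
    print(f"equal error threshold: {t}")
    print(f"FAR with 5 enrolled fingers: {far_with_enrolled(far, 5):.1%}")
```

Raising the threshold drives FAR down and FRR up, and each extra enrolled finger raises the effective FAR at a fixed threshold.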
