iPhone 5S fingerprint identity sensor is convenient, but not secure


ILLINOIS, USA: Apple recently launched the iPhone 5S featuring a fingerprint identity sensor. With the limited number of details that were revealed, VASCO came up with some remarks.


VASCO believes Apple came up with a convenient solution for unlocking the device:

* The fingerprint scanner is high-quality and easy to use. Earlier fingerprint scanners worked slowly and required you to place your finger at exactly the right spot; the version Apple integrated works intuitively and is thus easier to use.

* It does not gather the information from the dead top layer of skin on the finger, but from the sub-epidermal layers right underneath it. So, there is no fear of cut-off fingers.


* The biometric templates are encrypted and stored in the ‘secure enclave’ of the A7 chip environment of the iPhone 5S, so the data is not sent to the Apple servers.

VASCO wonders what the main objective of this feature is.

Apple states this is a convenient and secure way to access the phone and other services (such as the iTunes and iBooks stores). VASCO agrees that this scanner is indeed a convenient solution to get access to the phone, as it gives the user the possibility to get rid of PINs, which are often perceived as being annoying.


However, is it also a secure solution?

The new feature is announced as ‘fingerprint security’. But as far as VASCO can see from the information given, it believes the fingerprint scanner is just not secure enough.

* Security is as strong as the weakest alternative offered. For the Apple iPhone 5S, the back-up system when the phone is rebooted or hasn't been unlocked for 48 hours is a self-created password. It is a so-called static password.


Even Apple acknowledged in the past that static passwords are a poor defense.

Fraudsters and hackers can crack codes like we crack nuts. This is as much the case for mobile as for other devices. But mobile devices are more easily lost or stolen. This makes an iPhone 5S an easier target for fraudsters than, for example, a desktop computer.

* How secure can an ‘enclave’ on a chip be? White-hat and black-hat hackers will most certainly tell us how secure it is after the release of the iPhone 5S. In the meantime, Apple comments that only fingerprint data is being stored within the iPhone's processor. This means that even if someone cracks the chip, they wouldn't be able to reverse engineer a fingerprint. To be tested...


* Another potential security issue might be the ability to make purchases from iTunes, iBooks, the App Store, etc. The iPhone will then be sending a sort of authentication token to the Apple servers. How secure is that? Does this give Man-in-the-Middle attacks a chance to capture the token and abuse it for their own malicious purposes? Potentially this leads to new ways for fraudsters to hack user accounts.

Some other considerations from VASCO's point of view:

* Biometrics in general do not handle failure well. If a biometric signature (such as a thumbprint or a face scan) is stolen, you cannot restore it or set up another one. This biometric signature is indeed unique and once it is stolen, it remains stolen for the rest of one's life.


* Now, the verification is done inside the A7 chip in the phone itself. It is not available to any other software, nor stored on Apple's servers or backed up in iCloud. For now, at least. There is no assurance that this will not be done in the future. And would you consign your fingerprint to a commercial company? Especially when we think about what we hear about cyberespionage and secret services cooperating with commercial entities?

VASCO thinks that securing your mobile device is of utmost importance. The right balance between convenience and security needs to be found. According to VASCO, convenience is winning the battle in the iPhone 5S. But only after the release of the device and multiple tests can we be sure of that.

The author is with VASCO, USA.