Saturday, September 14, 2013

The iPhone Fingerprint Sensor is a Very Bad, Very Insecure Idea

Daily Beast reports:

While fingerprint sensors might seem like a nifty way to shorten the steps to your next brilliant tweet and keep your buddy from punking your Facebook with a fake status update, they’re more likely to create a false sense of security, thanks to statements like this, from Apple Senior Vice President Dan Riccio, in the introductory video for the new iPhone 5s:

“Your fingerprint is one of the best passwords in the world. It’s always with you, and no two are exactly alike.”

Riccio is half-right. Your fingerprint is always with you, and no two are exactly alike. But that doesn’t make it one of the best passwords in the world. That actually makes it a potentially lousy password, says Gene Meltser, technical director for Chicago-based security firm Neohapsis Labs, because there’s nothing you can do to change it, to keep the cyberthugs guessing.

“All we have are 10 fingers,” Meltser told The Daily Beast. “That means we can only authenticate successfully 10 times. Once that data is compromised, we are for the rest of our lives unable to authenticate.”

We leave fingerprints everywhere, every day, all day long. Any goober can stick a piece of tape on a greasy thumb depression left on a soda can, peel it off, scan it into a computer, and figure out a way to trick a fingerprint sensor into letting him inside.

Passwords, on the other hand, are stored (or should be stored) only inside the brain. You don’t walk around all day slapping your PIN code on toilet seats and door handles. And even if you did do that, or you figured out someone had peeped over your shoulder and swiped your password, you could change it, and you’re back in Secureville.

If someone grabs your fingerprint, and that’s what you use to get into your phone, they’ll always have it. And unless you find some sweet 007 technique for burning your fingertips off and creating a whole new set, you will not be able to do anything to set a “new” password.

Read more here.

3 comments:

  1. Fingerprint and Touch ID are getting a lot of traction in the news these days as Apple is set to roll out the new iPhone 5S with this biometric add-on on September 20th. Touch ID will all but eliminate the need for passwords and PINs when using your iPhone 5S. But, what happens if you don't have the new phone? What options do users who have an Android, Blackberry or Microsoft device or an iPhone 4S, 5 or even new 5C have available to them? EyeVerify!

    EyeVerify is the exclusive provider of Eyeprint Verification, a highly accurate biometric for mobile devices. Eyeprint Verification delivers a password-free mobile experience and secure authentication at a glance. This patented solution uses existing cameras on smartphones to image and pattern match the blood vessels in the whites of the eyes. Best of all, you can get this technology right now for your existing device as long as your device has a 1 megapixel camera.

    Apple’s TouchID and the Eyeprint accomplish the same ultimate end goal. It is an accurate, secure & simple way to answer the question "Who is holding the phone?" Eyeprint Verification just happens to be more accessible to more of the population trying to solve the password problem.

    To learn more about the differences in these technologies:
    Check us out online www.eyeverify.com
    Read our blog http://eyeverify.com/blog/
    Follow us on twitter @eyeverify
    Watch us on YouTube https://www.youtube.com/watch?v=Rv2PavHmtkY
    Contact us to schedule an interview at denise.myers@eyeverify.com

  2. > If someone grabs your fingerprint, and that’s what you use to get into your phone

    No, the Apple fingerprint sensor scans the capillary blood vessels under your skin. Apple engineers are not stupid. Android people might have implemented the traditional fingerprint though.

  3. Lol, capillary blood vessels. I guess Apple engineers are stupid after all, or how do you explain that Touch ID has already been hacked?
