iPhone 5s fingerprint sensor gets completely misunderstood


This article from the Toronto Star, giving 10 reasons the iPhone 5s Touch ID fingerprint reader is a "bad idea," has been making the rounds over the past couple of days. It's been almost universally derided -- and rightly so, because it reads like it was written by someone who's never even held an iPhone before.

[Want to help your friends and family grok the iOS 7 story? Send them a link to our Don't Panic Guide to iOS 7. --Ed.]

While the level of out-there wacky on this story may be atypically high, the core issue is all too common; this is the sort of brain-dead article that always comes out any time an Apple product includes technology that's new, or not yet popular (as noted, fingerprint ID is neither new in general nor new on a smartphone).

Someone in the media who knows nothing about tech consults a so-called "expert" who's never been in the same room with the device under discussion, much less held it in his hand, and we're "treated" to a conveniently-formatted Top Ten (reasons x) list of why (Apple technology y) will lead to the end of life as we know it.

All of this has happened before, and all of it will happen again. That's what makes my job so much fun.

Here's the Toronto Star's list, methodically ripped to shreds.

1. There is a video out there showing a cat being able to unlock the phone. How long before hackers crack the security function?

If you deliberately go out of your way to set up Touch ID to allow your cat's paw to unlock your phone, then yes, this will work. You can also set up Touch ID to work with various human body parts and appendages which are also not fingers. Use your imagination... just don't use mine.

The point is, you have to deliberately set up Touch ID to recognize your cat's paw print or your big toe, or whatever you're into. If you set up Touch ID to look for your thumb print but then put your cat's foot on the Home button, guess what happens? Your phone doesn't unlock.

[To answer the second part of the question, "how long before hackers figure out a way to simulate a fingerprint," the answer may be: not all that long. --Ed.]

2. If Apple gets it wrong, it will set back the biometrics industry years.

This article's "expert" consultant doesn't define what "getting it wrong" actually means. My question is, why so pessimistic? What if it turns out that Apple is the first entity to get biometrics right, and it moves the industry forward by several years?

3. This is a solution to a problem we don't have.

A collection of similar arguments (no indication at press time whether this article's "expert" ever uttered any of these gems, though I wouldn't be the least bit surprised):

  • My CD player is good enough! Why should I pay $500 for an MP3 player?
  • My BlackBerry is good enough! Why should I pay $500 for a phone without a keyboard?
  • My netbook is good enough! Why should I pay $500 for a big iPod touch?

4. Apple is using fear to sell this product.

Oh it is, is it? Here's Apple's marketing copy on Touch ID, available on its website:

You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID - a new fingerprint identity sensor.

Put your finger on the Home button, and just like that your iPhone unlocks. It's a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don't have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation - portrait, landscape, or anything in between - your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.


5. Moisture on your fingers, or something like pizza crust, can slow or confuse the device.

Guess what? Wet, pizza-encrusted fingers don't work really well on a touchscreen surface, either. Maybe you should wipe off your grungy paws before grabbing for the $500 portable computer in your pocket. Just because the iPhone's screen is oleophobic doesn't give you an excuse to coat your hands in Crisco every time you want to play Angry Birds.

6. Somewhere in your device will be your file so that it can take that information and reuse it.

First of all, there's a dedicated "enclave" in the iPhone 5s processor that's used solely for the purpose of storing encrypted data related to Touch ID. Its only connection to the rest of the iPhone's hardware is a function to say, "Touch ID check OK/Fail." The notion that someone could grab this data via a Bluetooth connection is ludicrous Hollywood "hacking" BS.

Second, the iPhone doesn't actually store fingerprint data in the first place. The iPhone 5s maps your fingerprint and converts that into a string of data (a one-way hash), then holds onto that chunk of data. The next time you put your paws on the phone, the same hashing process produces another data chunk; the two chunks -- not the two fingerprint images -- are matched up to allow access. In fact, assuming the hashing process works the same way as it does for existing iPhone passcodes, the fingerprint data is encoded in a way that's specific to that individual phone (salted). Copying it anywhere else would be useless. [Have we been hearing about hacker gangs remotely stealing iPhone passcodes via magical processes to use them elsewhere? No, we have not -- and if we had, it would almost certainly be via social engineering or visual spying as the phone is unlocked, both of which are impossible with Touch ID. –Ed.]

Anyone who somehow managed to access the iPhone's Touch ID circuitry and extract the hashed data would just find a string of alphanumeric gibberish, not a 3D-printable set of whorls and ridges ready to be turned into a latex Mission: Impossible-style fake finger. My TUAW colleague Dr. Richard Gaywood, who knows a thing or two about this stuff, says turning that data back into a readable fingerprint "would be like taking a cake, eating half of it, smashing the rest up with a fork, then giving it to someone and asking them, 'How much did the whole cake weigh, and what message was written on the icing that was on top of it?' "
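An added example, not from the original article and not Apple's code: a toy model of the device-bound one-way hashing described above, showing that a stored record copied to another phone does not verify there. The `Device` class, its per-device key and the byte strings standing in for a mapped fingerprint are all assumptions, and the input is treated as an exact byte string, following the article's passcode analogy.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for this example


class Device:
    """Toy phone holding a device-unique secret that never leaves it (hypothetical)."""

    def __init__(self):
        self._device_key = os.urandom(32)  # per-device salt, assumed unique per phone
        self._enrolled = []                # stored digests only, never the raw input

    def _digest(self, mapped_print: bytes) -> bytes:
        # One-way derivation bound to this device's secret.
        return hashlib.pbkdf2_hmac("sha256", mapped_print, self._device_key, ITERATIONS)

    def enroll(self, mapped_print: bytes) -> bytes:
        record = self._digest(mapped_print)
        self._enrolled.append(record)
        return record

    def import_record(self, record: bytes) -> None:
        # Models a stored record lifted from another phone and placed on this one.
        self._enrolled.append(record)

    def check(self, mapped_print: bytes) -> bool:
        # The only answer exposed to the rest of the phone: OK or fail.
        candidate = self._digest(mapped_print)
        return any(hmac.compare_digest(candidate, r) for r in self._enrolled)


def demo() -> dict:
    thumb = b"constructed-thumb-map"      # constructed sample input
    cat_paw = b"constructed-cat-paw-map"  # constructed sample input, never enrolled
    phone_a, phone_b = Device(), Device()
    record_a = phone_a.enroll(thumb)
    phone_b.import_record(record_a)       # copy A's stored record onto B
    return {
        "owner_unlocks_a": phone_a.check(thumb),
        "unenrolled_input_unlocks_a": phone_a.check(cat_paw),
        "copied_record_unlocks_b": phone_b.check(thumb),
        "record_is_raw_input": record_a == thumb,
    }


if __name__ == "__main__":
    print(demo())
```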

Besides, why go to all that trouble? If someone has your iPhone, and they want your fingerprints, they can just use a little-known technique called "dusting for fingerprints" and physically pull your prints off the outside of the device. I understand various law enforcement agencies have been utilizing this technique for around a century and a half now.

The common concern I've heard repeated often (sign of the times) is, "What if the NSA gets ahold of my phone? They'll get my fingerprints! And then they'll... they'll use them. They'll use my fingerprints to do their shady NSA stuff! YEEARGH!"

I'm not concerned with the NSA getting fingerprints off my phone. That's because my fingerprints are on file with the FBI and have been for nearly 20 years. Thanks, US military! And you're welcome, NSA! I figured I'd make life easy for you (except the part where I moved to New Zealand, I suppose).

7. Anytime you get complex software, it can lead to problems.

I honestly don't know what to say in response to this. I'm just basking in the glow of... whatever this is. I feel like this should be printed out in Helvetica Neue Light, white text on a black background, on the biggest poster anyone can find, and it should be hung in the atrium of Microsoft's world headquarters building.

8. This is targeted only for one market: People not concerned about security won't care.

So what? They don't have to use it then. News flash: not everyone cares about smartphones, either. The people who don't care about them are still rocking out with "feature phones" that only make phone calls and send texts. That doesn't affect the rest of us, who are playing video games and reading books and shooting high-definition video on our cellphones.

["People not concerned about security" should be a pretty small group. Many, if not most, iPhone users don't put a passcode on their phones at all. This is, frankly, dumb and dangerous -- your pocket computer holds a lot of personal information about you and your family, and it should be protected just like your Mac or PC. Moreover, you can't use Apple's new Activation Lock security feature without a passcode. Touch ID means that those folks who weren't using a passcode due to the lag and inconvenience now will have fewer excuses. –Ed.]

9. Expected technical difficulties with a new product.

"I don't think it's going to be welcomed because it's not going to be technically as effective as they thought. The technology is not yet good enough."

My Twitter timeline -- and every review of the device I've read so far -- strongly disagrees with this sentiment. Every bit of feedback I've seen suggests that Touch ID, like so many other things associated with Apple, "just works." The above statement reads like it was written by someone who had yet to handle the device and is simply scoffing at the functionality in the interest of being deliberately contrarian.

10. People will use it initially, but the novelty will wear off.

"People are going to start to use it in the beginning and then stop using it because of the time delay."

Again, reports from people who have actually used Touch ID suggest there is no time delay associated with using it. It's certainly faster than entering a passcode multiple times per day, which is why the feature was introduced in the first place.

No one is saying you have to use Touch ID. It's optional. Siri has been out for two years, but even though I use it all the time, I don't know anyone else in the real world who uses it on a day-to-day basis. But it's there if you want to use it -- just like Touch ID. That's the whole point... one of many the linked article's writer and interviewed "expert" seems to have missed.
