TouchID
Latest
iPhone 5s fingerprint sensor gets completely misunderstood
This article from the Toronto Star, giving 10 reasons the iPhone 5s Touch ID fingerprint reader is a "bad idea," has been making the rounds over the past couple of days. It's been almost universally derided -- and rightly so, because it reads like it was written by someone who's never even held an iPhone before. [Want to help your friends and family grok the iOS 7 story? Send them a link to our Don't Panic Guide to iOS 7. --Ed.] While the level of out-there wacky on this story may be atypically high, the core issue is all too common; this is the sort of brain-dead article that always comes out any time an Apple product includes technology that's new, or not yet popular (as noted, fingerprint ID is neither new in general nor new on a smartphone). Someone in the media who knows nothing about tech consults a so-called "expert" who's never been in the same room with the device under discussion, much less held it in his hand, and we're "treated" to a conveniently-formatted Top Ten (reasons x) list of why (Apple technology y) will lead to the end of life as we know it. All of this has happened before, and all of it will happen again. That's what makes my job so much fun. Here's the Toronto Star's list, methodically ripped to shreds. 1. There is a video out there showing a cat being able to unlock the phone. How long before hackers crack the security function? If you deliberately go out of your way to set up Touch ID to allow your cat's paw to unlock your phone, then yes, this will work. You can also set up Touch ID to work with various human body parts and appendages which are also not fingers. Use your imagination... just don't use mine. The point is, you have to deliberately set up Touch ID to recognize your cat's paw print or your big toe, or whatever you're into. If you set up Touch ID to look for your thumb print but then put your cat's foot on the Home button, guess what happens? Your phone doesn't unlock. [To answer the second part of the question, "how long before hackers figure out a way to simulate a fingerprint," the answer may be: not all that long. --Ed.] 2. If Apple gets it wrong, it will set back the biometrics industry years. This article's "expert" consultant doesn't define what "getting it wrong" actually means. My question is, why so pessimistic? What if it turns out that Apple is the first entity to get biometrics right, and it moves the industry forward by several years? 3. This is a solution to a problem we don't have. A collection of similar arguments (no indication at press time whether this article's "expert" ever uttered any of these gems, though I wouldn't be the least bit surprised): My CD player is good enough! Why should I pay $500 for an MP3 player? My Blackberry is good enough! Why should I pay $500 for a phone without a keyboard? My netbook is good enough! Why should I pay $500 for a big iPod touch? 4. Apple is using fear to sell this product. Oh it is, is it? Here's Apple's marketing copy on Touch ID, available on its website: You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID - a new fingerprint identity sensor. Put your finger on the Home button, and just like that your iPhone unlocks. It's a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don't have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation - portrait, landscape, or anything in between - your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too. BOOGA BOOGA! 5. Moisture on your fingers, or something like pizza crust, can slow or confuse the device. Guess what? Wet, pizza-encrusted fingers don't work really well on a touchscreen surface, either. Maybe you should wipe off your grungy paws before grabbing for the $500 portable computer in your pocket. Just because the iPhone's screen is oleophobic doesn't give you an excuse to coat your hands in Crisco every time you want to play Angry Birds. 6. Somewhere in your device will be your file so that it can take that information and reuse it. First of all, there's a dedicated "enclave" in the iPhone 5s processor that's used solely for the purpose of storing encrypted data related to Touch ID. Its only connection to the rest of the iPhone's hardware is a function to say, "Touch ID check OK/Fail." The notion that someone could grab this data via a Bluetooth connection is ludicrous Hollywood "hacking" BS. Second, the iPhone doesn't actually store fingerprint data in the first place. The iPhone 5s maps your fingerprint and converts that into a string of data (a one-way hash), then holds onto that chunk of data. The next time you put your paws on the phone, the same hashing process produces another data chunk; the two chunks -- not the two fingerprint images -- are matched up to allow access. In fact, assuming the hashing process works the same way as it does for existing iPhone passcodes, the fingerprint data is encoded in a way that's specific to that individual phone (salted). Copying it anywhere else would be useless. [Have we been hearing about hacker gangs remotely stealing iPhone passcodes via magical processes to use them elsewhere? No, we have not -- and if we had, it would almost certainly be via social engineering or visual spying as the phone is unlocked, both of which are impossible with Touch ID. –Ed.] Anyone who somehow managed to access the iPhone's Touch ID circuitry and extract the hashed data would just find a string of alphanumeric gibberish, not a 3D-printable set of whorls and ridges ready to be turned into a latex Mission:Impossible-style fake finger. My TUAW colleague Dr. Richard Gaywood, who knows a thing or two about this stuff, says turning that data back into a readable fingerprint "would be like taking a cake, eating half of it, smashing the rest up with a fork, then giving it to someone and asking them, 'How much did the whole cake weigh, and what message was written on the icing that was on top of it?' " Besides, why go to all that trouble? If someone has your iPhone, and they want your fingerprints, they can just use a little-known technique called "dusting for fingerprints" and physically pull your prints off the outside of the device. I understand various law enforcement agencies have been utilizing this technique for around a century and a half now. The common concern I've heard repeated often (sign of the times) is, "What if the NSA gets ahold of my phone? They'll get my fingerprints! And then they'll... they'll use them. They'll use my fingerprints to do their shady NSA stuff! YEEARGH!" I'm not concerned with the NSA getting fingerprints off my phone. That's because my fingerprints are on file with the FBI and have been for nearly 20 years. Thanks, US military! And you're welcome, NSA! I figured I'd make life easy for you (except the part where I moved to New Zealand, I suppose). 7. Anytime you get complex software, it can lead to problems. I honestly don't know what to say in response to this. I'm just basking in the glow of... whatever this is. I feel like this should be printed out in Helvetica Neue Light, white text on a black background, on the biggest poster anyone can find, and it should be hung in the atrium of Microsoft's world headquarters building. 8. This is targeted only for one market: People not concerned about security won't care. So what? They don't have to use it then. News flash: not everyone cares about smartphones, either. The people who don't care about them are still rocking out with "feature phones" that only make phone calls and send texts. That doesn't affect the rest of us, who are playing video games and reading books and shooting high-definition video on our cellphones. ["People not concerned about security" should be a pretty small group. Many, if not most, iPhone users don't put a passcode on their phones at all. This is, frankly, dumb and dangerous -- your pocket computer holds a lot of personal information about you and your family, and it should be protected just like your Mac or PC. Moreover, you can't use Apple's new Activation Lock security feature without a passcode. Touch ID means that those folks who weren't using a passcode due to the lag and inconvenience now will have fewer excuses. –Ed.] 9. Expected technical difficulties with a new product. "I don't think it's going to be welcomed because it's not going to be technically as effective as they thought. The technology is not yet good enough." My Twitter timeline -- and every review of the device I've read so far -- strongly disagrees with this sentiment. Every bit of feedback I've seen suggests that Touch ID, like so many other things associated with Apple, "just works." The above statement reads like it was written by someone who had yet to handle the device and is simply scoffing at the functionality in the interest of being deliberately contrarian. 10. People will use it initially, but the novelty will wear off. "People are going to start to use it in the beginning and then stop using it because of the time delay." Again, reports from people who have actually used Touch ID suggest there is no time delay associated with using it. It's certainly faster than entering a passcode multiple times per day, which is why the feature was introduced in the first place. No one is saying you have to use Touch ID. It's optional. Siri has been out for two years, but even though I use it all the time, I don't know anyone else in the real world who uses it on a day-to-day basis. But it's there if you want to use it -- just like Touch ID. That's the whole point... one of many the linked article's writer and interviewed "expert" seems to have missed.
The first person to hack Touch ID is going to make a lot of money
Apple's iPhone 5s, which sports the fancy Touch ID fingerprint sensor, hasn't launched yet, but there's already a reward for being the first person to successfully hack it. The aptly named IsTouchIDHackedYet.com is tallying the names of everyone who has pledge money to the individual (or team, I suppose) who can successfully lift a fingerprint from an object and then use that print to unlock an iPhone 5s using Touch ID. As you can see by the list on the website, there's a whole lot of cash to be gained. Of course, it's up to each individual pledger to follow up with the payment, though with Chicago's IO Capital tossing a cool $10,000 USD into the ring, you can (hopefully) count on good payday even if a few of the smaller donators chicken out.
iPhone 5c, 5s teardown by Australian repair shop
They're not due in the US until tomorrow, but it's already tomorrow somewhere in the world, and that somewhere is Australia. Well, that didn't make any sense, but the point is that some blokes at Sydney, Australia-based iExperts got their hands on some brand-new iPhones and did a teardown before the guys at iFixit were able to do the same. As usual, the devices are locked down with pentalobe screws and require the use of a suction cup to remove the screen. The team noticed that there's a special cable that connects the Touch ID sensor on the iPhone 5s to the charging port assembly -- not sure of the reason, but I'd speculate that it's for grounding the sensor when the iPhone is docked and charging. The batteries on the new devices have higher capacities than the one on the iPhone 5 (5.45 Whr), with the iPhone 5s coming in at 5.92 Whr and the iPhone 5c at 5.73 Whr. Those batteries, according to iExperts, are made by Apple Japan, something they've never seen before on iPhone batteries. The logic boards for the new iPhones are quite compact in comparison to the one in the iPhone 5, and iExperts noted that the 5s and 5c boards share a similar design. The team also marveled at the "incredible functionality for such little circuitry" found in the Touch ID sensor on the 5s (below). If you're one of those people with an iPhone 4, iPod touch, iPod nano (sixth generation) or iPhone 5 that had a power switch failure, you'll be happy to know that the switch assembly has been changed in the new iPhones. The iExperts team will be posting more information on the chips located on the logic board later, so be sure to visit their site to get more information as the day rolls on.
Why a disembodied finger can't be used to unlock the Touch ID sensor on the iPhone 5s
When a lot of folks think of fingerprint-scanning technology, they often assume there's a single way to do it, but nothing could be further from the truth. There are actually more than a half-dozen different technologies -- and combinations thereof -- that various devices employ to read prints, with varying levels of reliability, and yes, some of them would indeed work with a finger you chopped off of a dear friend, but the Touch ID sensor on the iPhone 5s isn't one of them. Based on what Apple has revealed regarding Touch ID and what the company's own patents have suggested, the sensor in the iPhone 5s utilizes two methods to sense and identify your fingerprint: Capacitive -- A capacitive sensor is activated by the slight electrical charge running through your skin. We all have a small amount of electrical current running through our bodies, and capacitive technology utilizes that to sense touch. This is also the same technology used in the iPhone's touchscreen to detect input. Radio frequency -- RF waves do not respond to the dead layer of skin on the outside of your finger -- the part that might be chapped or too dry to be read with much accuracy -- and instead reads only the living tissue underneath. This produces an extremely precise image of your print, and ensures that a severed finger is completely useless. This means that the Touch ID sensor should be remarkably accurate for living creatures, but it also means that only a finger attached to a beating heart will be able to unlock it. So, should someone run up to you, hack off your finger, grab your iPhone and attempt to unlock it, there's virtually no chance it's going to work. Once the tissue is dead -- which, in the case of someone chopping your finger off without your consent, should happen within a matter of minutes -- two things will happen. First, the finger will lose all electrical charge and will fail to even activate the sensor, and secondly, if by some chance the sensor could be artificially activated, the RF reader that is searching for a print will find no living tissue and fail, leaving the device locked. It's important to note that in order to utilize Touch ID you must also set up a passcode, which acts as a back-up method to unlock your device. If someone really wanted to break into your device, chances are they'd be able to obtain your passcode more easily than actually slicing off a finger. However, if by some miracle the person snatching your finger had a compatible human host waiting for your finger to be transplanted onto their body -- and if they managed to complete the procedure before the tissue died -- you might have cause for concern. Oh wait, that's utterly insane, so no, you have nothing to worry about.
Comparing the iPhone 5s fingerprint scanner and older technologies
Since Apple unveiled the new Touch ID fingerprint scanner on the iPhone 5s a few days ago, the internet has been awash in, frankly, horrible reporting about its ability and consequences. One thing repeated over and over again is that fingerprint readers are buggy, prone to breaking after 500 scans and difficult to use because you have to place your finger on it just right. And all that is true... for fingerprint readers back in 2003. That's when I first used a fingerprint reader that was built into a Windows laptop. It was horrible. Half the time, the fingerprint reader wouldn't recognize my finger. Some times it would, but only after I swiped it slowly and carefully -- something that took much longer than quickly typing in a password. But the thing is that since 2003, fingerprint readers have advanced. Heck, they've advanced since 2011. And the one built into the iPhone 5s is the most advanced consumer fingerprint scanner on the market. So if you have any assumptions that the fingerprint reader on the iPhone 5s is like any fingerprint reader you've used in the past, I urge you to check out this awesome piece by Mary Branscombe at CITEworld where she explains in detail why the iPhone's fingerprint sensor is better than the ones on older laptops. The whole article is worth a read, but here's the central gist of it that everyone needs to understand: With the new sensors you don't have to move your finger, just press it against the reader. And like the sensor in the iPhone 5S, the sensors that will be in laptops and keyboards and other phones can detect the ridge and valley pattern of your fingerprint not from the layer of dead skin on the outside of your finger (which a fake finger can easily replicate), but from the living layer of skin under the surface of your finger, using an RF signal. That only works on a live finger; not one that's been severed from your body. This will protect you from thieves trying to chop off your finger when they mug you for your phone (assuming they're tech-literate thieves, of course), as well as from people with fake fingers using the fingerprint they lifted from your phone screen. [via Daring Fireball]
iPhone 5s fingerprint reader has a timed safeguard, dislikes sweaty digits
Beyond the basics, Apple has said little of how the iPhone 5s Touch ID fingerprint reader works -- we mostly know that it's inaccessible to the outside world. Thankfully, the company has shed further light on Touch ID through statements to the Wall Street Journal. To start, iPhone owners will have to unlock with a passcode if they either reboot or haven't unlocked within 48 hours. The safeguard prevents hackers from simply biding their time while they look for a workaround, Apple says. Legitimate users will also want to keep their hands dry, as the reader doesn't work well with fingers covered in sweat and other liquids. You won't want to try unlocking immediately after running, then, but it's evident that Apple already knows many of Touch ID's real-world limitations.
Touch ID is huge for businesses and employees, but for different reasons
Apple's newly revealed iPhone 5s sports a number of improvements over its predecessor, but if there's one feature that truly sets the device apart from other iPhones (if not from all previous smartphones), it's Touch ID. The Touch ID sensor built into the home button of the 5s can read your fingerprint as an alternative to swipe-to-unlock or PIN/password entry. You can use this digital wizardry to make iTunes purchases and unlock the phone itself. This futuristic tech might be a fun tool for the average smartphone user, but the feature will truly shine when it enters the corporate scene. A big problem The business world is fighting a two-front war in the name of security: Companies are doing their best to keep information locked down (both to comply with internal policies as well as government-mandated privacy efforts like HIPAA), while at the same time corralling employees that see convenience as the only priority. Businesses large and small have relied on applications like Microsoft's Exchange ActiveSync for years to set up secure mailboxes for employees running a wide array of devices. These days, smartphones are a huge area of concern thanks to the relative ease with which they are lost (compared to a laptop, for example) as well as a user base savvy enough to find ways around the policies in question. Mobile-device management tools (like Mobileiron, AirWatch and Apple's own MDM controls in OS X Server and iOS) are an essential part of the equation as enterprises balance productivity and bring-your-own-device policies with security and corporate priorities. "Hello all," a forum post on AndroidCentral begins. "My work recently implemented a new policy where the phone must be unlocked if using the exchange server email. My issue with it is I now loose [sic] my slide to unlock to the camera or other options based on the roms. Is there any way around it?" This isn't an isolated case of an employee seeking out loopholes to company security efforts -- it's happening every day, and it's not isolated to Android. A cursory search of jailbreak apps for iOS immediately produces options for bypassing company-enforced device locks. Users who seek out these solutions aren't doing so because they want to put sensitive business information -- or their own jobs -- in jeopardy; it's just a pain to type in a four-plus digit code every time they check their email or update their corporate social network. Similarly, the businesses that implement these lockdowns aren't necessarily the ones making the call; legal and regulatory constraints, in certain fields, may take priority. The Health Insurance Portability and Accountability Act (HIPAA), for example, mandates all healthcare employees who may have patient data on their smartphones -- including names, contact info, photographs and medical records -- set up passcodes and screen time-out features to ensure sensitive data isn't leaked. An elegant solution But now, on a mainstream smartphone platform, there will be a flagship device that offers both the convenience of a one-touch unlock and an unrivaled level of security. Touch ID addresses the concerns of businesses while giving users fewer reasons to seek out workarounds, and at the moment there is quite simply nothing to rival it. It's a win / win. Or a win / win / win if you count Apple, which stands to gain a lot of fans in the business security sector. Forward thinking indeed.
A look at the iPhone 5s Touch ID fingerprint sensor
One of the biggest features of the iPhone 5s announced yesterday is the Touch ID fingerprint sensor that is used for user authentication. Rich Mogull at TechHive has written the definitive Q&A about the sensor built into the iPhone 5s, and there are some fascinating things to know about the future of mobile security. The first thing Mogull points out is that the Touch ID sensor is based on a capacitance reader, which makes use of the fact that the outer layer of your skin is non-conductive while the subdermal layer is conductive. Mogull notes that when you touch the sensor, "it measures the miniscule differences in conductivity caused by the raised parts of your fingerprint, and it uses those measurements to form an image." The ring around the sensor, which is embedded in the home button, is used to turn on the sensor and reduce signal errors. As Mogull says, the capacitance design is less easy to spoof than an optical reader (which a photocopy of a fingerprint can fool), less fragile and less prone to error due to smudged glass. Some internet wag has already created a meme that states that Apple would nab fingerprints to create a huge "name to fingerprint" database. Well, that's not possible. The fingerprint is run through an algorithm to create a fingerprint template, a mathematical representation of your fingerprint. Mogull believes that the template is then run through a cryptographic hashing algorithm and combined with a random or unique number to further scramble the data. Apple mentioned during the keynote yesterday that the fingerprint data is neither transmitted to the company nor stored on their servers. Instead, it is stored only on the iPhone 5s. Whenever your fingerprint is scanned, the phone does the same template creation and compares the result with the stored hash. Mogull points out that while fingerprints are more secure because they are impossible to guess, fingerprints and passcodes are still examples of single-factor authentication. A more secure system would require a passcode and a fingerprint. Passcodes are still required if you damage your finger or break the Touch ID sensor. As for using Touch ID with iCloud and the iTunes Store, Mogull thinks that Apple will store the passwords for those services in the iOS keychain, using your fingerprint to authorize access. OS X and iOS handle stored passwords this way, and it emphasizes Apple's comment that the fingerprint data never leaves the device. Mogull's bottom line is that Touch ID could be game-changing, in that it makes security invisible. Apple noted during the keynote that it thinks of the iPhone to be a "key," so it wishes to eventually make your phone and fingerprints be the keys to just about everything in your life. Imagine door locks or home alarms that are locked or armed with a fingerprint, or payments that can be authorized with a tap of a finger. In the long run, Touch ID might be the most important feature of the iPhone 5s and future Apple devices.
Apple publishes three videos touting the iPhone 5c, the iPhone 5s camera and Touch ID
Apple didn't waste much time yesterday in putting up video of its media event on its website. Now if you don't have time to sit through the entire presentation and aren't content with merely reading recaps, Apple on Tuesday evening uploaded three videos onto YouTube which highlight three of event's biggest announcements. The videos below were pre-produced and were shown to attendees yesterday during the keynote presentation. The first video has Jony Ive and co., set against a white background of course, detailing the work that went into developing the iPhone 5c. Next up in the batting order, we have Apple's slickly produced video highlighting the vast number of camera enhancements present in the iPhone 5s. The burst and slow-mo features are particularly exciting. Lastly, we have a video introducing us to what may very well be the flagship feature on the iPhone 5s --- fingerprint recognition.
Daily Roundup: Apple's iPhone 5s and 5c hands-on, Touch ID fingerprint scanner, Moto X factory, and more!
You might say the day is never really done in consumer technology news. Your workday, however, hopefully draws to a close at some point. This is the Daily Roundup on Engadget, a quick peek back at the top headlines for the past 24 hours -- all handpicked by the editors here at the site. Click on through the break, and enjoy.
Daily Update for September 10, 2013
It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the inline player (requires Flash) or the non-Flash link below. To subscribe to the podcast for daily listening through iTunes, click here. No Flash? Click here to listen. Subscribe via RSS
iPhone 5s fingerprint reader authentication isn't open to developers for time being
So, you know fancy new fingerprint reading home button Apple showed off for the iPhone 5s at today's event? The company demonstrated functionality for unlocking and buying stuff through iTunes. Cool, but what about third-party apps? We can imagine all sorts of neat uses not limited to buying stuff. For the time being, however, the authentication functionality is off-limits. Apple exec Phil Schiller told All Things D that the hardware won't be opened to developers initially. As to whether that functionality will be arriving in the future, Apple's not ready to say just yet.
Apple reveals Touch ID, a fingerprint sensor built into the iPhone 5s
In a move sure to delight security and privacy gurus, Apple revealed today at its iPhone event that the all-new iPhone 5s features a fingerprint sensor built into the home button. The technology is built into a ring around the home button that can scan sub-epidermal layers of your skin in order to identify you without the need to a passcode or other more archaic security measures. But beyond just allowing you to access your phone, Touch ID can be used to verify things like iTunes purchases without a password. Apple claims that the process of setting it up is super simple, and given the fact that it is a biometric sensor, it's certainly more secure than your mother's maiden name. To further please security advocates, Apple confirmed that the data is never stored on Apple's servers or backed up in the cloud -- it's all saved only to the device in your hand.
iPhone 5s fingerprint sensor called Touch ID, recognizes your thumb on the Home button: here's how it works and what it does (video)
Apple's brand-new iPhone 5s isn't dramatically different from last year's model, but it has at least one major addition: a "Touch ID" sensor. Us human beings are calling it a fingerprint sensor, and it's built into the phone's main Home button below the screen. Apple's Phil Schiller says, "It reads your fingerprint at an entirely new level" -- it's 170 microns in thickness with 500 ppi resolution. According to Cupertino, it "scans sub-epidermal skin layers," and can read 360 degrees. As expected, the sensor is actually part of the Home button, making it less of a button and more of a...well, sensor. Using Touch ID, users can authorize purchases in iTunes, the App Store, or in iBooks by simply using their thumbprint (starting in iOS 7, of course). Pretty neat / scary! As rumored, the sensor uses a laser cut sapphire crystal cover; it retains a tactile input for those wary of the sensor wearing down after lengthy use. The sapphire crystal, acting as a lens, takes a highly detailed image of your fingerprint, which Apple says is "never stored on Apple servers or backed up to iCloud." According to Apple's official PR on the new phone, Touch ID's fingerprint info is "encrypted and stored securely in the Secure Enclave inside the A7 chip" (the A7 chip is the new processor at the heart of the 5s). Apple hasn't made clear whether Touch ID allows for multiple users on a single iPhone or not, nor has the company said whether you could turn off fingerprint authentication (though we have to presume the answer is yes given previous authentication standards on the iPhone). The fingerprint ID technology was long rumored as heading to 2013's iPhone following Apple's acquisition of Authentec last summer. A render of the iPhone 5s outed the new functionality's name just this week. We'll have more on Touch ID in our upcoming hands-on live from Cupertino, and you can find all our Apple event coverage from today right here. Update: Here's Apple's take on its Touch ID sensor -- video right after the break. Check out all the coverage at our iPhone 'Special Event' 2013 event hub!
