iSunrise

macrumors 6502
May 11, 2012
382
118
What if a phishing scam convinces you to enter in your fingerprint and now they have that data. Couldn't that information now be used to hack all of your accounts? Not to mention you can't change the data of your fingerprint like you can with a password. It seems like you are now forever vulnerable. Any thoughts? Am I mistaken?
No, you're not mistaken. That's only one of the potential risks.

If it's like current Apple technologies, Apple will provide an API that handles the I/O and encrypts/decrypts your fingerprint data, so potentially, that API could always be misused. Personally, I would only use this feature if Apple provides me with enough information that tells me how exactly they are encrypting and storing these fingerprints. They also need to provide info that no one else other than me can access and decrypt it.

Apple has hopefully cleared the use of the fingerprint sensors with countries that are in the EU, especially Germany. Also, if you introduce fingerprint sensors into your products, there must be an option to turn that sensor off and everyone that enables that feature needs to be informed about the potential risks.

The vast amount of people have absolutely no idea how many security problems could arise with this. Young people nowadays grow up with the notion that personal data doesn't need to be protected, they give all their personal data to Facebook, Twitter, Google, etc. and are just stupidly naive. Now, companies also get access to fingerprints. Where does it stop?
 
Rossatron

macrumors 6502a
Nobody said that your finger print HAS to be stored at any sort of database. If, indeed, it would work with 1 way encryption and 2 keys, your finger print will only be needed locally, on your device to validate your public key.

What I think will come out of it, is users who wish so to do, could register with fingerprintsRus, which in turn generate a two key set for each individual, based on their finger print. The finger print and the private key will both be stored on your phone (encrypted, of course). When you want to pay for something, you swipe your finger, the phone compares it to the private key locally and if, and only if, they match, you validate your public key with which you pay.

Think your keys were compromised? No problem. Just call them like you would if it were your credit card and after they identify you, they issue a new set of keys. And the old set? It's now useless because the public key it had to authenticate against is no longer in existence, making the print stored at a stolen iPhone useless.

Come on people, open your mind - dare I say - to a good outcome from the matter. Yes, it could be implemented badly. But who said that it will? Maybe something more along the lines I portrayed here will be implemented?
 

iSunrise

macrumors 6502
May 11, 2012
382
118
Nobody said that your finger print HAS to be stored at any sort of database. If, indeed, it would work with 1 way encryption and 2 keys, your finger print will only be needed locally, on your device to validate your public key.

What I think will come out of it, is users who wish so to do, could register with fingerprintsRus, which in turn generate a two key set for each individual, based on their finger print. The finger print and the private key will both be stored on your phone (encrypted, of course). When you want to pay for something, you swipe your finger, the phone compares it to the private key locally and if, and only if, they match, you validate your public key with which you pay.

Think your keys were compromised? No problem. Just call them like you would if it were your credit card and after they identify you, they issue a new set of keys. And the old set? It's now useless because the public key it had to authenticate against is no longer in existence, making the print stored at a stolen iPhone useless.

Come on people, open your mind - dare I say - to a good outcome from the matter. Yes, it could be implemented badly. But who said that it will? Maybe something more along the lines I portrayed here will be implemented?
That sounds like a good solution, actually. It's like PGP/OpenPGP but with a fingerprint, instead of actual random data and a password. It's still up to discussion though if Apple does a backup of that, when you've activated iCloud backup.

Let's reserve further judgement until we know more about it. It could be a great feature if implemented right. You would think that they ironed out everything (Authentec should have taken care of that, even before Apple bought them) before they make it a mass-market feature.
 

rGiskard

macrumors 68000
Aug 9, 2012
1,800
955
I wonder who the second largest technology provider in Cupertino, Calif. would be. :D

Heh. I'm interested in how long it is until someone figures out a way to hack a person's iPhone using fingerprints left by that person in some public place. Lift the print off a cup left at some cafe, use it to somehow create a replica finger, and voila, instant paypal account access.

Admittedly it would be more sensational to snip off a finger at the time of the iPhone theft, but lifting the prints and creating a 3D finger hack would be cooler, and much harder to trace. A bleeding stump would probably alert the mark that it's time to change their passwords or limit fingerprint access to their accounts.

----------

You don't have to use your finger. You can use your toes or other parts of the body.

Image of a thief hacking off parts one by one to see which it is, lol.
 

marksman

macrumors 603
Jun 4, 2007
5,764
5
On the patent they filed it shows a diagram to the right of the home button of a "hidden" below the surface fingerprint sensor that only becomes visible momentarily as it is being used.

----------



Don't you think it would then default to your actual password (which will clearly still be an option for the small amount of people that are burn victims or simply have issues with the technology)?

----------



I believe that Apple entered into an agreement with Australian biometric security firm, Microlatch for the specific reason- that they have a protocol that meets the security requirements of all of the world banks and does NOT require an external housing of fingerprints for verification. (that is to say, the comparison is done LOCALLY on the device & Apple would NEVER have your biometric information).
Yeah it seems like quite a few people do not understand how this would work.

It does not require remote verification of the fingerprint. The fingerprint need only to be recognized on the mobile device and then trigger authorization with the remote site. Besides common password links, there will undoubtedly be more secure authentication paths available to work with various sites for stricter authentication.

It is not like I will be able to pick up your phone and login to my sites. I would have to use my phone. Your phone would have no way to verify my fingerprint.

I get the impression people think this data is being delivered to remote sites for authentication. It will not be. Someone would need both my device and me to access my accounts.

----------

What if a phishing scam convinces you to enter in your fingerprint and now they have that data. Couldn't that information now be used to hack all of your accounts? Not to mention you can't change the data of your fingerprint like you can with a password. It seems like you are now forever vulnerable. Any thoughts? Am I mistaken?
Yes you are mistaken. Your fingerprint data is not going to be transmitted anywhere.
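
The arrangement discussed in the posts above (a fingerprint matched only on the phone, which then triggers authorization with the remote site, plus keys that can be reissued after a compromise), as an added example that is not part of any post and not Apple's or AuthenTec's design. `Server`, `Device`, the toy minutiae matcher and the sample data are assumptions made for illustration; HMAC with a per-enrollment key stands in for the key pair the posts mention, because Python's standard library has no signature scheme.

```python
import hashlib, hmac, secrets

class Server:   # remote site: holds one credential key per account, never a fingerprint
    def __init__(self):
        self.keys = {}
    def register(self, account, key):
        self.keys[account] = key              # re-registering revokes the old key
    def challenge(self):
        return secrets.token_bytes(16)        # fresh nonce per login
    def verify(self, account, nonce, response):
        key = self.keys.get(account)
        if key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Device:   # phone: template and key stay here; only a nonce response leaves
    def __init__(self, enrolled_minutiae):
        self._template = frozenset(enrolled_minutiae)
        self._key = None
    def enroll(self, server, account):
        self._key = secrets.token_bytes(32)   # random, not derived from the finger
        server.register(account, self._key)
    def _matches(self, scan):
        scan = frozenset(scan)                # toy matcher: Jaccard overlap >= 0.8
        union = self._template | scan
        return bool(union) and len(self._template & scan) / len(union) >= 0.8
    def respond(self, scan, nonce):
        if self._key is None or not self._matches(scan):
            return None                       # no match: the key is never used
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

def demo():
    owner = {(12, 40), (33, 7), (51, 22), (8, 19), (27, 45)}   # constructed minutiae
    other = {(1, 1), (2, 2), (3, 3), (4, 4), (5, 5)}           # constructed minutiae
    server, phone = Server(), Device(owner)
    phone.enroll(server, "alice")
    n1 = server.challenge()
    r1 = phone.respond(owner, n1)
    out = {"owner_ok": server.verify("alice", n1, r1),
           "other_finger_refused": phone.respond(other, n1) is None,
           "replay_rejected": not server.verify("alice", server.challenge(), r1)}
    leaked = phone._key                       # assume the old key was compromised
    phone.enroll(server, "alice")             # rotate: same finger, new key
    n2 = server.challenge()
    forged = hmac.new(leaked, n2, hashlib.sha256).digest()
    out["old_key_useless"] = not server.verify("alice", n2, forged)
    out["same_finger_works"] = server.verify("alice", n2, phone.respond(owner, n2))
    return out
```

Calling `demo()` returns five checks that all come out true: what gets rotated after a compromise is the key, while the finger and the on-device template stay the same.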
 

coolspot18

macrumors 65816
Aug 16, 2010
1,051
90
Canada
Voice Biometrics is probably a better choice. No special hardware needed and is compatible with all mobile phones. Accuracy is very good too.
 

topper24hours

macrumors 6502
Jul 27, 2012
352
0
Voice Biometrics is probably a better choice. No special hardware needed and is compatible with all mobile phones. Accuracy is very good too.

Voice is a handy addition to controlling a device, as a biometric.. maybe not so good...
"Please speak aloud your pass phrase now.
Umm.. myfavoriteponyisfluttershy.
Please repeat... I did not get that.
My favorite pony is fluttershy...! Ok?
*awkward stares in bank*
Access to voicemail granted"
=P
 

maxosx

macrumors 68020
Dec 13, 2012
2,385
1
Southern California
Several models of ThinkPads have been equipped with finger print scanners, for years. My first hand experience has been quite satisfactory. I'm surprised Apple has waited this long to give it consideration.
 

BvizioN

macrumors 603
Mar 16, 2012
5,701
4,819
Manchester, UK
Then they'll take live fingers..meaning the person...hostage, etc...

Apple will get blamed for something with this...trust me.

Seriously, you people....

To start with, I don't know why someone would be dying to get into your iPhone. iPhones usually are stolen or people are mugged for the sole value of the phone and not for what information it contains inside.

And second, if they have you as a hostage for whatever "DA VINCI CODE" you may have inside it, it would be just as easy for them to get the password out of your brain as cutting off your fingers.
 

Solomani

macrumors 601
Sep 25, 2012
4,785
10,477
Slapfish, North Carolina
I'm all for a security solution that goes above and beyond passwords (bothersome since we have to remember dozens of passwords and dozens of user IDs).... but fingerprint technology as it exists in the market today is CRAPTASTIC.

I'm opining from experience since the USA's largest fitness chain (24-Hour Fitness) has embraced fingerprint scanner entry on all their gyms, they got rid of membership ID cards in the past year. The fingerprint scanner only works 50% of the time for me on a good day. I have to keep swiping it 4 or 5 times before it recognizes my fingerprint. I'd like to blame it on all the sweaty dirty fingers of the gym members that used the scanner before me. But methinks that fingerprint scanners (and the algorithm tech they currently use) really are crap. Maybe they will be solidly reliable in 7-8 years. Here's to hoping that someone (Apple or whoever) does lead the charge for improving on the current situation.
 

flux73

macrumors 65816
May 29, 2009
1,019
134
Several models of ThinkPads have been equipped with finger print scanners, for years. My first hand experience has been quite satisfactory. I'm surprised Apple has waited this long to give it consideration.
The iPhone is only 5 years old. Also, the timing is probably only ripe now for mobile payments - Apple needed a critical mass of users and scanners/NFC reader technology needed time for maturation.

I'd also imagine it's quite a bit more difficult to get a fingerprint scanner into a phone than a notebook computer, especially in a manner that suits Apple's aesthetics.
 

MacConvert

macrumors newbie
Dec 28, 2006
26
0
Seattle, WA
It doesn't matter, the phone doesn't work with dead fingers.

It may not work on dead fingers, but if you make a duplicate of someone's fingerprint(s) and somehow attach it to your finger, it would pass the 'is it dead' test. The only 'difficult' thing would be what type of material can be attached to the top of your finger that would still trick the fingerprint sensor into thinking it's the real finger.

Fingerprints alone aren't sufficient as a security measure - they must be combined with a password to be effective.
 

bbeagle

macrumors 68040
Oct 19, 2010
3,539
2,972
Buffalo, NY
It's not negative. It is certainly one of the Use Cases that every vendor will have to have a solution for, in addition to allowing users to authorize others to use, say in an emergency or handing your phone over to wife, because the call is actually to her or you're driving, or any other reason.

It DEFINITELY IS negative.

I guess you should be criticizing phone manufacturers because you can't take the phone in the shower with you. That's a use case they don't allow either.

Here's an example just as loony as what you described:
Say that you're in an emergency, you're passed out and your leg is bleeding, you need gauze. You're at the store. The only 'money' is YOUR ATM card. Nobody else knows the PIN to your card, nobody else can buy the gauze to save your life because the ATM card is locked to you. You'll die now. ATM card manufacturers should have thought about this and created a way for others to use your card, right? *sigh*
 
hayesk

macrumors 65816
May 20, 2003
1,459
101
Queue up the new stories blaming Apple of people getting their fingers cut off for access to their devices when they are stolen. Here come the Hollywood movie scenes...whenever people need some bio access...

Why? You could just reset the phone and put your own fingerprint in.

It doesn't matter, the phone doesn't work with dead fingers.

The fingerprint sensor might. The ones on Thinkpads work with silicone facsimiles.

This is not where the security flaw lies. The security flaw lies in the collection and transmission of the fingerprint data to the authenticator. Do they all go through a central authentication service? Do you trust them? Or if they don't go through a central service, do you trust app developers to properly encrypt your fingerprint data to protect it from hackers? Or the app developer themselves? Once your fingerprint profile is compromised, then what?
 

coolspot18

macrumors 65816
Aug 16, 2010
1,051
90
Canada
voice, of all things? and what if you have a sore throat?

It still works, a cold or sore throat doesn't influence the base factors of your voice print.

As you use the voice print more often (i.e. every day?) it can adapt to changing parameters - at least with more advanced voice biometrics engines.

----------

Voice is a handy addition to controlling a device, as a biometric.. maybe not so good...
"Please speak aloud your pass phrase now.
Umm.. myfavoriteponyisfluttershy.
Please repeat... I did not get that.
My favorite pony is fluttershy...! Ok?
*awkward stares in bank*
Access to voicemail granted"
=P

Voice biometrics has an extremely high rate of success. Unlike automatic speech recognition, it doesn't need to understand the words. What it needs is the intonation, speed, pitch, etc. to match with your profile.

In fact, many voice biometric engines support static and dynamic text options. With static text, you repeat a common passphrase, i.e. "Let me in" which all users will use. Based on your voice, it can determine if you are indeed who you are.

With dynamic text, it can ask you to speak something unique, i.e. the date, your name, etc. to ensure the audio isn't pre-recorded.

So yes, voice biometrics will work quite well in a mobile environment - definitely cheaper than a finger print reader and totally possible with today's technology and phones.

----------

And if you're in a public place, like a Starbucks??

There's actually passive voice biometrics technology that can determine who you are as you talk - i.e. when ordering. So as you talk to the barista for your order, it can authenticate you. Only if it fails, then it can resort to a fall back method.

Voice biometrics can work for many applications at a much lower cost than finger print reader, since no specialized hardware is required except for a microphone.
 

aliensporebomb

macrumors 68000
Jun 19, 2005
1,907
332
Minneapolis, MN, USA, Urth
But utterly useless when connecting to corporate legacy systems. Ask any Windows support rep how well fingerprint authentication works when connecting to a Microsoft Active Directory network. Word: it doesn't.
 

smoledman

macrumors 68000
Oct 17, 2011
1,943
364
I'm all for a security solution that goes above and beyond passwords (bothersome since we have to remember dozens of passwords and dozens of user IDs).... but fingerprint technology as it exists in the market today is CRAPTASTIC.

I'm opining from experience since the USA's largest fitness chain (24-Hour Fitness) has embraced fingerprint scanner entry on all their gyms, they got rid of membership ID cards in the past year. The fingerprint scanner only works 50% of the time for me on a good day. I have to keep swiping it 4 or 5 times before it recognizes my fingerprint. I'd like to blame it on all the sweaty dirty fingers of the gym members that used the scanner before me. But methinks that fingerprint scanners (and the algorithm tech they currently use) really are crap. Maybe they will be solidly reliable in 7-8 years. Here's to hoping that someone (Apple or whoever) does lead the charge for improving on the current situation.

That's because whatever they're using isn't AuthenTec. There is a reason Apple bought that company. I guess their fingerprint recognition accuracy is near 100%.
 