After reading all of this I'm still left wondering one thing. To what end? One rule of security that I've always assumed is "Physical access equals root access." No matter what security measures you use, anyone with unlimited time and resources will eventually gain access to your data. Any data on a device that leaves your home or office, especially one that is as easily taken as a phone, should pretty much be considered already stolen.

Instead of coming up with obscure ways to game Touch ID to make it just that much harder to get around, your energy would be better spent asking yourself "What data do I have on my phone that I would not want someone gaining access to?" Once you answer that question, you should delete that data from your phone. It's as simple as that.

Now, where improved security can help is for those times when someone takes your phone, accesses data, and then tries to return it to you before you notice that it's gone. In this scenario the miscreant has only limited time. Most likely a few seconds or minutes. The only method I've seen to get around Touch ID requires much longer than this scenario allows, and thus is not a concern.
 
After reading all of this I'm still left wondering one thing. To what end? One rule of security that I've always assumed is "Physical access equals root access." No matter what security measures you use, anyone with unlimited time and resources will eventually gain access to your data. Any data on a device that leaves your home or office, especially one that is as easily taken as a phone, should pretty much be considered already stolen.

Instead of coming up with obscure ways to game Touch ID to make it just that much harder to get around, your energy would be better spent asking yourself "What data do I have on my phone that I would not want someone gaining access to?" Once you answer that question, you should delete that data from your phone. It's as simple as that.

Now, where improved security can help is for those times when someone takes your phone, accesses data, and then tries to return it to you before you notice that it's gone. In this scenario the miscreant has only limited time. Most likely a few seconds or minutes. The only method I've seen to get around Touch ID requires much longer than this scenario allows, and thus is not a concern.

Great post and points!

The current method for workaround for TouchID is clearly highly involved. That said, like any workaround, if one is found, a faster, more streamlined method is a possibility. As far as effort going into setting up a phone for a single print, none of the steps I outline require much time or extra energy. I only posted this to put people in the mindset of security.

The only thing that would take effort (if people chose to do so), would be to analyze how they hold their phone, in an attempt to program TouchID with a less commonly used finger, or portion of it. This could easily be done in 30 seconds of paying attention to how one holds their phone in either hand. There is no need to record a video of yourself, I just happened to have one to review. (I created a Video review of the iPhone 5s for a class I am currently in).

As far as additional security, I already do practice much of what you have mentioned and can fully support your advice.

- no accounts are linked to this phone that can gain access to others
- This phone is not part of any 2-Step authentication method to gain access to other objects in my digital life.
- This phone does not contain much PII, that could be used to access anything of value.

I have asked the question you have asked me, to many of my clients, and friends who store such personal information on their phones. I can think of few examples of people storing passwords, account numbers, CC #s, and even passwords in mobile applications, or within cleartext notes on their smartphones. :confused:
 
For me, TouchID means better security for me because I now have my phone lock instantly, whereas before, I only tolerated a passcode on a 15 minute delay. My passcode is now complex instead of simple, so that's better too.

But the reason I don't worry is that even if I do have a clean print left on the phone itself, by the time a thief is able to lift the print and create a false finger realistic enough to fool the sensor, I'll have noticed my phone is gone. I will have, rather quickly, put my phone into lost mode via find my iPhone, which then requires the passcode anyway.

And, since most thieves know you can track an iPhone that is powered on, most will want to shut it down so they can't be tracked. Once that's done, the passcode is also required. Basically, I don't see anyone lifting a print and defeating TouchID in real life, unless the phone isn't noticed missing for a day or two...and even then, you'll have needed to leave a perfect print and have the thief know how to defeat it.

In other words, it ain't gonna happen.
 
Op really

You're in another world OP if you think that the NSA is going to get your fingerprints!! Come on, really? You people that are so concerned about the fingerprint security have to GROW UP and realize that the NSA couldn't give a **** less about your fingerprints. STOP IT ALREADY and just use the god damn phone. SHEEEEESH!!!!!
 
snip

What hassle? I touch my finger to my phone, and it unlocks. I just put a little more thought into how I use it than the average person.

snip

Having to side position my finger is a hassle for me. My brain would start hurting if I had to remember the side touch from only one finger. I like that I can pick the phone up with either hand and almost immediately open it without much thought. :)

Interesting and amusing thread tho. Thanks

touch ID worked great for me for the first few days -- and now I find I read "try again" on my phone more than anything else. Has this happened to anyone? It has gotten to the point where I don't even bother using it anymore, because typing in my passcode (which is 1-2-5-3, by the way. see how useless that information is for you?) is far easier.

Anyone?

Still works great for me. I enrolled 3 fingers and the phone is so much easier to use now that I don't have to put in the passcode every few seconds.

Cheers,
 
touch ID worked great for me for the first few days -- and now I find I read "try again" on my phone more than anything else. Has this happened to anyone? It has gotten to the point where I don't even bother using it anymore, because typing in my passcode (which is 1-2-5-3, by the way. see how useless that information is for you?) is far easier.

Anyone?

I have tracked down your IP and located your MAC address, I'm going to send a WIFI ping to find where you are calling from and also will wait for someone w/ a 5S around the radar area ready to strike lol But, in reality the bad thing about the basic passlock is that anyone near you can memorize it faster w/out you even realizing it, especially in crowded places, now w/ touch-id, there is no way for them to see it while out and about. My touch-id is working flawlessly, I think you need to reteach the fingerprints to your various finger positionssss.
 
5- Adopt the touch and slide method
Clearly, whatever portion of your finger you decide to use for TouchID will leave a clear fingerprint on the sensor. Getting in the habit of sliding your finger off the sensor (and device) after the phone unlocks helps prevent a clear fingerprint from staying behind.

6- Use Complex Passwords
With the addition of TouchID, the need for typing a passcode into your iPhone is greatly reduced. Why make it easy for people to get in with a simple 4 Digit pin, if they don't have access to your fingerprint ;) .

Despite working in IT, I don't consider myself a security expert, and am open to adding further suggestions from those that are :) .

A little paranoid are we? I think the chances of someone using CSI material on your fingerprint reader just to get into your phone are kinda slim LOL But I guess you can never be too careful. I personally don't have the phone yet but when I do I will feel that it is pretty safe.
 
This thread needs to be re-named
"Foolproof way to keep your wife/gf/psycho ex-gf from hacking your touch Id"

Because I can't think of anyone else that would go to those kind of lengths to see what's on a guy's phone.

I'm resigned to the fact that If the illuminati is after me and wants my data, they are going to get it.

I appreciate your in-depth analysis, I think by nature you IT guys are just overly neurotic and paranoid. Maybe it was too much spy vs. spy as a kid who knows.
 
<snip>
I appreciate your in-depth analysis, I think by nature you IT guys are just overly neurotic and paranoid. Maybe it was too much spy vs. spy as a kid who knows.

Neurotic? Thanks, I guess.

I guess having a career of fixing other people's issues, or data loss makes us IT folks look a bit more closely at ways of protecting our own data.

You're in another world OP if you think that the NSA is going to get your fingerprints!! Come on, really? You people that are so concerned about the fingerprint security have to GROW UP and realize that the NSA couldn't give a **** less about your fingerprints. STOP IT ALREADY and just use the god damn phone. SHEEEEESH!!!!!

I fail to see where NSA was mentioned in any of my posts.

My fingerprints are all over the place, all over my laptop, my car, doors at work, restaurants, elevators, and even my iPhone. I just thought about ways to make it a little more difficult to use any of them to access TouchID.

This thread is posted as a tip for people that are like minded, and open to everyone else's opinion. This isn't a directive, an order, or a demand for people to comply. Use your phone as you like, just like everyone should.

Posted as an adult, without resorting to insults.

A little paranoid are we? I think the chances of someone using CSI material on your fingerprint reader just to get into your phone are kinda slim LOL But I guess you can never be too careful. I personally don't have the phone yet but when I do I will feel that it is pretty safe.

Agreed,
As it stands now, the process of making a fingerprint copy is a bit extensive. That said, like I mentioned before, once a hole is found, quicker and easier methods are often created to take advantage of that hole. I hope that isn't the case, but the phone and TouchID hasn't even been out for that long yet.
 
IT has me logging in 8 times with different passwords that expire after 30 days just to get the pleasure of doing my job.

So yes, I can legitimately say they are a little neurotic and paranoid
 
IT has me logging in 8 times with different passwords that expire after 30 days just to get the pleasure of doing my job.

So yes, I can legitimately say they are a little neurotic and paranoid

I can apply labels to end users too, but I don't as a practice.

In most cases, IT reports to other groups, including Legal. If the corporation has, or is seeking, certifications for items such as SAS 70, SAS16, ISO, and the like, those entities will require your corporation to follow the password rules you dislike.

In the end, I am with you, I hate password requirements such as the ones you complain about. I have to deal with them too. :(
 