Fingerprinting offers no new security

[jrswizzle]

As far as I am aware the A7 chip is not a memory (file storage) chip, it's a CPU. So the fingerprint data can't be stored on there. If it was, and you switched your phone off - BOOM you'd loose your fingerprint data!

I guess they are storing the fingerprint data in a secure encrypted space in the main Flash memory which the system limits access too. That said there must be some access as the system and the Apple store seem to be able to communicate with it and if the system can access it...

I plan on watching the keynote again, but I remember them pulling a spot on the A7 where the fingerprint data supposedly resides.

I'm well aware the SoC is not a storage medium.

 

[bozzykid]

Here is the deal, create a more secure 6 digit password which is infinitely more secure then the standard 4 digit (numbers only) password that most people use on the iPhone.

Technically it would be 100x more secure not infinitely more secure.

----------

The more obvious method would be to lift your print off a cup or something you used, scan that and use to enter the iPhone.

Have you never used a fingerprint scanner? That would never work.

----------

The point of a fall back is if it's it's my 12 year old daughter's iPhone I'd need access to it. I'm guessing it won't store multiple finger prints so the passcode is so I can access it. Same thing if my wife wants access to my phone. I've given her my passcode and she has access now so there needs to be a fallback, even if it worked 100% of the time.

You can certainly store multiple fingerprints (otherwise you couldn't set it up to work with multiple fingers. Although, I would question teaching it fingerprints from multiple people. It seems that could increase the chances of a false positive. Since no one has these yet, no one really know how tolerant they have set the scanning to be.

 

[rovex]

Gimmick.

Even siri's better than this.

 

[bozzykid]

Gimmick.

Even siri's better than this.

Huh? They are two totally different features. It's not a gimmick to have your phone be secured and not have to enter a passcode every time you unlock it. My guess is the number of people securing their phone is going to grow tremendously because the hassle factor will be gone.

 

[aristobrat]

As far as I am aware the A7 chip is not a memory (file storage) chip, it's a CPU. So the fingerprint data can't be stored on there. If it was, and you switched your phone off - BOOM you'd loose your fingerprint data!

Right, so there's that thought, and then there's the video Apple's running where they're specifically stating that the fingerprints are stored in a "secure enclave" on the A7.

During the video, they even go as far as to highlight the physical area on the A7 where they say its stored. (yellow arrow = my emphasis ... the white box around the A7, and the smaller box in the top left quad is Apple's)

http://www.apple.com/iphone-5s/videos/

 

[Interstella5555]

Once physical access occurs no security can really do anything. People get all excited about something they think is new (fingerprint scanners have been in computers for a long time now) and then get wild passionate about how "nothing is being done" with this "amazing new tech." I shouldn't be surprised after the multiple iteration of 3D I've seen in my life, yet here we are paying $15 for a matinee movie ticket.

 

[TheKrs1]

But you can't prove it either than NSA doesn't have backdoor access to your fingerprint. We'd just have to believe Tim's word for it and they already lied about it once in the past. You also can't prove the fingerprint reader isn't hackable.

So the safest option is not to use fingerprint scanners.

A) Yes, I'm sure we can prove it. Once it is out in the wild, I'm sure the Jailbreak community is going to push this to the extreme. We can also monitor the data traffic the device uses. Does it increase if a fingerprint is stored?

B) Also, what the hell are you guys storing in your phones? If you are worried about back end access for the NSA, do you not think they already have your financial institution? What about the reports I have heard about them being able to activate the microphone at any time in Androids?

C) For those worried their fingerprints will get into the wrong hands... What do you honestly think someone would use this for? I heard "Frame me for Murder" earlier? If that is the case, can we please consider the fact that it would be much simplier for them to: lift your fingerprint off of any item you touch throughout the day, have the fingerprint analysis lab lie and swap the evidence, or simply ignore the whole setup and just kill you?

 

[iAlphard]

Gimmick.

Even siri's better than this.

Nope, this is better than siri, alot better.
You don't need to type your password anymore whenever you want to download or buy an app. Very convenient.

 

[TheKrs1]

Once physical access occurs no security can really do anything. People get all excited about soemthing they think is new (fingerprint scanners have been in computers for a long time now) and then get wild passionate about how "nothing is being done" with this "amazing new tech." I shouldn't be surprised after the multiple iteration of 3D I've seen in my life, yet here we are paying $15 for a matinee movie ticked.

True, but I would say that Apple's implementation of this "amazing new tech" (if it works as advertised), is pretty awesome. My fingerprint reader on my work laptop has been here for years, but IT won't enable it because it's too unreliable. My fiance's mom's laptop has a reader, but photo's of the print can fool it.

That might be the "amazing" part.

 

[aristobrat]

Reports are showing that you must have a passcode in order to use Touch ID, and after a certain number of unsuccessful attempts at authenticating by fingerprint, you can still unlock the phone by passcode. If this is true, then the fingerprinting is only for convenience sake (which would still be nice). But I'm a little disappointed that it isn't more secure.

So if iOS didn't fall back to the passcode, if you ever dropped your phone and broke the fingerprint sensor, you'd never be able to get back into that device.

Passcodes can be secure, but IMO most people use insecure 4-digit passcodes simply because it takes too long to type in a more secure passcode 50x a day.

For all we know, when you setup an iPhone 5s, Apple may require you to pick a COMPLEX passcode, like they require with their Apple IDs. Who knows.

But not having some method to access a device if the Touch ID fails seems totally crazy, IMO.

 

[scaredpoet]

The guys at NSA are all wetting their pants with this new stash of fingerprints.

If the NSA wants your fingerprints, all they need to do is send a local yokel to dust ANYTHING you've touched. Your desktop/laptop keyboard, your car door, the front doorknob to where you live... the entire surface of your locked phone.

Making Apple build fingerprint scanners into their phones is very much the hard way to do this.

And you still haven't answered the fundamental question: what can the NSA do with your fingerprint that they can't already do now?

 

[iPadPublisher]

Reports are showing that you must have a passcode in order to use Touch ID, and after a certain number of unsuccessful attempts at authenticating by fingerprint, you can still unlock the phone by passcode. If this is true, then the fingerprinting is only for convenience sake (which would still be nice). But I'm a little disappointed that it isn't more secure.

Anybody know anything to the contrary? Or is this true?

Either way, this is adding a layer that didn't exist before. I'd hope that you can choose to opt-out of the fallback, but I don't think anyone knows that yet.

 

[Italianblend]

I have a question:

If your fingerprints are stored on the A7 chip, and you sell your phone to someone else, they can theoretically access that information, right? I mean, they can dissect the phone and somehow get that info out of it.

 

[iPadPublisher]

The guys at NSA are all wetting their pants with this new stash of fingerprints.

Highly doubtful, since the fingerprints don't leave the phone. If they want to run around and collect prints out of everyone's phones, they'd also be out running around collecting prints off everyone's car door handles, Starbucks cups, and so on.

More importantly, though, a lot of people's fingerprints are already in "the system" somewhere anyways, i.e. Passport Applications, Security Clearances, Concealed Weapons Permits, etc. Shoot, California has been taking thumb prints for driver's licenses for nearly 20 years now.

While I may not be happy about it... the chances are... my prints are up for grabs anyhow.

----------

I mean, they can dissect the phone and somehow get that info out of it?

Sure, its possible in theory. Those with the capability to go through all that work, though, have many other ways to get your fingerprint(s) that would cost tons of time and effort less, most of which are in-detectable to you. Your gutted iPhone 5S laying on the table, minus its A7 chip would be a surefire sign that something rather nefarious has taken place.

 

[OneMike]

The point of a fall back is if it's it's my 12 year old daughter's iPhone I'd need access to it. I'm guessing it won't store multiple finger prints so the passcode is so I can access it. Same thing if my wife wants access to my phone. I've given her my passcode and she has access now so there needs to be a fallback, even if it worked 100% of the time.

As others have said it does store multiple fingerprints so no, that's not correct.

Unless you can opt out of a fallback, the entire fingerprint system wouldn't make sense to me.

 

[bozzykid]

I have a question:

If your fingerprints are stored on the A7 chip, and you sell your phone to someone else, they can theoretically access that information, right? I mean, they can dissect the phone and somehow get that info out of it.

Why would you sell your phone without wiping it first? Sure, if you give your phone to someone without wiping the data, then they could theoretically access it. How does having fingerprint data make that any easier?

 

[notjustjay]

I guess they are storing the fingerprint data in a secure encrypted space in the main Flash memory which the system limits access too. That said there must be some access as the system and the Apple store seem to be able to communicate with it and if the system can access it...

No.

Think of it like this. Imagine you live in a gated mansion and you're training a security guard to allow only certain people in. You show the security guard a photo of a person, and he memorizes some details. Let's say for the sake of this discussion that people, like your fingerprint, never change their major pertinent details. He memorizes a number of them: White, male, mid-30's, 5'11", wears Nike shoes, parts his hair on the left, gold earring on right ear, tattoo of a fish on his neck, wears a nametag and the third letter is "r".

Now your security guard is trained to recognize this person and let him in based on observing those attributes. Assume we picked up enough points that there is virtually no other person on the planet who would fit that exact description. You can show him photos of people and he will be able to say "yep" or "nope". But he does not share WHY he knows if it's you or not.

This is how the chip works. The interface into it basically allows the software to say "hey, yes or no?" and the chip does whatever it does and says yes or no. It does not spit out its notes. And it doesn't know enough to recreate much, just like your security guard doesn't have enough information to regenerate a photo of you to steal your identity or pass on to the NSA.

 

[Hankster]

It offers a great deal of "new security" for people like me who can't be bothered with the inconvenience of a lock screen passcode each time.

I don't mind a passcode as a fallback exception though if something goes wrong. That makes perfect sense.

Oh, my Lord. You must be a very important person if you can't spend 1-2 seconds inputting a four digit passcode.

----------

Nope, this is better than siri, alot better.
You don't need to type your password anymore whenever you want to download or buy an app. Very convenient.

How is saving 3-4 seconds of time better than an artificial intelligence program??? Wow.

Also, "a lot" is spelled "a lot", not "alot".

 

[cynics]

Fingerprinting offers no new security

For people saying, "what can NSA/people do with your finger prints that matters?" Please just stop, I'm having flash backs of the similar people saying that about social security numbers.

Plus to say that you have no vision or imagination what so ever. Do you really think using finger prints is going to just stop at the iPhone? Really? You NEVER think you'll walk into a bank (or some place similar) and just have your print scanned?

You probably say to yourself when you hear of identity theft "well you should have been more careful with your SS# or whatever".....that's you right now!!!

Just saying, I'm not a security/privacy nut but I see the past in all this.

 

[BHP41]

There is so much fail in this thread. SMMFH

Some of you need padded rooms, not smartphones.

 

[12vElectronics]

Hmmm people seem to think they're more important than they actually are.

 

[bozzykid]

Oh, my Lord. You must be a very important person if you can't spend 1-2 seconds inputting a four digit passcode.

That is precisely why most people don't use passcodes. With the fingerprint scanner they will be much more convenient and will lead to more people securing their devices.

 

[cynics]

We've gotten way off topic (admittedly myself included).

The OP was about whether a FP sensor makes the iPhone more secure. The answer is yes and no. As pointed out people that don't use a passcode or use 4 pin codes can now use a long passcode and not be inconvenienced by being required to enter it. Thus a more secure phone.

For those that already use a long passcode a FP sensor is now another means of entry and technically makes your phone less secure.

Taking that one step further though it depends on the type of theft. If its from someone looking over your shoulder to get the code well they are SOL.

Too me this is more for convenience then anything.

 

[woodynorman]

The guys at NSA are all wetting their pants with this new stash of fingerprints.

Huh? What are they going to do with my fingerprint anyway?? Frame me for some crime I didnt commit?

I'm a good boy and obey the law (for the most part) . I just dont understand what you people think the NSA is gonna do with your prints, if they could get them from Apple...

 

[bigjim83]

It offers a liability. Someone could hack your device, get your fingerprint and use it to frame you for a murder.

Also we are suppose to believe that Apple doesn't store it on their server. We have to believe their word for it. That there already seems iffy to me. Didn't they give the NSA backdoor access? By buying this phone you ultimately give up your biometric and other personal data which can be used against you in the future.

I could care less, I used to work in the security field so the government already has my prints! I feel bad for you all who are so important that the government will frame you.