iPad Touch ID or Passcode?

Discussion in 'iPad' started by XYpal, Oct 31, 2014.

  1. XYpal macrumors newbie

    Joined:
    Oct 21, 2014
    #1
    Is Touch ID "safer" than passcode on IPad Air 2? What are you guys using? Is it harder to hack Touch ID vs Passcode? I assume the print is stored on ICloud, too. I'm just curious. Any opinions?
     
  2. Devyn89 macrumors regular

    Devyn89

    Joined:
    Jul 21, 2012
    #2
    Fingerprint is great and much more secure, someone can't really see and copy your fingerprint over your shoulder. As far as I know the fingerprint is stored exclusively on the device and not on iCloud.
     
  3. SandboxGeneral Moderator

    SandboxGeneral

    Staff Member

    Joined:
    Sep 8, 2010
    Location:
    Orbiting a G-type Main Sequence Star
    #3
    If you use Touch ID, you also have to enable the passcode as well. I use the Touch ID and it's very convenient and secure to use.
     
  4. Closingracer macrumors 68020

    Joined:
    Jul 13, 2010
    #4
    I use touch id since I find it so much easier while not hindering me to get to my home screen which is why I tend to avoid pass codes.
     
  5. radioking macrumors regular

    Joined:
    Nov 5, 2012
    #5
  6. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #6
    No. It was shown that a determined and well equipped adversary can bypass Touch ID using a fake finger if they can somehow obtain a clean fingerprint of the owner. E.g. the FBI will be easily able to do this if you have ever been fingerprinted, or a thief could get lucky and find a good print somewhere on the phone.

    A good (i.e. unguessable and too long to brute force) passcode is very difficult to crack on recent iOS devices. The problem is that good passcodes are not very practical. That's really were Touch ID comes in: It makes it practical to use long and complex passcodes since you don't need to enter them very often. Note that the passcode not only controls access to the device, but is also used to derive the cryptographic keys used to encrypt the device's memory.
    The print isn't stored anywhere. A representation of the print (that doesn't allow its reconstruction) is stored in a secure area on the phone only.
     
  7. baypharm macrumors 65816

    baypharm

    Joined:
    Nov 15, 2007
    #7
    Unfortunately Touch ID is not secure. A judge ruled today that fingerprints are not protected by the Constiution/Bill of Rights. This is not good news. This means that law enforcement can force you to unlock your phone with your finger for any reason. And you better know that you can be searched just on probable cause alone.
     
  8. radioking macrumors regular

    Joined:
    Nov 5, 2012
    #8
    They need a warrant according to the Supreme Court.

    http://www.cnn.com/2014/06/25/justice/supreme-court-cell-phones/

    If you turn your phone off before they get it, they have no way of unlocking it without a passcode. I guess you could mess up 3 times on purpose too.
     
  9. ucfgrad93 macrumors P6

    ucfgrad93

    Joined:
    Aug 17, 2007
    Location:
    Colorado
    #9
    I would think that Touch ID would be safer and quicker.
     
  10. Rockies macrumors 6502

    Joined:
    Oct 4, 2011
    #10
    You could always power down the device. Once it is restarted it requires your 4 digit password, even if you have Touch ID set up.
     
  11. baypharm macrumors 65816

    baypharm

    Joined:
    Nov 15, 2007
    #11
    Thanks for the update. I wasn't aware of this. Seemingly good news. Lets hope it keeps many innocent people from being convicted.

    ----------

    Great idea. Thanks. Just might make the difference. We have to remember to do this even if you get pulled over for a traffic violation. One never knows when it could escalate into a larger problem.
     
  12. scaredpoet, Nov 1, 2014
    Last edited: Nov 1, 2014

    scaredpoet macrumors 604

    scaredpoet

    Joined:
    Apr 6, 2007
    #12
    This doesn't make TouchID any less secure. It does however, matter in terms of context and who you're hiding information from.

    If you're protecting information from most casual thieves and non-governmental agencies, TouchID is more than adequate, and very effective, not to mention convenient which was the whole idea (most people don't bother with ANY passcode because they find them to be a hassle). Then again, you could argue that a thief who is interested in your data or device COULD force you to give up your passcode or fingerprint at knifepoint/gunpoint. Then it's not very secure at all, but then you have little choice.

    If you really don't want law enforcement getting at the contents of your phone or iPad, and have some foresight (e.g., you see them coming), you can turn off your devices. On power up, TouchID requires a passcode to start working again. You could also give five bad TouchID reads, locking it out. Or, stall through various legal maneuvers for 48 hours, which also locks out TouchID.

    Let's also not forget: TouchID is useless against anything stored in the cloud. Law enforcement can get warrants for all of that stuff, and it doesn't matter how you've locked down your phone.

    Lastly, no, TouchID fingerprint data is not stored in iCloud. It's stored locally not he device only.
     
  13. baypharm macrumors 65816

    baypharm

    Joined:
    Nov 15, 2007
    #13
    Scaredpoet: awesome explanation. Thanks for taking the time to explain in detail.
     
  14. Julien macrumors G3

    Julien

    Joined:
    Jun 30, 2007
    Location:
    Atlanta
    #14
    The case on which the ruling was determined.

    "...The ruling stemmed from a case involving David Baust, who was accused of strangling his girlfriend. Prosecutors believed Baust may have stored video of the attack on his phone..."
     
  15. XYpal thread starter macrumors newbie

    Joined:
    Oct 21, 2014
    #15
    Thanks for all informative answers. About two years ago, I have received on my credit card statement that I had just bought $3000 gym equipment somewhere in Washington state (I'm in Southern California). Luckily for me AmEx took the "hacker's bill", I did not have to pay. I buy stuff online, only through secured and known websites like Amazon or Apple. So I am kind of weary of new "hot" payment methods with potentially undiscovered yet exploits. NFC chip with Apple Pay sounds promising but who knows... And this new MCX payments system for Walmart "and friends" is like a joke. You have to be out of your mind to sign for this. It is thieves dream came true, linking purchase directly to your banking account, wow... that is secured. No layer of protection from credit card like it was in my case. Mr Snowden's revelations showed to all of us what "digital life" can be worth it, now.
     
  16. Julien macrumors G3

    Julien

    Joined:
    Jun 30, 2007
    Location:
    Atlanta
    #16
    Apple Pay is quite possible to most hack proof system ever devised. Read here for an understanding. You can even skip down to "How Apple Pay Works, Step-by-Step" to get a full understanding.
     
  17. Beta Particle macrumors 6502a

    Joined:
    Jun 25, 2012
    #17
    The issue with using your fingerprints to unlock a device is that you can't change your fingerprints if someone manages to create a working copy, while you can change a password at any time.

    If you are using a 4-digit passcode to unlock your device, that's not very secure at all.
    While there are measures in place to prevent you typing in four digits again and again until you get it, there are a limited number of possibilities with a 4-digit pin, and it's very common that people use something like a significant date or year as their code.

    If you are concerned about security, you should definitely be using a secure password rather than a 4-digit passcode.
    But typing in a secure password every time you unlock your phone is very tedious.


    For most people, TouchID is going to be more secure and more convenient to use, while providing adequate security measures.

    If you're in a position where your data is so important that you cannot risk it being compromised, then TouchID may not be the best solution, since it would not be difficult forcibly unlock the device if you are present.
    But I would argue that if you have something that important, you probably shouldn't have it on an iPhone to begin with, and a password is not going to help you much either:

    [​IMG]

    I think most people should be considering whether TouchID is secure enough - and for most people it is.
    It really comes down to who you are trying to protect your data from.

    It would not be difficult for someone else to unlock your device without your knowledge while you are asleep for example.
    A password would be much more secure in that instance.
     
  18. scaredpoet macrumors 604

    scaredpoet

    Joined:
    Apr 6, 2007
    #18
    Well, we have a pretty good idea, actually.

    At this point, the worst-case scenario for Apple Pay is that someone physically steals your phone, AND has the following:

    1. A good copy of your fingerprint (and it has to be the right finger(s)).

    2. A few thousand dollars worth of equipment.

    3. Several hours, during which you have to either not be aware your phone is missing, or unable to wipe the phone or cancel your credit cards/alert the bank of your loss.

    OR, the much easier route would be to just steal the credit cards themselves, or hack into a merchant to steal credit card numbers from their databases.

    In this regard, Apple Pay is definitely more secure than more traditional methods of payment. Efforts to hack ApplePay, even if successful, would be pretty much an academic exercise. Since the payment info isn't stored in the cloud, and neither is your fingerprint, any successful hack would require physical theft of the device as a starter. And for most credit card/identify thieves, there are far easier ways to get what they want.

    Exactly. MCX is pretty much a textbook case of how NOT to implement a payment system. It's clunky, it relies on the cloud, and worst of all, there is DIRECT access to your bank account, without any credit card buffer to shield you against fraud.

    At least when someone steals your credit card info, it's a pain and an inconvenience, but you get a new card and the fraudulent purchases are almost always covered by the bank. But if MCX ever gets hacked, you WILL lose access to your cash (not just a credit line), there is no guarantee you'll ever get it back.

    This is coming from someone who uses the cloud regularly for lots of things. But I always have some sort of backup plan or contingency to protect against hacking or data loss. With MCX there is no backup. If someone gains access to my bank account, the money is gone, and that's that.
     
  19. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #19
    Let's not be overly dramatic here. Even if a hacker somehow gains access to your bank account number via MCX, it doesn't mean "the money is gone". Not everyone can simply run ACH withdrawals (this requires some verification steps first), and the account owners can dispute unauthorized ACH transactions and get their money back just as they can credit card charges. Remember that people have given out their bank account numbers for decades every time they wrote a check. Obviously humanity has survived. :p

    And of course hacking an MCX account does not give the hacker full access to your bank account. This would require hacking your bank's web site (which, unfortunately, many banks make far too easy by not offering full 2-factor authentication etc.).
     
  20. XYpal thread starter macrumors newbie

    Joined:
    Oct 21, 2014
    #20
    Thanks Beta and Scaredpoet for extra info. The weak link of electronic payment system is the third party access, in this case like Verizon, AT&T but it is more academic than real threat at this time (unless it is some kind of inside job). The recent news about "sticky cookies" from Verizon and AT&T can tell you, how much they are commited to protect customer privacy. Check this link
    http://lessonslearned.org/sniff
    What it means that decisions about your privacy/security choices doesn't belong only to Apple or you but others, too. Apple Pay system seemed to be the best available choice what we can get for now.
     
  21. scaredpoet macrumors 604

    scaredpoet

    Joined:
    Apr 6, 2007
    #21
    Not being overly dramatic then, since you know, any dissent clearly amounts to melodrama: Are you endorsing MCX? Will you be using it, yourself?
     
  22. Kissaragi macrumors 68020

    Joined:
    Nov 16, 2006
    #22
    In the real world touch ID is far more secure and far easier.

    When are most people likely to be arrested and have a court order to open their iPad? Exactly.
     
  23. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #23
    Probably not, since I don't like my purchase history being data-mined for marketing purposes. For the same reason I generally don't participate in customer loyalty programs. But what does my personal preference have to do with your concerns about bank account numbers?
     
  24. scaredpoet macrumors 604

    scaredpoet

    Joined:
    Apr 6, 2007
    #24
    Fair enough. For me that's another eason not to participate in MCX, either.

    Why does it have to? I was merely asking a question.
     
  25. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #25
    The success or failure of MCX should be based on the facts, not FUD. There will not be a mass clean-out of the bank accounts of MCX users. Security will not be a major issue with it. While MCX may not be as secure as Apple Pay, is it no less secure than using a debit card, which is good enough for most people. The determining factors will be industry support, cost, convenience, and customer incentives.

    But all this is really off-topic in this thread ...
     

Share This Page