Touch ID: Unsecure? (Due to passcode)

Discussion in 'iOS 7' started by se99jmk, Sep 16, 2013.

  1. se99jmk macrumors member

    Joined:
    Jun 11, 2012
    #1
    I'm sure I must be missing something here, and perhaps someone can point me in the right direction, but doesn't the passcode make Touch ID insecure?

    ----------------

    Apple have stated that when setting up your fingerprint, you also need to set up a passcode. The passcode is requested when the device has not been used for 48 hours, or if the device has been restarted, and in theory is designed to time-limit hackers finding a way to circumvent the fingerprint scanner.

    I'm confused though.. most users would set a 4-digit passcode because it's easy to remember - Also I don't know about you, but I'm likely to reset my phone or not use it for three days only once every 4-6 months, and therefore more reason to set an easy to remember passcode.

    So if someone steals my phone, rather than crack my fingerprint (long, unique, randomly generated value), they instead just need to turn the phone off and on again, and get presented with a 4-digit code to crack??

    -------------------------

    Of course at this point Touch ID isn't in the wild so this is just speculation at this point, but perhaps the passcode unlock only gives limited access to information? Or stores contents differently?

    If though, a hacker just needs to crack a 4-digit code rather than my fingerprint, then Touch ID is a convenience, not a security measure.

    So, can anyone please help correct me on this? I'm sure this function must be more secure than I've described, but I'm not sure how!

    Thanks

    ----------

    p.s. for those who are interested in the architecture of Touch ID, this article has more on the encryption and chipsets used to make the magic happen:

    http://www.quora.com/Apple-Secure-Enclave/What-is-Apple’s-new-Secure-Enclave-and-why-is-it-important
     
  2. matttye macrumors 601

    Joined:
    Mar 25, 2009
    Location:
    Lincoln, England
    #2
    It's probably there as a backup in case the Touch ID sensor stops functioning as well.

    It makes sense to have a password backup. You could even store the passcode on your phone, as no one will be able to read it without using your fingerprint or knowing the passcode anyway.

    Touch ID still adds a level of security because there will only be rare occasions where you'll have to enter a passcode, so less chance of someone seeing you enter it.
     
  3. BvizioN macrumors 68040

    Joined:
    Mar 16, 2012
    Location:
    Manchester, UK
    #3
    Just a question: How would they get your 4-digit passcode?
     
  4. gr8tfly macrumors 603

    Joined:
    Oct 29, 2006
    Location:
    ~119W 34N
    #4
    A passcode is mandatory before enabling TouchID. It is a backup in case of failure. In addition, if the phone is rebooted, or remains asleep for more than 48 hours, it will require the passcode before allowing TouchID access.
     
  5. Gav2k macrumors G3

    Joined:
    Jul 24, 2009
    #5
    Why would you set a simple code?

    If you had any sense you'd set a nice long 30+ character code because you would need to use it unless the sensor failed. If that happened you enter the above, go into settings, disable passcode and visit Apple. Simple.
     
  6. se99jmk thread starter macrumors member

    Joined:
    Jun 11, 2012
    #6
    Hmm, I get the reasoning behind the Touch ID not working (also I could have just burnt my fingers), however it seems trivial to push the device into requiring the passcode (just switch it off and on)

    Aside from the fact that 1-in-7 use a simple passcode combination:
    http://ios.wonderhowto.com/how-to/t...ones-and-protect-yourself-against-it-0139559/

    Brute-forcing a 4-digit code would not take long at all.. By setting an alphanumeric passcode there's more chance of stopping a hacker, but if the user is going to make it easy to remember, it's still less secure than a randomly generated secure code based on your fingerprint..

    ----------

    Ah, now if that's true.. If it requires your passcode and then subsequently asks for Touch ID, then it limits hackers finding a way around the Touch ID, but that passcode needs to serve as a backup of the Touch ID sensor in case it fails, not an as well as..
     
  7. Gav2k macrumors G3

    Joined:
    Jul 24, 2009
    #7
    Unless it's a burn that's completely destroyed your finger, chances are it'll still scan as it's a subdermal scanner. Add to that the ability to scan multiple fingers and it's all good!!
     
  8. se99jmk thread starter macrumors member

    Joined:
    Jun 11, 2012
    #8
    I'm more thinking general users, not those who are more security conscious. We know from Apple's presentation that a very large portion of users currently do not bother with a passcode at all, so I believe it's very likely that most users would set a 4-digit code as their backup (mainly because it's easy to remember).

    ---------------------

    http://news.cnet.com/8301-1023_3-57405580-93/iphone-passcode-cracking-is-easier-than-you-think/

    I'm sure that iOS and the hardware will improve to stop brute-force attacks, but surely it boils down to that - the longer the code, the more secure the content. And my randomly-generated-long-passcode-fingerprint is going to be more secure than anything I can remember as a passcode.
     
  9. Carlanga macrumors 604

    Joined:
    Nov 5, 2009
    #9
    The TS talked about these points so I don't know why the need to repeat.

    --------

    TS, Touch ID is for convenience. It is not being touted as a security feature but more so a new faster way to unlock your phone, buying apps, etc. w/out having to use a passcode. Like they said in the conference, about half the people don't set up a passcode, and now w/ iOS 7 activation method plus a passcode it makes it really hard to impossible for someone to use a stolen iPhone or get access to your stuff compared to an iPhone that no passcode was set, and since you don't really need to actually put the passcode unless you don't use your phone for a good amount of time, it makes having a secure iPhone simple to the public.
     
  10. Gav2k macrumors G3

    Joined:
    Jul 24, 2009
    #10
    People use simple passwords for speed. The Touch ID negates this so the backup password can be long.
     
  11. matttye macrumors 601

    Joined:
    Mar 25, 2009
    Location:
    Lincoln, England
    #11
    For an easy to remember, hard to guess password, pick four random words and string them together.

    Cowmonkeygoathorse
     
  12. se99jmk thread starter macrumors member

    Joined:
    Jun 11, 2012
    #12
    Thanks everyone!

    Personally I'm too concerned, as you point out you can set an alphanumeric passcode as a backup - I just know that for most of our users their method of remembering a password is to put it on a Post-It and stick it to their monitor!

    Perhaps then as Carlanga it is more of a convenience item? I'd like to believe though that the solution is being touted as a security measure, otherwise why have a dedicated area of the A7 to store it, or develop new hardware/software to make it particularly difficult to hack?

    Of course, it may be as easy as Apple not allowing a 4-digit code, and enforcing a complex password when setting the Passcode which would definitely help!
     
  13. gr8tfly, Sep 17, 2013
    Last edited: Sep 17, 2013

    gr8tfly macrumors 603

    Joined:
    Oct 29, 2006
    Location:
    ~119W 34N
    #13
    So your passcode determines the minimum level of security. The idea here is you create an adequate passcode that you don't need to use often (you can be creative on what memory aids you use). Then, rely on your highly secure fingerprint for everyday use - without the hassle of entering that complex, long, secure passcode. That is what could make TouchID the "killer app" for the 5s.

    It is true many people will continue to use a four digit code, but it is still a matter of education (as it has been). To be honest, I don't use a passcode on mine, as I'm mostly home, so I don't know if Apple has a generator tool on the iPhone that is similar to OS X. If you put in a four digit code, even alphanumeric, it will inform you that it's not very secure.

    ----------

    Apple quote from WSJ article:
     
  14. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #14
    One thing to keep in mind is that after 5 incorrect attempts to guess a passcode the phone gets locked out for a period of time, and after each additional attempt that lockout time grows longer and longer, I think up to hours if not a day. So unless you are quite lucky with a handful of guesses it can take a very long time to go through even a dozen or so combinations, let alone perhaps hundreds if not thousands needed to actually get one right.

    There's also the option to wipe the phone on 10 wrong attempts. And there's Find My iPhone app that most should hopefully have enabled and perhaps use to change their passcode if needed while the phone is missing or wipe it.
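
Added example, not part of any poster's message and not Apple's implementation: a small model of the throttling described in post #14 (5 free attempts, escalating lockouts, optional wipe at 10), applied to the passcode styles discussed in this thread. The delay values, the cap and the 2048-word list size are constructed assumptions; only the 5 and 10 attempt thresholds come from the post.

```python
from fractions import Fraction

FREE_ATTEMPTS = 5      # from the post: lockout begins after 5 wrong guesses
WIPE_AFTER = 10        # from the post: optional wipe on 10 wrong attempts
# Constructed escalation (seconds) before attempts 6..10; NOT Apple's real values.
ASSUMED_DELAYS = [60, 300, 900, 3600, 3600]
ASSUMED_CAP = 24 * 3600  # assumed ceiling, per "up to hours if not a day"


def time_for_guesses(n: int) -> int:
    """Total forced waiting time (seconds) to make n wrong guesses in a row."""
    throttled = max(0, n - FREE_ATTEMPTS)
    stepped = sum(ASSUMED_DELAYS[:throttled])
    capped = max(0, throttled - len(ASSUMED_DELAYS))
    return stepped + capped * ASSUMED_CAP


def guess_probability(keyspace: int, attempts: int, wipe: bool) -> Fraction:
    """Chance a uniformly random passcode is hit within the permitted guesses."""
    allowed = min(attempts, WIPE_AFTER) if wipe else attempts
    return Fraction(min(allowed, keyspace), keyspace)


def average_days(keyspace: int) -> float:
    """Days of lockout waiting to cover half the keyspace when wipe is off."""
    return time_for_guesses(keyspace // 2) / 86400


if __name__ == "__main__":
    spaces = {
        "4 digits": 10 ** 4,
        "6 lowercase alphanumerics": 36 ** 6,
        "4 words from a 2048-word list": 2048 ** 4,
    }
    for label, size in spaces.items():
        p = guess_probability(size, size, wipe=True)
        print(f"{label}: P(hit before wipe)={float(p):.2e}, "
              f"avg wait without wipe={average_days(size):.3g} days")
```

The model assumes passcodes are chosen uniformly at random and that guesses are entered on the device itself; the skew toward simple codes mentioned in post #6 would raise the real figure for 4-digit codes.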
     
  15. se99jmk thread starter macrumors member

    Joined:
    Jun 11, 2012
    #15
    Yup - if Apple enforces the user to use an alphanumeric passcode instead of simple 4-digit, then for 'standard' thefts, the existing protocols will stop most thieves. Also of course with iOS 7 you can't restore a phone without the Apple ID if FindMyiPhone has been set up, so less reason to steal it in the first place!

    -------------

    Apple could still beef-up this area, but not without making it less user friendly.. For example if you have two-factor authentication (2FA) enabled, then instead of a passcode after 48-hours or if restarted, I have to get a one-time-password from another device.

    This would make the solution FAR more secure, and of course only be enabled for those who had enabled 2FA.
     
  16. Sister Owl macrumors member

    Joined:
    Mar 23, 2013
    #16
    What are you people talking about? A thief can just jailbreak a phone and pretty easily pass both pass-code and that fancy Touch ID thing.
     
  17. Tyler23 macrumors 603

    Joined:
    Dec 2, 2010
    Location:
    Atlanta, GA
    #17
    You cannot even jailbreak iOS 6.1.4, there is no jailbreak for iOS 7 either..
     
  18. Sister Owl macrumors member

    Joined:
    Mar 23, 2013
    #18
    There will be a jailbreak for iOS 7, have no doubts. And there IS a jailbreak for iOS 6.1.4
     
  19. se99jmk thread starter macrumors member

    Joined:
    Jun 11, 2012
    #19
    Well, the passcode, possibly (and the point of my post in the first place), but not the fingerprint scan as how it stores the key is different in terms of hardware AND software from how passcodes have historically been stored.
     
  20. Tyler23 macrumors 603

    Joined:
    Dec 2, 2010
    Location:
    Atlanta, GA
    #20
    There is no jailbreak for 6.1.4. Not that's been released.

    And yes, there will be for iOS 7, most likely, but not for a while. Either way, if you passcode lock your phone you'll be fine, especially with the Touch ID.
     
  21. Curun macrumors 6502

    Joined:
    Sep 10, 2013
    #21
    Touch ID is less secure than Passcode alone. It opens a new angle, a new crack to wedge a crowbar in for prying so to speak. Apple doesn't hide this.

    If you use a passcode, you are already more secure.

    Where security is gained, is Apple hopes to woo all those who consider passcode too inconvenient to use, to finally use at least Touch ID. As it's better than nothing.
     
  22. Sister Owl macrumors member

    Joined:
    Mar 23, 2013
    #22
    What about this then? http://www.bonnersprings.com/groups/easyiphone/2013/sep/16/unlockjailbreak-iphone-5-4s-ios-614613io/

    I have an iPhone 5 already, and I am not a tech geek, I'm just an average consumer, I don't have plans to upgrade this or next year. So, no Touch ID for me for a while. But if only iPhone were sold in Ukraine by Apple or their resellers, I would definitely not buy an iPhone 5 and wait for 5S. For me, Touch ID is an extremely interesting feature. But still, I don't understand why it can't be hacked through jailbreak or reinstalling OS. It cannot be THAT secure!
     
  23. Tyler23 macrumors 603

    Joined:
    Dec 2, 2010
    Location:
    Atlanta, GA
    #23
  24. Sister Owl macrumors member

    Joined:
    Mar 23, 2013
    #24
    Can you be more specific here?

    ----------

    You mean it's not true or what? (And why do you say "spam"? Maybe it's my poor English but I don't understand. I just gave one of the first links in Google results for "iOs 6.1.4 jailbreak", I didn't mean to advertise any resources)
     
  25. Tyler23 macrumors 603

    Joined:
    Dec 2, 2010
    Location:
    Atlanta, GA
    #25
    Sorry, yes I meant it's not true. They are working on a jailbreak for 6.1.4, but as of yet one has not been released.
     
