Why Fingerprint Authentication on iPhone is Bad

Apple launched the latest iPhone 5s with fingerprint authentication known as Touch ID.

Soon we had a group of hackers release a video that shows how *easy* it is to break the authentication.

And then we have Apple Fanboys defending their favorite company. The best one is M. G. Siegler:

Well, Apple is a company that would sell phones with features no one would really need, and people would still wait to buy them as if they were waiting for a free lunch. No offense intended; they have created brand value and are now milking it.

In 2009, when I applied for my first startup, it was named “Pratyaksh”, aka “Live Login”. It was a system to authenticate users in an organization via fingerprints instead of LDAP/Active Directory. The reason? Anyone could steal a password. Fingerprints can’t be stolen, or so we thought.

We were using a fingerprint reader by AuthenTec, the same company that makes the sensor on the new iPhone. A bit of surfing told me that fingerprints are most insecure. Then I did an experiment:

1. I picked up a glass of water that I had used recently.

2. I sprayed some printer toner over it.

3. I then picked up a sheet of printer paper, gently wrapped it around the glass, and then applied some pressure.

4. The paper now had my fingerprint on it, in black.

5. I could use the same paper on the fingerprint scanner; it gave me a >70% match.

The result was shocking. Unlike passwords, which are in our minds, we leave our fingerprints everywhere – on glasses, door knobs, public transport systems, phone screens (which seems ironic, because you find a person’s fingerprint on the same phone that’s protected by a fingerprint).

We dropped the project.

And yet, today I see the same scanner on an iPhone. I haven’t seen the phone in real life, but if given a chance I would surely like to try this out. For now I will say that biometric authentication on phones is still 3-4 years away.
