

Apple Opens Up Touch ID To All Apps - panabee
http://techcrunch.com/2014/06/02/apple-touch-id/

======
koblas
This is going to be a big game changer for 2 factor authentication. No longer
will you have to deal with a series of numbers, but should be able to just
auth with your phone.

~~~
cr3ative
To ask a silly question - how? 2FA apps like Authy don't communicate with the
service they provide for. An app per 2FA application would be extremely
clunky.

------
Holbein
I'm still creeped out by Touch ID (not this opening up, just Touch ID in
general): The recent Snowden files revealed that the NSA actively searches for
and indexes pictures of faces and fingerprints.

I doubt this is 100% secure (since all the code, including the TouchID code,
can be updated in iOS updates, you can add a leak function to a future iOS
update).

When that happens, an attacker can nicely cross-reference your fingerprint
with all the other data.

Anybody else feel that way?

~~~
aeontech
Just like you don't store a plaintext password, neither does TouchID store
your fingerprint as anything recognizable - it's stored as a hashed and salted
representation of your fingerprint. I'd venture to guess that it's device
specific too, I doubt that your fingerprint hash stored on one phone is
identical to the same fingerprint hash stored on a different phone.

Check out the whitepaper here:
[http://images.apple.com/iphone/business/docs/iOS_Security_Fe...](http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf)
if you're curious about details.

~~~
Holbein
I think there is reason to doubt that TouchID stores your fingerprint as a
hash. Let me elaborate:

Even after the initial priming phase, TouchID continues to learn and adapt to
your fingerprints. So during priming, you could always place your finger flat
on the sensor, and then after that, during usage, you can continuously use
different parts of your finger, and if at least a part of your finger overlaps
with a previous image of your finger, TouchID unlocks the device and -
crucially - it continues to learn those new angles of your finger.

This indicates that TouchID internally aggregates an image of your fingerprint
during actual usage. Now to merge those images together, you have to compare
previous images with the new image, to find a common section. And you can't do
that if you have only got a hash of the previous image.

I think therefore just by looking at its operation from outside, we can infer
TouchID stores a fingerprint in a way that it can reproduce the fingerprint
itself.

~~~
CHY872
Apple claim that the fingerprint is not stored in a way for which the
fingerprint itself could be reconstructed - which makes sense.

[https://ssl.apple.com/iphone/business/docs/iOS_Security_Feb1...](https://ssl.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf)

~~~
Holbein
So how do they internally aggregate an image of your fingerprint during actual
usage, then?

Also, hash plus salt together is info that identifies a fingerprint. Why
shouldn't it be possible to leak that info? Once you have it, you can apply it
to your existing database of fingerprints to get matches - no actual
fingerprint image needed...
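
The matching problem argued over in this sub-thread, as an added example that is not part of any commenter's post: a salted hash only matches bit-identical input, while a biometric matcher has to accept readings that differ slightly from the enrolled one. The 256-bit template, the noise model and the 40-bit threshold are constructed assumptions for illustration, not Touch ID's actual format.

```python
import hashlib
import hmac
import random

MAX_BITS = 40  # constructed acceptance threshold for the toy matcher

def salted_hash(template, salt):
    """Password-style storage: SHA-256 over salt + template bytes."""
    return hashlib.sha256(salt + template).digest()

def hamming(a, b):
    """Count differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def noisy_reading(template, flips, rng):
    """Constructed sensor noise: flip `flips` distinct bits."""
    out = bytearray(template)
    for pos in rng.sample(range(len(out) * 8), flips):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)

def exact_hash_match(stored, salt, reading):
    """Hash comparison: succeeds only on bit-identical input."""
    return hmac.compare_digest(stored, salted_hash(reading, salt))

def fuzzy_match(enrolled, reading):
    """Similarity comparison: needs the enrolled template itself."""
    return hamming(enrolled, reading) <= MAX_BITS

def demo():
    rng = random.Random(2014)  # fixed seed so the run is repeatable
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    enrolled, salt, other = rand(32), rand(16), rand(32)  # constructed data
    same = noisy_reading(enrolled, 12, rng)  # same finger, 12 bits off
    stored = salted_hash(enrolled, salt)
    return {
        "hash_identical": exact_hash_match(stored, salt, enrolled),
        "hash_same_finger": exact_hash_match(stored, salt, same),
        "fuzzy_same_finger": fuzzy_match(enrolled, same),
        "fuzzy_other_finger": fuzzy_match(enrolled, other),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```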

------
33W
I'll be interested to see how this is used. I've never liked biometrics as a
password, as once it is compromised, it cannot be changed. They are much more
useful as a username, in my opinion. Does anyone here have any specific uses
in mind?

------
omgitstom
I'm not super excited about Touch ID; I would have been more excited about
opening Siri or Apple TV for devs.

