Hacker News new | comments | show | ask | jobs | submit login

All these academic arguments about the security of fingerprints are interesting but completely are detached from the day-to-day use of TouchID.

I've been using it for about a week or so now. It's incredibly convenient. It unlocks my phone almost instantly. It prevents random people near by phone from being unable to unlock it. If a thief got their hands on it, they'd have a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.

All in all TouchID basically removes almost the entire burden from the security of having a locked phone. It's actually faster to unlock my phone with TouchID than codeless swipe to unlock, so it's a no-brainer to turn it on. It doesn't matter that the NSA probably has my fingerprints, in practice it prevents most people from getting into my phone in a way that is transparent and easy to use. If the spooks want my data, they can already get it.

I think your response raises an issue of perspective. Are we focusing on fingerprint technology from a user's point of view - or are we considering its implications over many years?

This reminds me of certain U.S. Supreme Court decisions. As someone who's interested in constitutional law, I often find myself defending things that seem trivial and nitpicky. Why does it matter if the police enter one drug dealer's home without a proper warrant? Who cares if we restrict someone's speech, considering that the person was, say, a racist whose ideas were ignorant and offensive?

Of course, the content in this analogy is very different. I'm not comparing fingerprint scanners to crimes. But the logic is very similar: when judging law and technology, respectively, it's important to consider how seemingly small decisions serve as a precedents for bigger trends.

If fingerprint scanners become a common replacement for passwords, and the author's argument is correct, the scanners may dramatically change our security and expectations of privacy.

Consider the thorny issues of courts forcing people to turn over passwords to decrypt phones to implicate themselves. Typically, it's a constitution tarpit as you should not be forced to implicate yourself.

However, your fingerprint is a username in that case because it is all over the place. The police already have it. Don't be fooled, there are certainly kits being sold to law enforcement to dupe TouchID. You're data is less protected from those that you'd probably prefer not have easy access to it now.

This is a disadvantage only when you are on trial. That's a pretty extreme contingency, and I think most people who aren't internet privacy advocates wouldn't be particularly worried about their phones, of all things, after they've been arrested and indicted.

Outside the HN bubble, this is an acceptable tradeoff. People who are concerned can continue to use passwords.

Outside technological bubbles, people don't understand the implications of technology in regards to security and privacy. You're speaking about "tradeoffs" however people don't understand the tradeoff and will think fingerprinting is secure, because look, Apple is doing it.

Therefore it is up to us to make the right choices. That we aren't doing it, choosing instead to defend flawed technological improvements and the companies doing it, is very regrettable.

> This is a disadvantage only when you are on trial. That's a pretty extreme contingency

No dude, that's not the only thing that can happen and it's in no way extreme. Many people do go on trial for trivial things (because shit, in the US at least, suing people is a way of life) and your laptop or phone contains your most secret conversations and desires, being the ultimate incrimination tool, a digital fingerprint of your own mind.

And you don't have to be on any trial. You don't even have to be a suspect in an investigation. It can happen and has happened for laptops or phones to be seized for inspection during routine filters, like by the airport security.

Also, in the US you may live under the rule of the law. What about countries where oligarchies rule, countries where corruption is the norm? What about countries like Rusia, China, India or Brazil?

Just today I read about a story about this traffic cop from my own country that had the bad inspiration of doing his job by fining his own boss for ignoring a red light and exceeding the speed limits. He was later accused of all sort of bullshit and had to fight it in a court of law for 2 years before he was exonerated.

And technology evolves and our devices are gradually becoming our stored memory. What do you think these corrupt officials or organized crime syndicates could do with your own mind, 10 years from now? A lot dude ;-)

It's easy to say that now while you're not on trial. What happens if the day comes where you are on trial, for something you may or may not be guilty of and what you have on your phone could potentially incriminate you, corroborating false accusations? We see it all the time, information is translated out of context and used in ways it was never supposed to be interpreted. It happens all over the media, it happens in smear campaigns in politics, it happens any time someone wants to get ahead of you on the promotional ladder. It's too late to come back after the fact and say "Well shit, I guess I should have considered the implications of that technology being used against me when I considered it just as a convenience." Sure, it's convenient. I get that, we all do. But if you don't consider the price of that convenience up front, you can't come back and complain that it was used against you afterwards.

Also, configurable after a few hours it can ask the password anyway. A trial and being compelled to place your finger on the phone goes way beyond that. Or if they're going to beat you over the head with a metal pile regardless to unlock then the difference between a passcode or your fingerprint becomes meaningless.

That's too black and white. Is there nothing that you would give your life for? There is nothing worth dying for? Maybe you should think less of convienience and more about living a life worth living.

Not just on trial; on trial with incriminating information that's exclusively available on your iPhone and stored unencrypted without any additional passcode or password protection.

>Outside the HN bubble, this is an acceptable tradeoff.

I'm glad you have been deemed worthy enough to make that decision for the rest of the population that doesn't understand the implications of what they are getting into.

> a few attempts to unlock it with a fake fingerprint, and then they'd have to enter my code. And if they fail to enter my code 10 times, the phone is wiped.

Are you saying that random people can pick up your phone when you go to the bathroom, touch the home button 3 times, and then enter "1111" 10 times, and wipe your phone? Is there some protection against this?

It starts throttling attempts before going full lockdown. But, yeah, don't leave assholes alone with your phone.

There's some aphorism about "assholes" and children which my brain thinks fits here but that same brain won't recall what it is.

Anyhow, my initial thought was, perhaps not an asshole but a child? I could see a child playing with the phone and wiping it in quite short time. But other commenters pointed out it's not the default and there's cloud back-up it doesn't seem a major problem.

The attempts go up quickly. First try, wait a minute. Then 5, then 10, then 30 mins, then an hour, 3 hours, a day, a week etc.

My friend's 12-month old baby reset the unlock code on her mother's phone and they ended up having to wipe it completely in order to recover.

This is completely unrelated, but why do people say "12 months", "18 months", and "24 months" rather than 1 year, 1.5 years, and 2 years? I don't get it. I'd understand if they're younger than a year old (eg "My son is seven months old!"), but not once the age can be expressed in years.

It's a really neat question, and as a new-ish parent I've given it some thought. In fact, there's even another layer to it: shortly after birth, people tend to count in weeks rather than months.

My guess at an answer is that human beings are more comfortable thinking about numbers that are small integers (between 1 and 20 or so?), and that (roughly speaking) we often want to be able to give a bit more precision than you'd get from just "1" vs. "2".[1]

So for baby growth, parents will talk about how many days old their child is for the first week or so, and then use "weeks" for the first few months, and then use "months" until they're around 2 years old. (There's also a real sense in which the pace of child development seems to progress on a sort of log scale: change is very rapid at first, but gradually slows down. The use of different age units seems to roughly parallel that.)

As an aside, this same human preference is presumably also why the English developed different units for (say) inches, feet, and miles rather than using one of those units for everything. [Side note: is there any common English unit between yards and miles? I grew up using "blocks", which is handy, but that's pretty city-specific.]

[1] By "precision" I'm thinking more or less about "relative uncertainty". If you assume that an integer value is accurate to within +/- 0.5, then the percent uncertainty on 1 or 2 is so large as to make the information almost useless, while the implied uncertainty on a big number like 50 is probably smaller than is justified for most contexts.

Chains & rods are what first sprang to mind, but I don't think they were ever common. The definition of 'furlong' from http://physics.info/system-english/ makes it seem like it could have been in common usage:

  Literally, the length of a furrow. A sensible length for
  farmers that later evolved into the acre, which is discussed
  later in this section. A standard furrow is 220 yards long
  or ⅛ mile
Google's ngram tool makes it seem like it was never a contender with the yard, mile, or league.

Furlongs still are in common usage in certain applications. Horse racing, particularly.

Blocks is a good one, although it's not a formal unit, I generally tend to associate it with about a 1/10 of a mile.

Babies grow fast, so there can be a fairly large difference between twelve months and fourteen months, or fourteen months and eighteen months. You can't express those values well in decimal format, so you can't discuss milestones and development in decimal format. My experience is that people usually switch over to years once the child is older than two.

Because there's a lot of difference in development even from month to month, so the extra resolution is needed.

I've read the other replies and my answer is pretty different. I think this has to do with a fact that up until 24 months many toddler-targeted things are spoken of in such fashion:

- Clothes are sized in months 0-3, 3-6 etc.. - During doctor visits you discuss developmental milestones expressed in months.

Etc. You get used to it, since at that age the development of a child is extremely condensed and years simply don't provide enough resolution.

Because numbers like the following are less clear:

- 1.0833 years old: 13 months

- 1.4166 years old: 17 months

- 1.8333 years old: 22 months

So, is it easier to use years on the clean decimals and months whenever it gets hairy, or to just settle on months?

Protection against what ? That is the desired behaviour of most people. And if it isn't then you can simple disable the behaviour.

It's not like you will lose data since it is backed up to iCloud.

I think you misunderstood. The person entering bogus passwords is not a thief, but an otherwise trusted prankster. For example, a brother.

This has always been available as a setting on iOS and it is not the default. Most companies though will install a profile which enables this to a custom value of retry attempts if you add the company email (typically exchange ) account to your phone

> Protection against what ?

Um, protection against random people wiping your phone maybe?

How do you expect the phone to distinguish between "password entered 10 times incorrectly by asshole" and "password entered 10 times incorrectly by thief"?

If this is a problem with your circle of friends: find new friends, or disable this feature.

Even without TouchID, iirc on previous iPhone models entering an invalid password 10 times would trigger a wipe. So not a new threat -- just balancing maintaining the confidentiality of your data with the DOS risk.

Well, you do have to explicitly turn that option on. It's in no means a default.

If you use the iPhone Configuration Utility, you can even reduce the attempts down 2 before it wipes itself.

I guess it's useful in circumstances where the data on the phone is more valuable than the phone itself.

That is no different than the current situation - enter the PIN code in wrong enough times and phone locks down. There's just an additional (print reader) barrier in the way

Yes, backup your data.

Please don't delude yourself into thinking this is any safer against the typical kind of smartphone theft.

Thieves will offload the phone to someone using software explicitly designed to wipe electronics to be resold.

Whether they are wiping an iphone that happens to have touch ID or not is only relevent towards the resale price once it's wiped.

Clearly Apple marketing works, as it's somehow convinced a member of (I'd hope) a more technical audience that their electronics are somehow safer against thieves.

I'm not protecting my phone, I'm protecting my data. It does a pretty good job of that. Don't think we're somehow deluded for thinking that the data is the more valuable part of the thing.

The most important distinction. Someone who wants your hardware doesn't care about the data, and will wipe the phone (although this is where iOS 7's Activation Lock comes in). And, if they want your data, they will figure that out, too. Touch ID is just a deterrent, same as a password or PIN, just to varying degrees.

Uh, no. Of course it's doesn't prevent theft. (Though the new 'wipe the phone in 10 tries' thing may deter it, separate from TouchID, I'm not sure.)

The point is that with TouchID (as opposed to no passcode) the thief will not be able to send porn to my mom or read my text messages before they wipe the phone.

And with iOS7 they're going to have a harder time wiping it because phones are now locked to your Apple account. So they need your Apple account ID and password to wipe it.

I wonder how much targeted attacks to recover that go for on the black market? Would the phone thief still make a profit?

An iPhone that is wiped, even in DFU mode, requires the Apple ID and password immediately after it is booted for the first time.

Basically, a stolen iPhone is only worth the sum of its parts so they can be used to repair other phones.

How does this work? I sold my old iphone to amazon. I never reported it "unstolen" or whatever to apple. Amazon paid me $200 for iPhone parts?

It's new in iOS 7. You'll have to explicitly wipe & reset your iPhone before selling it from now on.

So if it works as advertised, stolen iPhones and iPads will only be worth the sum of their parts.

Hmm. After upgrading my ipad to iOS 7, I changed my pass code. Which I promptly forgot. I had to reset it from iTunes, on a computer which had never paired with the ipad (in fact I had to download iTunes to do this). When the ipad restarted it asked me for my Apple ID but that seemed to be for the iCloud restore. I think I could have skipped it and had a functioning ipad. But apparently not?

Nope. The Apple ID is necessary to restore in iOS 7.

removing that wipe feature would be a nice tidy way to destroy the secondary market for iphones...

did I just predict iOS8?


Apple are perfectly happy with the second hand market for iPhones.

I've just ordered a 5S. It's costing me £709. My iPhone 4S 64Gb is worth about £200 second hand. Even a new 8Gb 4S, the cheapest model available new, is £349.

Anyone interested in my second hand phone was almost certainly never going to spring for a new iPhone.

The market for second hand iPhones does next to nothing to cannibalise the market for new iPhones (which Apple cares about) and strengthens the iOS ecosystem (both by bringing in new customers who might buy apps, music and movies but also keeping customers away from competing platforms).

There's more upside than downside for Apple in second hand iPhones.

With iOS 7, when you select "Erase All Content and Settings", it will disable Find My iPhone after prompting you for your Apple ID password.


No one thinks it will deter thieves. It will make it more difficult for thieves to offload the phone (however marginally), and will give you time to use Find My iPhone, wipe it remotely, or brick it before your data gets compromised. As someone who did not use a passcode who recently had a phone stolen, I can tell that this is valuable. Also, why don't people focus on the real convenience - purchases by fingerprint scan.

I think any reference to improved protection against theft has to do with iOS 7's new feature of requiring an Apple ID even after a wipe.

s/TouchID/Face Unlock/g and back up about 2 years and you can find all the same things said about Ice Cream Sandwich.

It's a cute feature. It's not going to change the world, sell another billion phones, push other companies out of the market, or save anyone from serious attacks. It's probably a good idea to enable it anyway.

Except TouchID, from what I gather, actually works. Not "works" in the sense of keeping bad people out, but "works" in the sense that when I use it my phone unlocks. I tried face unlock briefly on the Google Nexus I've got and disabled it shortly after when I found that it was unreliable. Poor lighting, too much lighting, a bad hair day, it wasn't even at 80% for successful unlocks.

> Not "works" in the sense of keeping bad people out, but "works" in the sense that when I use it my phone unlocks.

I think that's the key distinction here. In any given authentication scheme it's important not to have false positives (incorrectly identifying a bad guy as you) or false negatives (incorrectly identifying you as a bad guy). In this case false positives break security, false negatives break usability. However, false positives won't outright stop adoption whereas false negatives will.

To be honest, I disabled face unlock the moment my brother unlocked it with his face... Yeah, touch id won't let that happen.

Fake unlock was slow and unreliable when it first came out 2 years ago but is pretty darn good nowadays, and just as fast as TouchID. No, it doesn't work in pitch dark or if you're wearing sunglasses. But I'll take "works 90% of the time" over an unlock feature that requires a hardware component that pretty much locks you into 1 form factor.

The problem is that you need to think about this when you unlock your phone. With TouchID you always unlock your phone with your finger.

"With TouchID you always unlock your phone with your finger"

With glove, dirty or too much sweat, I believe it does not work. So, it's not 'always'.

Not to mention, by the time I am looking at the phone, I want it already unlocked. Sometimes I want it unlocked in my pocket (Siri?). TouchID allows me to do that. Face unlock does not.

When it works fast, face unlock can be rather stunning. Occasionally it would catch a glimpse of my face obliquely and unlock before I even got to position it correctly.

However like others, I turned it off because the performance was highly variable, and the failure mode consists of a many-seconds wait which can be extremely infuriating (even embarrassing, as as you stare blankly at your phone for 5 seconds at a party, trying to quickly get someone's number or something).

does touchid have the disadvantage of keeping your friends and family unable to use your phone in cases of emergency? 95% of the time, my phone isnt next to adversaries, but trusted parties. a password or code is transferrable, fingerprint isnt.

edit; not 911emergency, but casual situations of full or dirty hands..

You can always just use a PIN to unlock. It's probably safe to assume that Apple has thought this through (no need to remind me of the supposed chaos break-in).

You can add ten fingers, or you can give them your code, or they can dial 911 with a fully locked phone. So no, it's slightly easier for a relative to use in an emergency than a typical locked phone.

Mine when locked has a small touch section labeled 'emergency call'. I assume it goes through to 911 (or relevant number). I'm tempted to press it but it's not an emergency. I assumed most phones had something similar.

Edit: I went to it. I leads to a special dialer. Instead of voicemail the button leads to a special emergency contact (or list). It only shows 4 inputs on top so I am guessing that is the limit so you can't dial anything but emergency services (that are 4 numbers or shorter). Then it goes back to my lock screen.

It is more difficult to defeat a touch sensor than face unlock. With face unlock, I just need a photo of the phone's owner.

With a fingerprint unlock, I need to go to at least a little trouble to fake the fingerprint.

Depends on scenario. If you steal a phone from a bag on the subway, you'll never be able to get that photo but can probably lift the print right off the phone itself. So maybe iOS has better-yet-still-mediocre protection against snooping yet inferiorly-mediocre guards against identity theft. Yawn.

In neither case is the phone meaningfully protected against serious attack. Why must we have this argument? It's a cute feature. Use it.

> but can probably lift the print right off the phone itself

What utter unmitigated rubbish. It is extremely unlikely that even a fully qualified CSI would be able to lift a full print from a mobile phone, let alone one that that can be reliably reproduced in the manner CCC described.

On release, people were saying it was unhackable. Molds were made that faked it within a week. You really want to bet that no one will make this work? With a target this high profile?

My 5 year old son was quite literally dusting for fingerprints at the local science museum last weekend. We have some shockingly high fidelity prints of both our thumbs showing all the ridges. And all we had to do was squeeze a piece of plastic. Fingerprints have even less identifying detail than faces. You've been hoodwinked by Apple's marketing, and I'm willing to bet this isn't the first time.

Yup - remember the whole "sub dermal RF fields - so it can't be a fake finger, or your finger can't be cut off - has to have a pulse and be live", from Apple's own marketing?

Yeah, not so much. The fakes didn't even pretend to be live tissue.

It's amazing rant with any Apple story, there you are with an 'expert' opinion followed by a thinly veiled troll. I want to see your 5 year old son lift near perfect prints from a typical iPhone, no deliberate placing of prints mind you. I then want to see you recreate the CCC "hack" with the correct print. It's time to put up or shut up.

but can probably lift the print right off the phone itself

That doesn't seem to be the case to my knowledge. The evidence from the successful attack is that you need an excellent-quality print from one of the specific fingers that has been programmed into the phone. Some phones probably have that on them, but it appears likely that many do not.

Can't someone write an app that stays in the background on their phone and copies fingerprints of people who touch your button?

Under the assumption that the sandbox works, no.

I meant jailbroken, of course.

The "sandbox" being referred to is the "Secure Enclave", which apparently is what ARM calls "TrustZone": http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-... The data isn't accessible to even the OS. So, in theory at least, jailbreaking doesn't make it any more accessible.

Ah, that's interesting, thanks, I didn't know about it.

there ll be an app for that.

edit: build an app, get your colleague, significant other etc touch it on any touchscreen phone or get on camera and create a 3d printed finger. 3d printing vs touchid...maybe

I'm pretty sure the GP was talking about the likelihood of a given phone having an appropriate-quality print [1], which does seem low.

But putting that aside, your hypothetical app would -- using the demonstrated method -- 'lift' that excellent quality print, scan it at 2400 dpi, (clean up said print), print it on a transparency at 1200 dpi, mask it onto photosensitive PCB, develop/etch/clean the PCB, spray graphite and apply wood glue to the mold.

It might make for a slightly-more-plausible-than-normal gadget sequence in a Mission Impossible movie, but it's not much of a concern for the target market. [2]

[1] Despite what decades of shows like CSI might lead us to believe, this is not a simple or error-free process. And each mistake irrecoverably destroys the print.

[2] Most of that market doesn't even use a passcode today and many that do are still using surprisingly bad PINs (birthdays/anniversaries/1234)

I find it amazing that when faced with a general question about a "security" feature the median internet tech nerd responds with an attitude of absolute paranoia (c.f. 4096 bit RSA keys, multi-word pass phrase choices, ssh key forwarding pedantry, general NSA tinfoil hatism....)

Except when confronted with an Apple product. Then it's all "Nah bro, relax. No way could you lift a fingerprint from a glossy phone screen". :)

I'll say it for the third time. It's cute feature (like face unlock was before it). Use it and enjoy it. If you honestly think you're buying a serious security mechanism you're simply wrong.

You see two different classes of responses because there's two different use cases.

There's security that geeks advocate for ourselves and our own implementations (often things we only have to set up and maintain infrequently) and then there's security that normals actually use (often things they have to authenticate with several times a day).

And I must have missed it, if anyone's been arguing this is a serious security mechanism. As far as I've seen, it's been lauded as (not much) better than a passcode, but, primarily, convenient enough to get people to use it instead of nothing, bringing up the relative security of a still-fairly-insecure bunch.

And you may want to re-read the discussion over the faked-print attacks. It isn't about (im)possibility. It's about the time, expertise and equipment involved and the likelihood of success being too expensive to be worthwhile for gaining access to most phones. [1]

And if we're wearing our "serious" security hats, I still don't see any reason to worry too much about print faking, as its core assumption is a skilled attacker who has unfettered physical access to our device, unbeknownst to us and beyond our control. And at that point, the game is already over.

[1] CCC themselves, with ideal source prints, had to significantly complicate their process to generate fakes that worked with a suitable consistency. So even if you think suitable source prints grow on trees, the point of significant skill, equipment, time and resources remains.

It's not at all clear that the absolute paranoiacs and the people saying that it's unlikely that any but a vanishingly small number of regular people will ever have Touch ID hacked are from the same set.

When you say it's not "a serious security mechanism", it sounds as if that's defined in some absolute terms. But if the effort to hack it is hundreds of times more difficult than the possible payoff from hacking it (which appears to be the case for nearly anybody but James Bond), then it acts as a serious security mechanism for that user's context. Literally nobody is going to make a mold of my finger to unlock my iPhone — they'd have to be absolutely insane to think that was worthwhile. So it's a serious security mechanism for me. Would it be a serious security mechanism to cover nuclear launch codes? Of course not.

> When you say it's not "a serious security mechanism", it sounds as if that's defined in some absolute terms.

You have to understand that the practice of cryptography has always had a military basis; the commercial/private use is ancillary.

So, what's "a serious security mechanism?" Presume you're a military commander during active war, whose battle plans are intercepted by an opposing nation. What is the likelihood, given the opposing nation believes your plan will lead to their complete destruction, that they'll be able to break the security in time to execute a counter-operation? A serious security mechanism is anything that reduces that likelihood.

Clever use of the word median to obscure the fact that you're conflating a two different attitudes which likely don't exist in the same person.

Okay, but if you steal a phone on the subway, why would you even bother unlocking it? Just sell it on ebay as a locked phone. Some bored teenagers will buy them up, unlock them, wipe them and then resell them for a few dollars more.

If Find My iPhone is on, that locked phone is essentially a brick, it cannot be activated even if completely wiped, since its still associated with your Apple ID on the server side.

You need to be able to sign in with the Apple ID to remove the association.

Heh. So you think...

I've already done that service for another, using some auto-unlocking tools. Takes all but 5 seconds, including USB negotiation. And it even gets past sim-locks.

My Samsung phone has a feature that requires you to blink in order to unlock the phone to ensure that you're not a still photo.

Of course, I don't actually use it because the face recognition is so bad, and nonexistent in the dark.

Apparently that can be defeated with Photoshop.

Or maybe a animated GIF image.

Animated gifs would today work. What if the camera focused on something behind you first and then the face? Would that bypass a 2D method?

On a camera with effectively infinite depth of field? Probably not.

Couldn't the camera even just focus on a face and then the neck as a point of depth? Honestly, all of these quick-check systems have countless flaws.

I'm ready to have a chip in my arm now.

The point is they're both in focus. The camera (lens) isn't able to focus on the face and not the neck.

Ehh, I haven't crunched the numbers, but that's not necessarily true. Instead of taking a still picture, use video to take a few images and generate a rough 3d image. While I don't think the initial face recognition on Android had it, I believe they (or someone else) did later.

I have no idea how finger print vs facial recognition compare in accuracy, but a decently implemented facial recognition system shouldn't be compromised by a still image.

> With face unlock, I just need a photo of the phone's owner.

face unlock now requires you to blink.

>I just need a photo of the phone's owner.

As they said when they unveiled the feature and people mentioned this: give them a little credit.

They may have said that, but Android 4.0's face unlock proved fairly easy to defeat with still photos, as many people demonstrated, e.g.:


I don't think you can call something a cute feature when it's turned on on most phones and is used to unlock them. I would guess that by far the majority of iPhone 5S's have TouchID enabled. I wouldn't be surprised if it's more than 90%. The feature is just that well executed.

I would be very surprised if it is that high now even with the early adopter skew. Reports say that last year it was around a quarter of smartphone users use passcode locks on their work phone (http://www.welivesecurity.com/2012/02/28/sizing-up-the-byod-...). I imagine 5S rates are higher than that, but 90% would be insanely impressive. When it comes to computer security, as usual, people's apathy is the biggest problem.

I'm sure opt-in/opt-out is a major factor, too. I don't have a 5S, but I'm pretty sure it's opt-out. I think even after upgrading to iOS7 I had to opt-in again to turn on the numerical pass code.

iOS setup flow basically points the user in the direction of setting it up.

Isn't passcode required to get exchange email on iOS?

That's an option set by your IT department. Annoyingly, mine does the same thing. It doesn't have to be that way.

At my work they have allowed the TouchID to be used with our security policy. I just haven't shelled out the money to buy a new phone.

Certain Japanese cigarette vending machines had photographic age detection algorithms. Japanese children used photos of Bruce Willis to buy cigarettes. Getting a photo of your face would be much simpler than getting your prints.

You touch your iphone's screen to use it, right? Getting a latent print isn't exactly difficult.

Acquiring a high-DPI scan of a fingerprint from someone's phone, printing it to a sheet of plastic with a high-DPI laser printer, then making a copy of the print out of liquid latex doesn't sound easy unless you're in the business of pentesting. Taking a picture of someone (or lifting it from a social network) to access their device does sound relatively easy.

If I was the kind of person who was worried about someone accessing the contents of my phone, I'd simply turn off touch ID and use a long password (or spend less money on a phone that didn't have a feature I wouldn't use).

I've gone down the route of using both a long password and touch ID simply because touch ID works so reliably - I've never had to enter my password. That way someone either needs my long password or a physical copy of my fingerprint to access my device. I'd say that's much better than the 4 digit numerical code I relied on previously - which had been seen by friends and family.

See the problem here is that a compromised fingerprint betrays more resources than the system it was meant to protect.

Your iPhone has a picture of your fingerprint inside of it now. It's just a picture, and it's likely a very good picture at that.

What happens when I swipe your phone for a second or two, plug it into my machine, and download the high-resolution picture of your fingerprint?

Do you use a fingerprint lock at home? If so, I've just broken into your home.

Do you use a fingerprint lock for the datacenter you administer? I've just gained access.

Do you own a registered gun? How'd you like me to commit a murder with your fingerprint on it?

This kind of attack is the missing piece of my argument. When someone figures out how to do this, these issues are going to become very important very quickly.

Let's suppose that Apple introduces a feature that syncs your fingerprint across many devices. How convenient, right? Let's say that means keeping all of your fingerprints on Apple servers. Let's now suppose that, like a credit card database, an attacker is able to obtain a leaked copy of the fingerprint database of every iPhone user. The recent touchid hack shows that fingerprints can be spoofed for high-end scanners. What then?

Sure, this scenario is very unlikely. I'm totally in slippery-slope land here.

But when we choose to turn up the dial on convenience to sacrifice more security, we must be prudent, carefully considering the consequences of our intentional ignorance.

TouchID has some tangible implications for markets where some security is needed and convenience is already compromised. For example, my corporate policy disallows pattern lock and requires I use a pin. This is majorly annoying and is enough for me to consider a different device.

The big enterprise market is an awesome place to get a foothold in - they are not really price-sensitive and hate change. Not that Apple has any problems in that segment, but extra lock-in doesn't hurt.

Where this becomes semi-dangerous is in assuming that now your phone is ironclad and you can store whatever on it totally unprotected. The best route to safety is to make informed decisions based on your own risk-tolerance and not be a lemming.

People keep making this analogy but Face Unlock is not being promoted as ever being used for anything but unlocking the phone. Touch ID is the foundation of an entire mobile identity/payment scheme.

An ideology of "Its good enough to thwart 99.9% of the population, therefore its good enough for me." is a very harmful ideology to have when it comes to security because you do nothing to deter mass adoption of the insecure technology.

While an individual person might not be at that great of risk because the amount of crackers willing to exploit touchID is limited to a minute demographic of people, the real harm comes when many iphone owners who share your ideology start using touchID instead of the more secure locking features their phones provide just because its more convenient.

Consider what happens when there are 100,000,000 million insecure phones out in the world. To a motivated cracker/spy/terrorist this is a huge ocean of potential suckers/victims vulnerable to exploitation. While most of these people aren't worth targeting, 1000-10,000 people might be.

This is why rejecting broken security technology is a cause everybody should rally behind. Even if you are never a victim of a black hat, you may very well suffer indirect consequences from the exploitation of somebody else.

Does this go for the locks on your front door as well? As in "nobody should have front door locks that aren't 100% secure even against eg. terrorists"?

If such a lock existed (it doesn't, AFAIK), I would certainly want it on my door. I would still seriously consider it even if it was dramatically more expensive than a regular lock. Just because there are trade offs in security doesn't mean that anyone should be content with the state of the art and not push for improvements, or push against regressions. I'm not sure myself, but people see TouchID as a regression.

This is a good point. But imagine this attitude is adopted and becomes commonplace. People WILL start becoming lax, and people who should not be storing critical information on their phones, or who don't realize that its critical ARE going to lose their phones and they ARE going to get cracked.

I guess the question at that point is, is a 4-digit code better or worse? I'm not fielding that one...

And I think that's the main problem with it. People think that it's actually a true replacement for a password, even though it's not.

Give me a real world scenario where this distinction matters and affects real outcomes. For real users, not people who are trying to protect themselves from the CIA.

You have your phone in your pocket, I want to access your data.

With touch unlock, all I need is my buddy to hold you for 3 seconds while I twist your arm and unlock the phone.

With passcode unlock, getting the password out of you will take some more effort.

Oh, and in this scenario, I can be a thief, or a police officer, or a borders agent, or an abusive husband, or many other things :)

> With passcode unlock, getting the password out of you will take some more effort.

Given that there are two people, capable of violence, against the phone owner I'm not sure that getting the password is going to be that much trouble.

Forcing someone to put their finger on a phone is a matter of seconds. No matter how you put it, getting a password is harder and lengthier.

Getting a password requires consent, even if it's under duress. Getting your finger doesn't require you to agree with anything.

If you use that fingerprint code, any thief that steals your phone and wants your data will have it. It offers no protection at all.

Now, if you arguee that no thief will ever want your data (and you'd be probably right), it doesn't matter if you lock your phone or not, and it won't matter how you do that. In this case, locking schemes are completely useless.

(Now, I'd be content with a fingerprint reader that recognizes a finger - any finger - and unlocks the phone. It's enough protection if my pocket can't defeat it. Unlocking only by specific fingerprints looks like a pain, nobody else will be able to unlock my phone? Thanks, but I'll pass that.)

As a side note, I'd be worried that anyone can wipe my phone if they get their hands on it for a minute.

That's a option that you get to disable.

> And if they fail to enter my code 10 times, the phone is wiped.

You must not have kids, because that statement scares the shit out of me.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact