Hacker News new | comments | show | ask | jobs | submit login

s/TouchID/Face Unlock/g and back up about 2 years and you can find all the same things said about Ice Cream Sandwich.

It's a cute feature. It's not going to change the world, sell another billion phones, push other companies out of the market, or save anyone from serious attacks. It's probably a good idea to enable it anyway.

Except TouchID, from what I gather, actually works. Not "works" in the sense of keeping bad people out, but "works" in the sense that when I use it my phone unlocks. I tried face unlock briefly on the Google Nexus I've got and disabled it shortly after when I found that it was unreliable. Poor lighting, too much lighting, a bad hair day, it wasn't even at 80% for successful unlocks.

> Not "works" in the sense of keeping bad people out, but "works" in the sense that when I use it my phone unlocks.

I think that's the key distinction here. In any given authentication scheme it's important not to have false positives (incorrectly identifying a bad guy as you) or false negatives (incorrectly identifying you as a bad guy). In this case false positives break security, false negatives break usability. However, false positives won't outright stop adoption whereas false negatives will.

To be honest, I disabled face unlock the moment my brother unlocked it with his face... Yeah, touch id won't let that happen.

Fake unlock was slow and unreliable when it first came out 2 years ago but is pretty darn good nowadays, and just as fast as TouchID. No, it doesn't work in pitch dark or if you're wearing sunglasses. But I'll take "works 90% of the time" over an unlock feature that requires a hardware component that pretty much locks you into 1 form factor.

The problem is that you need to think about this when you unlock your phone. With TouchID you always unlock your phone with your finger.

"With TouchID you always unlock your phone with your finger"

With glove, dirty or too much sweat, I believe it does not work. So, it's not 'always'.

Not to mention, by the time I am looking at the phone, I want it already unlocked. Sometimes I want it unlocked in my pocket (Siri?). TouchID allows me to do that. Face unlock does not.

When it works fast, face unlock can be rather stunning. Occasionally it would catch a glimpse of my face obliquely and unlock before I even got to position it correctly.

However like others, I turned it off because the performance was highly variable, and the failure mode consists of a many-seconds wait which can be extremely infuriating (even embarrassing, as as you stare blankly at your phone for 5 seconds at a party, trying to quickly get someone's number or something).

does touchid have the disadvantage of keeping your friends and family unable to use your phone in cases of emergency? 95% of the time, my phone isnt next to adversaries, but trusted parties. a password or code is transferrable, fingerprint isnt.

edit; not 911emergency, but casual situations of full or dirty hands..

You can always just use a PIN to unlock. It's probably safe to assume that Apple has thought this through (no need to remind me of the supposed chaos break-in).

You can add ten fingers, or you can give them your code, or they can dial 911 with a fully locked phone. So no, it's slightly easier for a relative to use in an emergency than a typical locked phone.

Mine when locked has a small touch section labeled 'emergency call'. I assume it goes through to 911 (or relevant number). I'm tempted to press it but it's not an emergency. I assumed most phones had something similar.

Edit: I went to it. I leads to a special dialer. Instead of voicemail the button leads to a special emergency contact (or list). It only shows 4 inputs on top so I am guessing that is the limit so you can't dial anything but emergency services (that are 4 numbers or shorter). Then it goes back to my lock screen.

It is more difficult to defeat a touch sensor than face unlock. With face unlock, I just need a photo of the phone's owner.

With a fingerprint unlock, I need to go to at least a little trouble to fake the fingerprint.

Depends on scenario. If you steal a phone from a bag on the subway, you'll never be able to get that photo but can probably lift the print right off the phone itself. So maybe iOS has better-yet-still-mediocre protection against snooping yet inferiorly-mediocre guards against identity theft. Yawn.

In neither case is the phone meaningfully protected against serious attack. Why must we have this argument? It's a cute feature. Use it.

> but can probably lift the print right off the phone itself

What utter unmitigated rubbish. It is extremely unlikely that even a fully qualified CSI would be able to lift a full print from a mobile phone, let alone one that that can be reliably reproduced in the manner CCC described.

On release, people were saying it was unhackable. Molds were made that faked it within a week. You really want to bet that no one will make this work? With a target this high profile?

My 5 year old son was quite literally dusting for fingerprints at the local science museum last weekend. We have some shockingly high fidelity prints of both our thumbs showing all the ridges. And all we had to do was squeeze a piece of plastic. Fingerprints have even less identifying detail than faces. You've been hoodwinked by Apple's marketing, and I'm willing to bet this isn't the first time.

Yup - remember the whole "sub dermal RF fields - so it can't be a fake finger, or your finger can't be cut off - has to have a pulse and be live", from Apple's own marketing?

Yeah, not so much. The fakes didn't even pretend to be live tissue.

It's amazing rant with any Apple story, there you are with an 'expert' opinion followed by a thinly veiled troll. I want to see your 5 year old son lift near perfect prints from a typical iPhone, no deliberate placing of prints mind you. I then want to see you recreate the CCC "hack" with the correct print. It's time to put up or shut up.

but can probably lift the print right off the phone itself

That doesn't seem to be the case to my knowledge. The evidence from the successful attack is that you need an excellent-quality print from one of the specific fingers that has been programmed into the phone. Some phones probably have that on them, but it appears likely that many do not.

Can't someone write an app that stays in the background on their phone and copies fingerprints of people who touch your button?

Under the assumption that the sandbox works, no.

I meant jailbroken, of course.

The "sandbox" being referred to is the "Secure Enclave", which apparently is what ARM calls "TrustZone": http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-... The data isn't accessible to even the OS. So, in theory at least, jailbreaking doesn't make it any more accessible.

Ah, that's interesting, thanks, I didn't know about it.

there ll be an app for that.

edit: build an app, get your colleague, significant other etc touch it on any touchscreen phone or get on camera and create a 3d printed finger. 3d printing vs touchid...maybe

I'm pretty sure the GP was talking about the likelihood of a given phone having an appropriate-quality print [1], which does seem low.

But putting that aside, your hypothetical app would -- using the demonstrated method -- 'lift' that excellent quality print, scan it at 2400 dpi, (clean up said print), print it on a transparency at 1200 dpi, mask it onto photosensitive PCB, develop/etch/clean the PCB, spray graphite and apply wood glue to the mold.

It might make for a slightly-more-plausible-than-normal gadget sequence in a Mission Impossible movie, but it's not much of a concern for the target market. [2]

[1] Despite what decades of shows like CSI might lead us to believe, this is not a simple or error-free process. And each mistake irrecoverably destroys the print.

[2] Most of that market doesn't even use a passcode today and many that do are still using surprisingly bad PINs (birthdays/anniversaries/1234)

I find it amazing that when faced with a general question about a "security" feature the median internet tech nerd responds with an attitude of absolute paranoia (c.f. 4096 bit RSA keys, multi-word pass phrase choices, ssh key forwarding pedantry, general NSA tinfoil hatism....)

Except when confronted with an Apple product. Then it's all "Nah bro, relax. No way could you lift a fingerprint from a glossy phone screen". :)

I'll say it for the third time. It's cute feature (like face unlock was before it). Use it and enjoy it. If you honestly think you're buying a serious security mechanism you're simply wrong.

You see two different classes of responses because there's two different use cases.

There's security that geeks advocate for ourselves and our own implementations (often things we only have to set up and maintain infrequently) and then there's security that normals actually use (often things they have to authenticate with several times a day).

And I must have missed it, if anyone's been arguing this is a serious security mechanism. As far as I've seen, it's been lauded as (not much) better than a passcode, but, primarily, convenient enough to get people to use it instead of nothing, bringing up the relative security of a still-fairly-insecure bunch.

And you may want to re-read the discussion over the faked-print attacks. It isn't about (im)possibility. It's about the time, expertise and equipment involved and the likelihood of success being too expensive to be worthwhile for gaining access to most phones. [1]

And if we're wearing our "serious" security hats, I still don't see any reason to worry too much about print faking, as its core assumption is a skilled attacker who has unfettered physical access to our device, unbeknownst to us and beyond our control. And at that point, the game is already over.

[1] CCC themselves, with ideal source prints, had to significantly complicate their process to generate fakes that worked with a suitable consistency. So even if you think suitable source prints grow on trees, the point of significant skill, equipment, time and resources remains.

It's not at all clear that the absolute paranoiacs and the people saying that it's unlikely that any but a vanishingly small number of regular people will ever have Touch ID hacked are from the same set.

When you say it's not "a serious security mechanism", it sounds as if that's defined in some absolute terms. But if the effort to hack it is hundreds of times more difficult than the possible payoff from hacking it (which appears to be the case for nearly anybody but James Bond), then it acts as a serious security mechanism for that user's context. Literally nobody is going to make a mold of my finger to unlock my iPhone — they'd have to be absolutely insane to think that was worthwhile. So it's a serious security mechanism for me. Would it be a serious security mechanism to cover nuclear launch codes? Of course not.

> When you say it's not "a serious security mechanism", it sounds as if that's defined in some absolute terms.

You have to understand that the practice of cryptography has always had a military basis; the commercial/private use is ancillary.

So, what's "a serious security mechanism?" Presume you're a military commander during active war, whose battle plans are intercepted by an opposing nation. What is the likelihood, given the opposing nation believes your plan will lead to their complete destruction, that they'll be able to break the security in time to execute a counter-operation? A serious security mechanism is anything that reduces that likelihood.

Clever use of the word median to obscure the fact that you're conflating a two different attitudes which likely don't exist in the same person.

Okay, but if you steal a phone on the subway, why would you even bother unlocking it? Just sell it on ebay as a locked phone. Some bored teenagers will buy them up, unlock them, wipe them and then resell them for a few dollars more.

If Find My iPhone is on, that locked phone is essentially a brick, it cannot be activated even if completely wiped, since its still associated with your Apple ID on the server side.

You need to be able to sign in with the Apple ID to remove the association.

Heh. So you think...

I've already done that service for another, using some auto-unlocking tools. Takes all but 5 seconds, including USB negotiation. And it even gets past sim-locks.

My Samsung phone has a feature that requires you to blink in order to unlock the phone to ensure that you're not a still photo.

Of course, I don't actually use it because the face recognition is so bad, and nonexistent in the dark.

Apparently that can be defeated with Photoshop.

Or maybe a animated GIF image.

Animated gifs would today work. What if the camera focused on something behind you first and then the face? Would that bypass a 2D method?

On a camera with effectively infinite depth of field? Probably not.

Couldn't the camera even just focus on a face and then the neck as a point of depth? Honestly, all of these quick-check systems have countless flaws.

I'm ready to have a chip in my arm now.

The point is they're both in focus. The camera (lens) isn't able to focus on the face and not the neck.

Ehh, I haven't crunched the numbers, but that's not necessarily true. Instead of taking a still picture, use video to take a few images and generate a rough 3d image. While I don't think the initial face recognition on Android had it, I believe they (or someone else) did later.

I have no idea how finger print vs facial recognition compare in accuracy, but a decently implemented facial recognition system shouldn't be compromised by a still image.

> With face unlock, I just need a photo of the phone's owner.

face unlock now requires you to blink.

>I just need a photo of the phone's owner.

As they said when they unveiled the feature and people mentioned this: give them a little credit.

They may have said that, but Android 4.0's face unlock proved fairly easy to defeat with still photos, as many people demonstrated, e.g.:


I don't think you can call something a cute feature when it's turned on on most phones and is used to unlock them. I would guess that by far the majority of iPhone 5S's have TouchID enabled. I wouldn't be surprised if it's more than 90%. The feature is just that well executed.

I would be very surprised if it is that high now even with the early adopter skew. Reports say that last year it was around a quarter of smartphone users use passcode locks on their work phone (http://www.welivesecurity.com/2012/02/28/sizing-up-the-byod-...). I imagine 5S rates are higher than that, but 90% would be insanely impressive. When it comes to computer security, as usual, people's apathy is the biggest problem.

I'm sure opt-in/opt-out is a major factor, too. I don't have a 5S, but I'm pretty sure it's opt-out. I think even after upgrading to iOS7 I had to opt-in again to turn on the numerical pass code.

iOS setup flow basically points the user in the direction of setting it up.

Isn't passcode required to get exchange email on iOS?

That's an option set by your IT department. Annoyingly, mine does the same thing. It doesn't have to be that way.

At my work they have allowed the TouchID to be used with our security policy. I just haven't shelled out the money to buy a new phone.

Certain Japanese cigarette vending machines had photographic age detection algorithms. Japanese children used photos of Bruce Willis to buy cigarettes. Getting a photo of your face would be much simpler than getting your prints.

You touch your iphone's screen to use it, right? Getting a latent print isn't exactly difficult.

Acquiring a high-DPI scan of a fingerprint from someone's phone, printing it to a sheet of plastic with a high-DPI laser printer, then making a copy of the print out of liquid latex doesn't sound easy unless you're in the business of pentesting. Taking a picture of someone (or lifting it from a social network) to access their device does sound relatively easy.

If I was the kind of person who was worried about someone accessing the contents of my phone, I'd simply turn off touch ID and use a long password (or spend less money on a phone that didn't have a feature I wouldn't use).

I've gone down the route of using both a long password and touch ID simply because touch ID works so reliably - I've never had to enter my password. That way someone either needs my long password or a physical copy of my fingerprint to access my device. I'd say that's much better than the 4 digit numerical code I relied on previously - which had been seen by friends and family.

See the problem here is that a compromised fingerprint betrays more resources than the system it was meant to protect.

Your iPhone has a picture of your fingerprint inside of it now. It's just a picture, and it's likely a very good picture at that.

What happens when I swipe your phone for a second or two, plug it into my machine, and download the high-resolution picture of your fingerprint?

Do you use a fingerprint lock at home? If so, I've just broken into your home.

Do you use a fingerprint lock for the datacenter you administer? I've just gained access.

Do you own a registered gun? How'd you like me to commit a murder with your fingerprint on it?

This kind of attack is the missing piece of my argument. When someone figures out how to do this, these issues are going to become very important very quickly.

Let's suppose that Apple introduces a feature that syncs your fingerprint across many devices. How convenient, right? Let's say that means keeping all of your fingerprints on Apple servers. Let's now suppose that, like a credit card database, an attacker is able to obtain a leaked copy of the fingerprint database of every iPhone user. The recent touchid hack shows that fingerprints can be spoofed for high-end scanners. What then?

Sure, this scenario is very unlikely. I'm totally in slippery-slope land here.

But when we choose to turn up the dial on convenience to sacrifice more security, we must be prudent, carefully considering the consequences of our intentional ignorance.

TouchID has some tangible implications for markets where some security is needed and convenience is already compromised. For example, my corporate policy disallows pattern lock and requires I use a pin. This is majorly annoying and is enough for me to consider a different device.

The big enterprise market is an awesome place to get a foothold in - they are not really price-sensitive and hate change. Not that Apple has any problems in that segment, but extra lock-in doesn't hurt.

Where this becomes semi-dangerous is in assuming that now your phone is ironclad and you can store whatever on it totally unprotected. The best route to safety is to make informed decisions based on your own risk-tolerance and not be a lemming.

People keep making this analogy but Face Unlock is not being promoted as ever being used for anything but unlocking the phone. Touch ID is the foundation of an entire mobile identity/payment scheme.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact