One of the “innovative” features of the new Apple iPhone 5S is TouchID. TouchID is an integrated fingerprint recognition system. Once your fingerprint registered, you will be able to unlock the phone by pressing your finger on the home button. Is it secure?
On Saturday, the German Chaos Computer Club (CCC) announced that they cracked TouchID. According to them, the technology had nothing new excepted a higher resolution sensor. Thus the countermeasure was to use the traditional proven methods with higher resolution. Of course, it worked.
More interestingly, the official announcement of CCC highlights two major limits of biometrics:
- It is not secure; Most of the systems can be lured.
- Biometrics cannot be revoked! Once cracked, your fingerprint will always valid!
Nevertheless, some comments to mitigate these comments:
- Some systems are more sophisticated. for instance, some fingerprint systems check whether the applied “finger” is living or a piece of latex. These systems are more expensive of course.
- Some biometrics systems such as venous system recognition are far more difficult to lure. Their price is currently out the reach of consumer market.
- As many people do not use pin to lock their phone, using fingerprint may be a more acceptable solution for many people. This would be better than using no access control to the phone, as long as the user does not blindly believe that the phone’s security is absolute.