Security & the iPhone 5s - Separating Fact from Fiction

By TMCnet Special Guest Greg Cannon | November 05, 2013

After just two days on the market, the new iPhone 5s fingerprint reader was spoofed, making for some spirited debate. After reading these stories, some have jumped to the conclusion that biometrics are an immature technology not ready for broad consumer use. As biometric identification technologies continue to become more and more a part of our everyday lives, it is essential to separate fact from fiction using science, not sensationalism, as our guide.

Apple’s initial premise for introducing the TouchID fingerprint sensor in the new iPhone 5s was, at its core, as a convenience feature. More than 50 percent of current iPhone users cannot be bothered to protect their phones with a simple four-digit pin code; a simple biometric scan offers an effortless alternative. But most users don’t make the distinction between the convenience of a biometric and the level of security it provides in certain applications.

There is a tradeoff between security and convenience. On one hand, we could simply have no security, with the benefit that our iPhone is instantly and effortlessly ready to use. That might be acceptable if the phone isn’t used to store sensitive data or enable purchases or other financial transactions. At the other end of the spectrum, we might want to strongly protect our iPhone, requiring us to enter lengthy pin codes, passwords, or even custom gestures. What Apple has done is to introduce a new operating point on this continuum. A biometric is obviously more secure than a simple slider, and the marriage of a biometric with a pin code delivers all three of the key elements of identity authentication – something you are, something you have, and something you know – providing an exceptional level of security.

We should also remember that spoofing a biometric may be more difficult for an attacker than using surveillance techniques to acquire a user’s pin code. Additionally, Apple’s implementation of the technology requires multiple levels of security, such that a user must at times provide both the biometric and the pin code. Again, it is not about a failsafe lock, but rather about managing expectations of the technology’s intended use, and establishing an effective operating point that combines a mix of convenience and security that users are comfortable adopting.

It is important to note that biometrics speak to our identity – who we are – and as such are not necessarily secret. The image of your face is not a private matter. You leave your fingerprints on most of the surfaces you touch. While they are not private, they are associated with you. This leads to several use cases for which biometrics are ideally suited.

When faced with the challenge of identifying someone without a credential, a biometric is the best known technology. This capability has been effectively used to enroll individuals for trusted credential programs, perform background checks, authenticate transactions, combat identity fraud, and safeguard against multiple enrollments for the same individual. For identity verification on an iPhone, we can understand that while we might be able to envision a process by which we can manufacture fake fingerprints, a fingerprint check is obviously more secure than a simple slider or unlock gesture. Furthermore, the costs to fake a fingerprint are not trivial. A fake fingerprint is expensive to obtain and manufacture, and tricky to apply – making it ineffective in an attended biometric capture scenario, and highly challenging even in an unmonitored scenario.

The important thing to understand about this technology, in this application, is consumer value. Apple has correctly deemed that not having to enter a four-digit pin code to access the iPhone 5 is valuable to a consumer and that this feature makes the device more, not less, secure. The world is shifting rapidly to biometrics to facilitate the secure transactions that are pervasive in our everyday lives. Just as innovations such as Velcro and GPS migrated from military and national security realms to the consumer, so too are biometrics. Our health records, banking and access to data are becoming more and more linked to unique biological identifiers rather than biographical identifiers that can easily be stolen or faked. Much like the iPhone itself, these technologies, driven by consumer demand and expectations, will become invaluable tools to safeguard our privacy while adding value and convenience to our daily lives.

Greg Cannon is senior vice president of standards and architecture for Cross Match Technologies Inc.

Edited by Stefania Viscusi