Fingerprints and hammers

With the recent announcement of Apple's iPhone 5s, I have been doing some thinking about security.

To begin, I don’t believe at this point there is a single technology that will give us perfect security. Everything has its pros and cons. We have cryptography, passphrases, biometrics and challenge/answer models at our disposal to keep all sorts of things secure.

Until recently, we have mostly relied on passphrases and encryption to keep our digital selves safe, with only a few cases including biometrics and challenge/answer systems to replace or augment the passcode concept.

Biometrics, as in fingerprint scanning, do help to a point, and this is where I will start “thinking out loud”.

I have no problem with the technologies we have available. It is rarely the tool itself that is weak. It is the way that it is used that exposes weaknesses in any application.

Think of a hammer. It is great for driving in nails when used correctly, but if you hold it backwards, driving a nail home becomes hard and it introduces a way for bad things to happen. Security is no different.

Apple has said the right things when describing the technology and the implementation of fingerprint scanning. It is not uploaded anywhere and is fenced off from all parts of the phone apart from the iOS 7 software. No third party apps are given access and the fingerprint is not uploaded or made accessible to anyone. A big tick there, but there is a gotcha.

Apple is great at making things simple and easy to use. Good security is typically fiddly and slows down access when it does a good job. This is where we look at how Apple will hold the hammer. I am concerned that the fingerprint will be used as the only method of security when authenticating with the device and will replace the PIN or passcode. This is a problem because we are replacing one technology with another; we are not adding anything to the security barrier around our digital selves. Biometrics have been circumvented in the past and will continue to be.

Good security has been given to us in the form of two-factor authentication from the likes of Google, where an SMS is sent to a nominated device after entering a password to gain access to a service. This puts up a second barrier of access, making unauthorised access much harder. This is the current idea of what makes better security. Simply replacing the password with the SMS will not work. This is where I make my suggestions for better phone security using the 5s.

I would like to see the option to have both fingerprint AND passcode authentication made possible with the iPhone 5s. For some this will be a hassle, but for the security conscious (think corporate/business customers, media, security etc.), where security is the primary concern and ease of access comes in a distant second, this would be a big step in the right direction.

For the average user this will also be a good idea. We have to start accepting that, with the increasing value of our digital selves, we have to take extra precautions with our online security. Decades ago, we would not worry about locking the doors of our homes or cars, but today our homes are more like fortresses with deadbolts, security grilles, monitored alarm systems, chemical tagging, video surveillance and neighborhood watch. This proves that our attitude to security can change, that we can make at least two-factor authentication a part of our day to day lives, and that we will accept this as a part of what we need to do to make our electronic lives secure.

We do not have to make our security perfect, because that is nearly impossible. All we have to do is make our security technology and practices better than others. Apple has a real shot to truly make the most secure phone on the market simply by holding the hammer the right way.

I know people will ask me “Will you buy the iPhone 5s for the fingerprint security?” but I will have to say no at this point because I don’t know how it will be implemented. However, the slo-mo video might win me over.