Partner Article
Touch ID: Achilles heel for iOS 9 and iPhone 6s security
We live in a world where everyone expects instant, always-on access to information, where if you haven’t already got ‘an app for that’, you can download one within minutes. Alongside every development team are user interface and graphic designers as well as user experience experts. Product Management and Product Marketing think as much about ease-of-use as they do about features.
Convenience sells. But unfortunately, when it comes to security, convenience can also come at a price.
Consumers everywhere have now started receiving their new iPhones. Like previous models, the iPhone 6s and iPhone 6s Plus are equipped with Apple Touch ID. Unlocking your iOS device just by placing your finger on the home button is highly likely to make you smile at the sheer simplicity of the feature the first few times you do it. But using Touch ID as the only means of authenticating to sensitive apps, such as banking applications, is a perfect example of convenience taken too far.
Apple’s Touch ID fingerprint identity sensor cannot provide a high enough level of assurance that the person using the device is the same person authorised to use an application. Apple has no concept of a fingerprint belonging to an individual user: fingerprints are enrolled against the device, not against a person. Despite rumours that iOS 9 would introduce user profiles, it shipped without multi-user support.
If a device is shared, any user who knows the passcode can add a fingerprint to Touch ID. Enrolling a finger in Settings requires the passcode, so an opportunist who merely picks up an already unlocked iPhone or iPad cannot do it, but anyone who has guessed or otherwise obtained the passcode can add their own fingerprint for later use.
Any application that integrates with the Apple Touch ID API simply receives a response that an enrolled fingerprint matched. There is no information about which fingerprint it was or whom it belongs to. Unless the app itself keeps track of changes to the enrolled set, it will grant access to anyone who has saved a fingerprint on the device at any point in its life.
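To make the point concrete, here is an added example (not code from the original article or from Apple) of what an app actually gets back from the LocalAuthentication framework, and of the one check that lets it notice a newly enrolled finger: `LAContext.evaluatedPolicyDomainState`, an opaque token that changes whenever the enrolled fingerprint set changes. The `TrustedEnrollment` class, the in-memory baseline store and the `BiometricOutcome` type are assumptions of this example; a real app would persist the baseline in the Keychain.

```swift
import Foundation
import LocalAuthentication

/// What the app should do after asking Touch ID to confirm a login.
enum BiometricOutcome {
    case accepted                 // a finger matched and the enrolled set is the one we last trusted
    case enrollmentChanged        // a finger was added or removed since then: demand the real password
    case unavailable(String)      // no sensor, nothing enrolled, no passcode set, ...
    case rejected(String)         // user cancelled, chose the fallback, hit lockout, ...
}

/// Baseline captured at the last password-backed login.
/// Assumption for this example: held in memory. A real app keeps it in the Keychain.
final class TrustedEnrollment {
    private(set) var baseline: Data?

    /// Call only after the user has proven identity with the real credential (password, OTP).
    func record(from context: LAContext) {
        var err: NSError?
        // canEvaluatePolicy populates evaluatedPolicyDomainState on iOS 9 and later.
        if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &err) {
            baseline = context.evaluatedPolicyDomainState
        } else {
            baseline = nil
        }
    }

    /// True only if a baseline exists and the current enrolled set is byte-for-byte the trusted one.
    func matches(_ state: Data?) -> Bool {
        guard let baseline = baseline, let state = state else { return false }
        return baseline == state
    }

    func forget() { baseline = nil }
}

func authenticateWithTouchID(trusted: TrustedEnrollment,
                             reason: String,
                             completion: @escaping (BiometricOutcome) -> Void) {
    let context = LAContext()
    context.localizedFallbackTitle = "Use Password"
    var availabilityError: NSError?

    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &availabilityError) else {
        completion(.unavailable(availabilityError?.localizedDescription ?? "Touch ID unavailable"))
        return
    }

    // Compare the current enrolled set against the baseline BEFORE showing the prompt.
    // evaluatePolicy alone would still just report "an enrolled finger matched" even if
    // that finger was added yesterday by someone who knew the passcode.
    guard trusted.matches(context.evaluatedPolicyDomainState) else {
        trusted.forget()
        completion(.enrollmentChanged)
        return
    }

    // The API answers success/failure only: it never says which finger, or whose.
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { success, evalError in
        if success {
            completion(.accepted)
        } else {
            completion(.rejected(evalError?.localizedDescription ?? "authentication failed"))
        }
    }
}
```

After a successful password login the app calls `trusted.record(from: LAContext())`; on `.enrollmentChanged` it must fall back to the password screen rather than silently accepting the new finger. An equivalent, Keychain-side mitigation on iOS 9 is to protect the stored session secret with a `SecAccessControl` created with the `touchIDCurrentSet` flag, which makes the item unreadable once the enrolled set changes. Neither check identifies the person behind the finger; they only tell the app that the set of accepted fingers is no longer the one it trusted, which is why the article's conclusion below still stands.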
In the home, the worst case scenario may be that your partner or children can use the fingerprint they’ve stored to quickly and easily access your banking application, or any other application that accepts Touch ID as a replacement for much less convenient passwords. While this may be acceptable to some (don’t get me wrong, I trust my children, mostly), it is potentially a dangerous approach for any device that’s used by multiple individuals in an enterprise environment.
If a device is no longer going to be shared, changing the passcode alone is not enough to make that device your own. You need to delete all of the stored fingerprints as well, since every one of them will still unlock the device and any app that trusts Touch ID.
Maybe iOS 9.1 or 9.2 or 10.0 will be different, but until Apple adds the concept of users - and fingerprints belonging to individual users – iPhone owners should not use Touch ID as the only means of authentication for applications containing sensitive information.
- Richard Walters, General Manager and Vice President of Identity and Access Management (IAM), Intermedia -
This was posted in Bdaily's Members' News section by Richard Walters.