Touch ID Security

So, I am seeing a whole lot being published on Touch ID today, especially since the Chaos Computer Club claims to have fooled Touch ID with a false finger created from a 2D smudge on glass. I fully believe that Touch ID increases security for the average consumer and thwarts the average thief. But what about the enterprise user? You have to convince corporations to allow access without password entry. I've had some thoughts on this that I wanted to share here and get feedback on.

First off, CCC's claims obviously need to be verified. If they are true, then we need to accept that capacitive fingerprint sensors, which measure differences in electrical potential between layers of skin and the hills and valleys of your fingerprints, apparently can be fooled by a 3D approximation of your fingerprint created from a 2D smudge on a piece of glass. Maybe the sensors are simply not sensitive enough to detect the differences, or setting the sensitivity that high causes too many false negatives. This means the accuracy of measuring the depth of each fingerprint ridge is not enough to tell the difference between the actual finger and the fake (assuming the fake was created from a 2D print lifted from glass).

If this is the case, then how do you make Touch ID more secure through software? We know that Touch ID forces password entry in the event of 3 things:

1) iPhone has not been unlocked in 48 hours

2) iPhone has been rebooted

3) iPhone has had 5 failed attempts to unlock without success via Touch ID


Producing the replica fingerprint would either have to be something a thief would do before targeting you to steal your iPhone or it would have to be something that took less than 48 hours. It would seem to me that step 1 to make Touch ID more secure is to let the user select the timeout period for Touch ID. For me, a 12-hour timeout would be more than adequate. But if I could choose this timeout, it would limit the amount of time a thief would have.

You can also imagine that a thief is going to first try your home button to even see if you have locked your iPhone. Touch ID could detect a bad fingerprint with that and immediately reduce the timeout to 30 minutes or 1 hour if a good fingerprint or password is not provided. Essentially, one failed attempt reduces the timeout significantly. An actual user would likely simply try again in a matter of seconds, but a thief would then have to try to lift your fingerprint to get in.

Find my iPhone

Under iOS 7, Find my iPhone can remotely wipe an iPhone so long as it can be reached over its radios. Obviously, allowing Control Center on the lock screen would allow a thief to put the phone into Airplane Mode and/or disable WiFi, so disabling Control Center on the lock screen is wise. Most thieves, however, simply shut the power off on the device. With Touch ID, shutting off the power and rebooting forces Touch ID to require a password entry. The CCC video clearly shows the device being properly unlocked moments before the fake fingerprint was allegedly used to unlock the iPhone. So how does a thief circumvent that? The thief would not only have to shield the device from radio signals after stealing it, but also have to shield the device from radio signals while lifting the fingerprint from it. If the device can be reached via the Find my iPhone service, then a remote wipe can be initiated or the phone can be placed into lost mode.

What can Apple do here to improve security further? I would say to add a second Touch ID timeout. If the iPhone goes out of contact with Apple's Find my iPhone servers for more than 3 or 4 hours then simply require password entry for Touch ID. This would really limit the amount of time that a thief would have to produce a working 3D replica of your fingerprint.
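The three existing triggers and the shorter timeouts proposed above, modeled as an added example (not Apple's implementation and not code from the original post). The class and function names are hypothetical, the 12-hour, 1-hour and 4-hour values are the ones suggested in the text, and counting the reduced window from the first bad match is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600  # seconds

@dataclass
class Policy:
    idle_timeout: int = 48 * HOUR          # current rule listed in the post
    max_failures: int = 5                  # current rule listed in the post
    reduced_timeout: Optional[int] = None  # proposed: window left after one bad match
    offline_timeout: Optional[int] = None  # proposed: max time without server contact

@dataclass
class Device:
    last_unlock: float = 0.0
    last_contact: float = 0.0              # last contact with Find my iPhone
    rebooted: bool = False
    failures: int = 0
    first_failure: Optional[float] = None

def record_failure(dev: Device, now: float) -> None:
    dev.failures += 1
    if dev.first_failure is None:
        dev.first_failure = now

def passcode_reason(p: Policy, dev: Device, now: float) -> Optional[str]:
    """Return why the passcode is required, or None if a fingerprint still suffices."""
    if dev.rebooted:
        return "reboot"
    if dev.failures >= p.max_failures:
        return "failed attempts"
    if now - dev.last_unlock > p.idle_timeout:
        return "idle timeout"
    # Assumption: the reduced window is counted from the first bad match.
    if p.reduced_timeout is not None and dev.first_failure is not None:
        if now - dev.first_failure > p.reduced_timeout:
            return "reduced timeout"
    if p.offline_timeout is not None and now - dev.last_contact > p.offline_timeout:
        return "offline timeout"
    return None

CURRENT = Policy()
PROPOSED = Policy(idle_timeout=12 * HOUR, reduced_timeout=1 * HOUR,
                  offline_timeout=4 * HOUR)

def stolen_phone(probe_at: Optional[float] = None) -> Device:
    """Constructed scenario: unlocked and online at t=0, then stolen and shielded."""
    dev = Device()
    if probe_at is not None:
        record_failure(dev, probe_at)  # one bad match when the home button is tried
    return dev
```

Calling `passcode_reason(CURRENT, stolen_phone(probe_at=300), 6 * HOUR)` returns `None`, while the same call with `PROPOSED` returns `"reduced timeout"`: a replica that takes six hours to make still works under the current rules but not under the proposed ones.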

Two-Factor Authentication

Some have said that Touch ID should be a second factor for authentication rather than a primary factor. I agree that this option should be possible, but using a password seriously impinges on convenience. Factors used for authentication are typically: (1) Something you know, (2) Something you are, or (3) Something you have. A passcode or password is something you know, a fingerprint is something you are, but what about something you have? Apple is reportedly working on an iWatch. What if Touch ID only functioned without a password if the iPhone was in Bluetooth radio range of your iWatch? Then if a thief managed to steal your iPhone but failed to get your iWatch, that thief would be unable to unlock the iPhone with a false fingerprint and would be required to enter a password. Secondly, what if an iWatch would warn you if the iPhone went out of range by using the new iBeacon API? What if that warning gave you the option of immediately attempting to erase the iPhone via Find my iPhone?

What other ideas do you folks have about making Touch ID enterprise-class security while maintaining the convenience?


User Zunjine made a comment below that I think needs to be promoted. He liked the ideas I had about decreasing the timeout, but suggested that instead of requiring the passcode in the event of Airplane mode toggling, being out of range of Find my iPhone for a long time, or having a failed authentication attempt, the iPhone should instead require a second fingerprint to be provided. That way the attacker would have to be able to lift two distinct prints. You could make your thumb and index fingers your primary fingers, but then have your pinky finger trained as well, since your pinky finger is likely never to leave a decent print on your iPhone. Then configure the iPhone to request the "verification" fingerprint in the event of suspected theft being detected. So it would specifically ask for the pinky finger in that case.