UPDATED 21:11 EDT / SEPTEMBER 11 2013

Why The New iPhone 5S Fingerprint Sensor Will Never Replace Passwords

There’s a ton of buzz around the new iPhone’s Touch ID fingerprint sensor, and there’s been a whole lot of speculation that passwords are dead. I even saw a headline on Drudge that said just that. This all seems quite dandy; passwords are a problem, right? They’re hard to remember, there are all these requirements around keeping them complex, people have to reset them all the time, and what about those password reminder questions? What was my high school’s mascot again? Which email did I use when I registered? With all these real inconveniences it’s little wonder that many are looking at this technology as the next big thing, and wow, security will be so tight because no one can copy your fingerprint, right? Actually that notion is quite wrong. Let me explain.

Your fingerprint: it’s yours and no one else has the same one. Just like any biometric, such as iris scanning, vein mapping as a “human bar code,” and even your own heartbeat profile, every single person on the planet has their own. Sounds great, doesn’t it? The ultimate in security, except not really. We’ve probably all seen the improbable but not impossible action-movie situations where a villain rips a guy’s eye out, cuts off a finger, or puts on some special hi-tech gloves that reproduce the target’s fingerprints. It’s not a big secret that these systems have been defeated before with high-resolution pictures of eyes, copies of fingerprints, and so on. Maybe the new iPhone technology will detect these things better, who knows; I’ll move along before this borders on the absurd. What I’m talking about is far simpler and much more common than that.

The bottom line is that somewhere, at some point, that fingerprint, that heartbeat profile, that iris scan is translated into some form of hash file; no matter what, it becomes digital. It’s exactly the same kind of hash that hackers can use to crack systems, and they do it all the time. There are tools out there that can do this for you even if you’re barely technical. That’s the reason this technology will never replace passwords, especially in an enterprise environment. So drop that pipe dream. Passwords and password management can be a pain for users, but they are absolutely essential, and a password is something that indeed needs to change from time to time. There’s just no way around that. The basics of multi-factor authentication require that two or more of the following be used to authenticate the user:

“Something only the user knows” – this is a password
“Something the user has” – this is a token
“Something the user is” – this is inherence, or biometric

Biometrics have been around for a good long while; you can find scanners on laptops and systems that are several years old. Yes, the quality of these products was not always great, and that was partially due to the software used to implement them. Nifty, but largely unused, and there are good reasons why. Biometrics are flawed as the primary source of authentication because they are vulnerable to replay attacks, meaning an automated or reproduced digital authentication attempt can be easily executed because the biometric is always the same. To put it another way, if biometric data that is being used like this is compromised, it’s game over.

Imagine you have a corporate store of hashes like this that you can never change, because you can’t ask everyone to change their fingerprints or change their eyes, and then someone p0wns it. All bets are off. All your data is at risk, all your archived data is at risk, your network is at risk; it’s like having a set of keys that never change. The best the enterprise can hope for is that a fingerprint sensor, no matter how accurate or technologically impressive it is, can be used as a second or even third factor in multi-factor authentication.
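To make the replay and “keys that never change” points concrete, here is an added example (not code from the article or from Apple) that simulates two hypothetical authentication servers. The first trusts a stored fingerprint template hash alone: the same value is accepted every time, so a leaked copy works as well as the real finger, and there is nothing to rotate. The second models a “something the user has” factor, a device holding a secret key that answers a fresh random challenge with an HMAC; a captured answer fails against the next challenge, and the key can be replaced after a compromise. The template bytes and user names are constructed stand-ins, not real sensor data.

```python
import hashlib
import hmac
import secrets


class BiometricOnlyServer:
    """Hypothetical server that trusts a fingerprint template alone.

    It stores a SHA-256 of the enrolled template and accepts any login that
    presents the same value. Because a fingerprint never changes, the stored
    value can neither be rotated nor distinguished from a replayed copy.
    """

    def __init__(self):
        self.templates = {}  # user -> hex digest of the enrolled template

    def enroll(self, user: str, template: bytes) -> None:
        self.templates[user] = hashlib.sha256(template).hexdigest()

    def authenticate(self, user: str, presented: str) -> bool:
        stored = self.templates.get(user)
        return stored is not None and hmac.compare_digest(stored, presented)

    def rotate(self, user: str) -> bool:
        # Nothing to rotate: the user cannot be issued a new fingerprint.
        return False


class ChallengeResponseServer:
    """Hypothetical server for a 'something the user has' factor.

    Each login gets a fresh random nonce; the device answers with
    HMAC(key, nonce). A captured answer is useless later because the nonce
    is single-use, and the key can be rotated if the device is compromised.
    """

    def __init__(self):
        self.keys = {}         # user -> device secret key
        self.outstanding = {}  # user -> nonce currently awaiting a response

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(user, None)  # consumed whether or not it verifies
        key = self.keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def rotate(self, user: str, new_key: bytes) -> bool:
        self.keys[user] = new_key
        return True


def device_respond(key: bytes, nonce: bytes) -> bytes:
    """What the user's device computes when it receives a challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_demo() -> dict:
    # Constructed stand-in for a sensor template; a real one is sensor data, not text.
    template = b"constructed-fingerprint-template-for-alice"

    bio = BiometricOnlyServer()
    bio.enroll("alice", template)
    presented = hashlib.sha256(template).hexdigest()
    bio_first = bio.authenticate("alice", presented)
    # The same value presented again (say, from a leaked database) is
    # indistinguishable from the real user: the biometric-only server accepts it.
    bio_replay = bio.authenticate("alice", presented)

    cr = ChallengeResponseServer()
    device_key = secrets.token_bytes(32)
    cr.register("alice", device_key)
    response = device_respond(device_key, cr.challenge("alice"))
    cr_first = cr.verify("alice", response)
    # Replaying the earlier response against a fresh challenge fails.
    cr.challenge("alice")
    cr_replay = cr.verify("alice", response)

    return {
        "biometric_first_login": bio_first,
        "biometric_replay_accepted": bio_replay,
        "biometric_rotatable": bio.rotate("alice"),
        "token_first_login": cr_first,
        "token_replay_accepted": cr_replay,
        "token_rotatable": cr.rotate("alice", secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The contrast is the whole argument of the article in miniature: the biometric server has no freshness and no way to re-key, so a single leak is permanent, whereas the challenge-response factor survives a captured message and can be recovered from with a key rotation. That is why the sensor belongs beside a password or token rather than in place of them.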

So in that role, in multi-factor authentication, I have good feelings about fingerprint sensors and security. Anything beyond that means Apple-ites can use this in a bunch of non-corporate ways, but remember not to leave your fingerprints lying around or fall asleep with your phone nearby if you care about much on your phone. Wear gloves ALL THE TIME, except when you want to unlock your phone. Don’t forget that your fingerprints are also now being stored on your phone, which could wind up who knows where if anyone is doing some collection. (Ahem, NSA?) To the infosec community, I’m preaching to the choir here. However, if there’s any shop out there that thinks this nifty, easy-to-use technology is going to help out your security by replacing your passwords, proceed with caution. Ditch the hype and head nodding that is out there; let it be known here and now that this will never replace passwords. Ever.
