Thoughts on Touch ID

Jason Meller
Oct 30, 2016

On October 26th, Apple revealed its new line of MacBook Pros in a keynote from their Cupertino headquarters. Of the many controversial features announced, the Touch Bar, a multi-touch screen that replaces the first row of the keyboard (reserved for function keys since the mid 1960s), has drawn significant attention and criticism.

Apple also announced that this Touch Bar includes a Touch ID sensor and several hardware elements (including a secure enclave and an ARM-based chip called the T1) that enable this sensor to function securely.

Confirming a payment with the recently announced Touch ID on a MacBook Pro. Like the iPhone, you can use Touch ID to log in to your Mac. Image courtesy of Apple, Inc.

As someone who thinks about authentication and security UX a lot, this is one of the most exciting developments from the announcement. I shared my excitement with the following tweet:

I tweeted my support for the Touch ID a few days after Apple’s announcement.

I followed up with this tweet:

What I thought was an uncontroversial position on Touch ID.

After these tweets, a few colleagues reached out to me discussing their concerns around Touch ID. Here are the arguments I’ve encountered so far:

  • Touch ID is bad because law enforcement can forcefully compel users of devices secured with Touch ID to unlock them with their fingerprint, enabling self-incrimination, unlike devices secured with passwords.
  • Touch ID is bad because it is possible for bad actors to easily capture your fingerprints from various sources (photos, doorknobs, drinking glasses, etc).
  • Touch ID is bad because using biometric factors will increase the value of irreplaceable body parts, so criminals will cut off your fingers (or worse, steal your whole hand) so they can unlock your phone.
  • Touch ID is bad because someone can take your hand when you are sleeping (or unconscious) and unlock your phone.
  • Touch ID violates the rights and the privacy of the recently deceased. For example, you can take the hand of a corpse and use it to unlock a device against that dead person’s wishes.

I don’t have a perfect rebuttal for all of these arguments, but I wanted to jot down a few thoughts on Apple’s inclusion of Touch ID on the new MacBook Pro. I also want to discuss Touch ID itself and its tradeoffs, and analyze the real and quantifiable impact it has made on the iPhone security ecosystem.

What is Touch ID?

Let me be clear: this post is about the merits of Touch ID as currently implemented by Apple. I have no intention of defending all biometric authentication schemes. Most biometric authentication schemes are implemented poorly and are simply not defensible. As with everything in security, the devil is in the details, and Touch ID gets many of these details right.

When I talk to others about the benefits of Touch ID, I often encounter individuals (many of whom use the feature regularly) who aren’t aware of important details of how Touch ID works, or even the underlying problems Apple intended to solve with its inclusion.

Apple has a well-written and succinct description of Touch ID in its iOS Security Guide (which I highly recommend reading). Relevant excerpts are included below (emphasis mine):

Touch ID is the fingerprint sensing system that makes secure access to the device faster.

…Touch ID makes using a longer, more complex passcode far more practical because users won’t have to enter it as frequently. Touch ID also overcomes the inconvenience of a passcode-based lock, not by replacing it but by securely providing access to the device within thoughtful boundaries and time constraints.

These “thoughtful boundaries and time constraints” are later enumerated by Apple, as follows:

The passcode can always be used instead of Touch ID, and it’s still required under the following circumstances:

* The device has just been turned on or restarted.

* The device has not been unlocked for more than 48 hours.

* The passcode has not been used to unlock the device in the last six days and Touch ID has not unlocked the device in the last eight hours.

* The device has received a remote lock command.

* After five unsuccessful attempts to match a fingerprint.

* When setting up or enrolling new fingers with Touch ID.

While this seems like minutiae or pedantry to some, these implementation details mitigate many of the classic risks associated with the use of biometric factors for authentication.

The Impact of Touch ID on Device Security & Law Enforcement
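The conditions quoted above can be read as a policy check that runs before a fingerprint is accepted. The following is an added example, not Apple's implementation and not part of the original post: the `DeviceState` fields and the seized-phone scenario are constructed for illustration, and only the thresholds come from the quoted list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class DeviceState:
    """Constructed model of the state the quoted rules depend on (field names are assumptions)."""
    passcode_entered_since_boot: bool
    last_unlock: datetime                      # unlock by any method
    last_passcode_unlock: datetime
    last_touch_id_unlock: Optional[datetime]   # None if Touch ID was never used
    remote_lock_received: bool = False
    failed_fingerprint_attempts: int = 0
    enrolling_finger: bool = False

def passcode_required_reasons(s: DeviceState, now: datetime) -> List[str]:
    """Return every quoted condition that currently forces the passcode."""
    reasons = []
    if not s.passcode_entered_since_boot:
        reasons.append("just turned on or restarted")
    if now - s.last_unlock > timedelta(hours=48):
        reasons.append("not unlocked for more than 48 hours")
    touch_stale = (s.last_touch_id_unlock is None
                   or now - s.last_touch_id_unlock > timedelta(hours=8))
    if now - s.last_passcode_unlock > timedelta(days=6) and touch_stale:
        reasons.append("no passcode in six days and no Touch ID in eight hours")
    if s.remote_lock_received:
        reasons.append("remote lock command received")
    if s.failed_fingerprint_attempts >= 5:
        reasons.append("five unsuccessful fingerprint attempts")
    if s.enrolling_finger:
        reasons.append("enrolling a new finger")
    return reasons

def touch_id_allowed(s: DeviceState, now: datetime) -> bool:
    """A fingerprint alone unlocks the device only when no rule applies."""
    return not passcode_required_reasons(s, now)

def seized_phone(hours_in_custody: int, powered_off: bool = False) -> List[str]:
    """Constructed scenario: owner unlocked by fingerprint just before seizure."""
    seized = datetime(2016, 10, 30, 9, 0)   # constructed timestamp
    state = DeviceState(
        passcode_entered_since_boot=not powered_off,
        last_unlock=seized,
        last_passcode_unlock=seized - timedelta(days=2),
        last_touch_id_unlock=seized,
    )
    return passcode_required_reasons(state, seized + timedelta(hours=hours_in_custody))

if __name__ == "__main__":
    for hours, off in [(1, False), (1, True), (49, False)]:
        print(hours, off, seized_phone(hours, off) or "Touch ID still accepted")
```

Any single matching rule is enough to require the passcode, so the window in which a fingerprint alone unlocks the device closes on its own as time passes.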

In early spring of 2016, the FBI, as part of their investigation into the high-profile San Bernardino, Calif. terrorism case, attempted to compel Apple to subvert the security of an iPhone 5c belonging to the primary suspect, so they could examine the data inside.

Dan Guido, the CEO of cyber security firm Trail of Bits, has a great writeup on this specific case. He ultimately concludes that Apple has the capability to comply with the FBI and subvert the security of any iPhone 5c, and potentially has the capability of disabling the security of more recent devices which feature a hardware secure enclave through the use of firmware updates.

Instead of complying, Apple resisted, and ultimately issued a press briefing giving rare insight into details in iOS’ security architecture, including adoption rates of some of its security features.

There were several facts revealed at this briefing relevant to this discussion:

  • The average iPhone user unlocks their phone around 80 times a day.
  • Prior to the introduction of Touch ID, around half of iPhone users did not use a passcode to secure their device.
  • As of April, 2016 nearly 90% of users now use a secure passcode thanks to Touch ID.

So put another way, because Apple sufficiently improved the user experience and overall convenience of using an iPhone with a passcode through Touch ID, they could require the use of passcodes on their device.

The simple truth is that before Touch ID, law enforcement had unfettered access to around half of iPhones they encountered. The argument that law enforcement is now in a better position to access phones because of Touch ID is absolutely ridiculous.

It becomes even more absurd when you look through the aforementioned “thoughtful boundaries and time constraints” Apple employs around allowing Touch ID as the sole authentication method. Simply turning off your phone or waiting 48 hours permanently prevents law enforcement from using any of the Touch ID features and their associated legal loopholes to access the device.

As an example, in October 2014, The Virginian-Pilot reported on a Circuit Judge ruling that states police officers cannot force criminal suspects to divulge cellphone passwords, but they can force them to unlock the phone with a fingerprint scanner.

While I don’t agree with this ruling and other subsequent court rulings over the last 2 years that further affirm it, let’s assess the real impact of this decision. To do so, we have to look no further than the end of the article:

Neither [The Prosecutors or a spokeswoman for the Commonwealth’s Attorney’s Office] said they knew whether Baust’s phone can be opened with just a fingerprint. Pridgen said prosecutors are having a detective look into it, and Broccoletti said Baust’s phone could be encrypted twice — with both a fingerprint and a pass code. If so, it would remain locked under Frucci’s ruling.

Since we know how Touch ID works, we can say definitively that Baust has a passcode, and since more than 48 hours have likely passed since the phone was confiscated (assuming Baust didn’t simply turn it off), detectives have no method to obtain access to Baust’s phone.

Ultimately, I hope for a future where compelling people to unlock devices is ruled unconstitutional. Until then, the real impact of these loopholes on Touch ID is very low and ultimately Touch ID makes it harder for law enforcement to peer into the private lives of citizens.

Binders Full Of Fingerprints

Let’s visit the argument around the ease with which an actor can obtain your fingerprint and subvert authentication schemes that use this method.

Marc Rogers, a security researcher, has several great write-ups on capturing and fabricating copies of fingerprints that can fool Touch ID. His most recent write-up, where he successfully compromises an iPhone 6, concludes with the following:

Just like its predecessor — the iPhone 5s — the iPhone 6’s TouchID sensor can be hacked. However, the sky isn’t falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual. I’ll reiterate my analogy from my last blog on TouchID: We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats.

I love this analogy. Many critics of Touch ID believe that simply proving that it can be hacked means that its inclusion reduces the security of the device. In reality, the cost, risk, and sophistication required to steal a fingerprint usually exceeds the cost required to obtain a passcode.

If I am an attacker who understands iPhone security, I know obtaining a correct iPhone passcode provides me with permanent and guaranteed access to the iPhone. Alternatively, there is zero guarantee that a fingerprint will result in any access due to the “thoughtful boundaries and time constraints” Apple considers when allowing Touch ID to be the sole factor needed to unlock the device.

If I am a thief stealing your phone, I have to get your passcode; your fingerprint is irrelevant. Touch ID doesn’t even factor in.

The specific implementation of Touch ID devalues fingerprints. While it may be possible to obtain fingerprints from high-resolution photos, their value in terms of accessing devices secured with Touch ID is low.

Why Bring Touch ID to Macs?

Apple has yet to ship any of the MacBooks containing the Touch ID sensor, so while we don’t know all of the details of the implementation, we can make some educated guesses and logical conclusions on why bringing Touch ID to the Mac ecosystem is a good idea.

Because of the convenience of using Touch ID, I believe MacBook Pro users are more likely to…

  • Require a password or a fingerprint when the screen locks
  • Set a more complex password (since they won’t suffer as much inconvenience from having to type it in every time)
  • Use two-factor or three-factor authentication schemes in Apple and third-party apps (assuming Apple makes this available to app developers and even websites through a secure API)

Just like with the iPhone, because Touch ID lowers the level of frustration for an end-user, Apple can start requiring passwords in situations where most users would be severely frustrated before Touch ID existed. For example, with Touch ID Apple could enforce password protection upon sleep (or when users press cmd + ctrl + eject/power) instead of it being opt-in.

Conclusions

Like passwords and tokens, Touch ID isn’t perfect, but if you look at the facts coupled with other security features Apple has introduced, it has objectively made iOS devices more likely to withstand scrutiny from law enforcement and made them less valuable to thieves.

All of these benefits come with minimal drawbacks to the security and privacy of an individual user and their fingerprints.

It’s a no-brainer to bring this authentication scheme to Macs and macOS. As a person who builds software and cares about security, I am excited by the positive impact this feature will bring to my world.


Jason Meller

Founder & CEO of Kolide. Business-focused security entrepreneur w/ passion for building apps that empower incident responders. Former Chief Strategist @Fireeye