With the release of the new iPhone 5S there has been a whole lot of news about the Touch ID fingerprint reader. In particular, some security experts are warning that this may result in an increase in violent crime as thieves remove the rightful owners’ fingers, along with their phones. Other people have been questioning the potential for exploitation of “the world’s largest database of fingerprints”.
Whilst I can’t comment on the likelihood of people resorting to removing fingers, or even on whether the fingerprints ever make it off your phone, I see a different issue with this, which I can demonstrate with a simple comparison. Comparing phone security to the way we log in to a PC might not be entirely fair – but when we log into a PC we enter our user ID and our password. Our user ID identifies who we are and our password provides security. We are advised to pick passwords that are hard to crack, whilst also being advised that we shouldn’t write our password down lest it fall into the wrong hands. If our password is compromised we can change it to something different.
Let’s compare this to the fingerprint system. The most logical link between the two models would be that the fingerprint takes the place of the user ID. My fingerprint is unique to me and could be used to identify me as Simon Grey. However, in the iPhone the fingerprint unlocks the phone, taking the role of both the user ID and the password. With conventional passwords we are advised not to write our password down. How often in a day do you suppose you leave your fingerprint behind, for someone else to find? Additionally, where is one place where fingerprints seem to turn up most?
Additionally, if our fingerprint is compromised, how many times can you change it? Well, potentially ten if you switch fingers, and at best twenty if you use your toes too!
Yes, OK, I’m playing devil’s advocate a bit. A fingerprint may be harder to replicate than existing patterns or a PIN code, and most iPhones won’t contain secrets that are a matter of national security, but I think that there is an important distinction to be made between identity and security.