The marquee feature of the iPhone 5S - the one everybody is talking about - is the new Touch ID fingerprint scanner.
Following last night’s iPhone 5S announcement we’ve had some time with the iPhone 5S, and time to explore some of its features. Apple fans also have a lot of Touch ID questions, such as ‘How does Touch ID work?’ and ‘How secure is Apple’s new fingerprint scanner?’
In the wake of the recent NSA scandal these aren’t questions to be taken lightly. So we’ve put together this guide to using Touch ID on the iPhone 5S.
How does the iPhone 5S finger scanner work?
In its simplest form, you touch your finger to the Home Button and it unlocks the phone. This replaces the current security measure of using a four-digit PIN number or password to unlock the iPhone.
From our iPhone 5S hands-on testing we’ve seen that it’s easy to configure Touch ID, and you can store up to five different fingers.
Once Touch ID is configured, you unlock the iPhone 5S by placing a finger on the Home Button. After a few seconds the iPhone 5S will unlock. Ashleigh Allsopp, Macworld’s hands-on tester, said “it made us feel a bit like we were in the future”.
If Touch ID does not recognise your finger it’ll give up after a couple of tries and flip over to reveal the passcode. You can use this to unlock the phone instead.
How does Touch ID work?
Touch ID takes a high resolution (550PPI) picture of the sub-epidermal layers of your skin (your fingerprints) and then compares it to the fingerprint it has on file for you. In essence Apple has turned the Home Button into a very high resolution camera.
You use the sensor to unlock your iPhone, and you can also use it to authorise purchases from iTunes Store, the App Store and the Apple BookStore. Rather than enter your four-digit PIN code, you simply touch your finger to the Home Button instead.
The Touch ID sensor consists of a sapphire crystal lens. Apple described this as “one of the clearest and hardest materials available.” This acts as the lens and home button. This is surrounded by a steel ring that detects your finger, and these are above the sensor itself.
What doesn’t Touch ID do?
One major thing that Touch ID doesn’t currently do is unlock anything else on your iPhone. It can’t access iCloud Keychain, which is a key new feature in iOS 7. This seems like rather a big oversight on Apple’s part, although the restraint could be a security measure to see how Touch ID works in the live world.
It can’t be used by third-party apps either, so no other app you have on your phone will be able to access the Touch ID sensor. This strikes us as an eminently sensible move, given that many people would be concerned about apps that scan their fingerprints.
AllThingsD has confirmed with Apple that iOS developers will not be given access to fingerprints or the sensor technology. It’s unclear if that will always be the case, but it’s worth noting that Apple could quite easily never allow any further access to the Touch ID sensor. It’s probably gauging the public reaction.
What devices have Touch ID?
For now the only device that has Touch ID is the iPhone 5S; it hasn’t been announced for the iPhone 5C or any other Apple device. It seems likely that Apple will roll the technology out to other Apple products eventually, especially the iPod touch (which shares its feature set with the iPhone). It may also come to the iPad, although it’ll be interesting to see how Touch ID handles the different orientations that the iPad can be held in when unlocking compared to the iPhone. Whether it eventually makes it to the Mac is another thing; maybe Apple will see how it goes on the iPhone.
Why is Touch ID such a big deal?
It’s an interesting move from Apple, especially in light of the current security concerns following the NSA scandal. On a practical level, though, it’s been clear for a while that Apple needs to beef up the security of its devices. While Apple can’t be held responsible for thefts, there’s little doubting that Apple devices remain quite ‘nick-able’, and Apple has been asked by numerous sources (including ourselves) to make life harder for iPhone thieves.
iOS 7 seems more determined than ever to up the number of people using Passcodes (currently estimated to be about half of all iPhone users) and prevents thieves from wiping the device if they do not have access to your Apple ID.
At the same time Apple has to make sure that it doesn’t lessen the iPhone experience by constantly nagging people to enter four-digit PIN codes, especially if people didn’t really want to do this in the first place. The Touch ID sensor is a great solution: Apple gets more security on its device and requires nothing more from Apple customers than a touch of the finger.
How private is my fingerprint?
Your fingerprint is stored locally on the device, and should - theoretically - never leave it. Apple has explicitly stated that: "All fingerprint information is encrypted and stored securely inside the Secure Enclave inside the A7 chip on the iPhone 5S: it's never stored on Apple's servers or backed up to iCloud."
So there’s certainly no intention on Apple’s part to create a fingerprint database. Furthermore, because third-party apps cannot access the Touch ID scanner, they couldn’t start creating a fingerprint database either. And, because iOS sandboxes apps, they shouldn’t be able to figure out any way to access the Touch ID scanner.
Having said all that, when it comes to the NSA you’d have to be pretty confident to bet against them figuring out a way.
“The NSA unveils its brand new fingerprint database” said @zerohedge on Twitter. And “Give your fingerprints to a company that still refuses to describe, on the record, how they provide iOS unlocking assistance to the US gov.” said @csoghoian.
This may seem a little hysterical, but as the NY Times put it, the NSA “has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world,” according to documents from the Snowden archive. Will people really believe that the NSA is incapable of accessing the Touch ID scanner?
Don’t jailbreak if security is important to you
It’s worth noting that the sandboxing of apps from iPhone hardware is circumvented by jailbreaking. If you jailbreak your device you make it much easier for apps to access hardware such as the Touch ID sensor.
Can it be hacked?
Security concerns like the NSA are real, but how big are the security benefits of Touch ID? It’s worth noting that fingerprint hacking techniques have been around for at least 10 years. At a low level it’s possible to recreate a finger using a blob of glue to make a mold, and jelly to create a finger-like blob. We expect MI5 to have something a little more sophisticated, but it’s going to be hard for your average criminal to get hold of your fingerprint and turn it into something useful. It’d certainly deter the average computer hacker sitting behind a terminal.
Having said that, if somebody has access to your iPhone, and the right software (Elcomsoft iOS Forensic Toolkit review), they’ll get into it: Touch ID or no Touch ID. It still uses the passcode backup system, so a brute-force guessing attack will still work. And you can always use specialist software to extract data from the iPhone.
But the average user isn't really concerned about MI5-level spooks wanting to hack into their iPhone; they are concerned with how to prevent unauthorised access by other people they know, and with having a level of security in case the phone is stolen. On all these fronts Touch ID offers much more security than the Passcode, and makes it much easier to secure and use your phone. In the long term we think it's a great feature for Apple devices.