Sophos Cloud Optix
The internet is abuzz with whispers that Apple’s iPhone 5, rumored to be launched this week, will come with a fingerprint scanner to secure the device. If true, this could be a big step forward in Apple’s quest to make the iPhone a digital wallet.
Here’s what we know: Apple will release the iPhone 5 on Wednesday, September 12 at a company-sponsored event. Actually, we don’t know that. What we do know is that the company has sent out invitations to members of the media for an event in San Francisco dated September 12 that is widely expected to be the launch of the phone.
As for the rumors about a biometric fingerprint scanner as one of the new features of the iPhone 5 – they’re mainly informed speculation, based on an announcement in late July from security device maker AuthenTec Inc.
AuthenTec had entered into an agreement that had Apple buying it for $8.00 a share, or around $356 million in cash.
AuthenTec, you might recall, makes a wide range of security technology for mobile devices and corporate networks. (Actually, Naked Security wrote just last week about a dire security warning from the Russian firm Elcomsoft, which accused AuthenTec of storing Windows passwords insecurely in management software that is installed with the UPEK scanners. AuthenTec vigorously denied the allegation, and Elcomsoft, to date, hasn’t produced any proof to back up their claims.)
Whatever the case, stories like these are likely to get more airplay if AuthenTec becomes the official security hardware provider for Apple, following the Florida-based company’s shareholders’ vote to approve the acquisition at a meeting set for October 4.
As for the scanner itself, it would most likely be AuthenTec’s AES2750 ‘made for mobile commerce’ smart sensor. That’s a 192×8 pixel fingerprint sensor array with support for AES256, and RSA2048 encryption, SHA-2HMAC hashing and DSA160 signing, among other security features. It can do on-chip encryption of fingerprint scans and corresponding user credentials and can be mounted either on the edge of a device or on the back. It supports OAuth for authorization as well as the NFC and OTP protocols.
In terms of looks, AuthenTec has already done deals with handset maker Fujitsu, whose REGZA T-01D phone comes outfitted with AuthenTec’s AES1750 Smart Sensor fingerprint scanners.
You can’t get them outside of Japan, though, where they’re offered by NTT Docomo, but check out this (Japanese language) promotional video, which shows how the scanner looks and works on the REGZA phone. (The bit about using the SmartSensor scanner comes at the 1:27 mark)
There’s also a home-baked version of the same demo here – if you can stand the elevator music playing in the background, the demo of the finger scanner comes at around 4:25 mark.
Of course, there’s no guarantee that AuthenTec’s scanner will make it into the iPhone 5. However, Apple’s acquisition of the company almost certainly means that the biometric devices are coming to iPhones, iPads and Macbooks at some point in the near future – if not on September 12.
What does this mean for security on mobile devices? We actually have a pretty good idea based on a long running trial called “the mobile pc market.” After all, fingerprint scanners have been available for laptops for many years.
The thing is, most consumers consider them an expensive and unnecessary add-on, and rarely use them when they come as standard. In fact, their use has been limited to security-conscious corporations and governments.
Coupling a biometric scanner to a mega-popular device like the iPhone would be – hands down – the biggest and highest profile consumer biometric deployment the world has ever seen, but that doesn’t mean the technology would be widely adopted.
Without a doubt, biometric scanners with encrypted finger scan and passwords would harden the devices against tampering and make them somewhat less attractive to thieves, though it’s unclear if wiping a device would circumvent the biometric protection. If so, the sensors are good for data protection, but might do little to stem the tide of iPhone-focused crime.
My bet is that, for Apple, having a biometric scanner is much more about boosting iPhone’s capabilities as a mobile wallet than it is about device security.
Mobile payments is on its way to becoming a huge market, and a revolution in commerce. But, thus far, Apple has kept a low profile on the issue. It still hasn’t indicated whether iPhone 5 will be NFC (Near Field Communications), with some iPhone watchers suggesting it won’t.
You can’t blame the company for keeping its powder dry: the market is fragmented among competing technology platforms (Google, PayPal, Visa, MasterCard), handset makers, carriers and payments firms and retailers.
Want to guess who currently heads up the biggest retail mobile payments platform in the U.S.? Visa? MasterCard? eBay/PayPal? Square? Nope. It’s apparently Starbucks. Yes, _that_ Starbucks. You can hardly blame Apple for wanting to remain above the fray.
AuthenTec may just be a piece in a longer term plan to put its weight behind a secure and non-refutable mobile payments technology that couples biometrics with best-of-breed mobile wallet technology, whether that be Google Wallet or an alternative of its own making.
But will iPhone users actually take advantage of the tougher sign-on security? I think that, when you watch this guy fiddling with the feature on his new Fujitsu phone, you’ve really got to wonder.
Phones are bright and sexy and filled with cool features, no wonder this guy spends about three times as much effort choosing his wallpaper scheme than in vetting the fingerprint scanner that secures the device.
In short: if iPhone users need to swipe their finger to complete a purchase, they most certainly will – and they may even appreciate the extra security. But it’s doubtful that the presence – or absence – of a finger scanner will make one bit of difference in the iPhone 5’s sales figures when it comes out later this month.
fingerprint and phone images courtesy of shutterstock.
Yesterday, german based Heise Security wrote an article where AuthenTec acknowledged the problem with their UPEK Protector Suite.
I think it is fairly likely that the new iPhone will have a fingerprint reader, because including one makes good security theatre, and would help security for users who currently don't bother with lock codes at all because they are too lazy.
However, I don't think fingerprint recognition is the best way to use biometric to identify the user. I would be better to modify the camera so that it can be used for Iris recognition.
I think fingerprints are poor for security because we leave samples of our fingerprints everywhere, and it is not particularly difficult to lift and copy them. A stolen iPhone 5 will likely have the fingerprint needed to unlock it on it in several places, so I could imagine that in the future iPhone thieves will simply put it in a plastic bag and take it to a a crooked forensic specialist who will lift a print and use it to unlock the phone so that it can be fenced in the normal way.
Also fingerprints are just not that reliable. According to google, the equal error rate on fingerprint biometrics is about 9,000 to 1. (for Iris codes it is better than 1 million to 1). If apple tune the recognition algorithm to minimise the false reject rate and keep their customers happy, even when they have dirty fingers, the reject rate will be even lower so making it even easier to fool with a copy of a print.
Still, I don't expect Apple to consider rational fact based arguments when they are considering a feature that no one else has to add to their new shiny.
192 x 8 ? I assume that's a typo.
Nope – those are the dimensions of the fingerprint sensor array that Authentec claims in its literature.
What is a non-biometric fingerprint scanner?
the were problems with cars that employed fingerprint recognition. Crooks were highjacking the car and chopping off the owners finger as well.
Will this lead to a generation of fingerless Ipad users?
people, you are nuts if you use this, it's gonna send the fingerprints over the internet and you know this
Best technology invention.Thanks for sharing.
Hey, they should make fingerprint scanners mandatory in all mobile devices and have the fingerprints silently uploaded to a central database. Governments could even make money out of this by selling the info to private security firms, employers who want to certify the identity of a prospective hire, etc…
I'm not familiar with this application on iPhone 5 but I think this could be good to use for investigation and science projects but it is possible to scan the exact finger prints?
What is a non-biometric fingerprint scanner