Touch ID and the Threat of Fingerprint Cloning

Since Apple first introduced Touch ID for fingerprint scanning and biometrics, and now that it has introduced iOS8 with an API that allows developers to integrate fingerprint biometrics with mobile apps, there have been many discussions about the security of Touch ID and whether it can be exploited.

Without a doubt, there will be criminals who attempt to exploit Touch ID in the interest of compromising iOS devices and stealing sensitive user data. However, in order to compromise Touch ID, a criminal would need access to a user’s iOS device and also to the user’s unique fingerprint in order to successfully scan it.

Unfortunately, techniques for successfully cloning fingerprints and bypassing biometric security have already been in place for many years. Chaos Computer Club, an open information advocacy group, highlighted this when it posted simple instructions for copying and faking fingerprints in 2004, nearly a full decade before Touch ID was first introduced.

Why Touch ID Can Still Boost Security Despite Fingerprint Risks

Nonetheless, Touch ID is still a potentially revolutionary tool to help boost data security and prevent cybercrime. In fact, for iOS users, it may dramatically increase the level of security and discourage device theft.

As security blogger Bruce Schneier has pointed out, “Apple is trying to balance security with convenience,” and it is “offering an option to replace a four-digit PIN – something that a lot of iPhone users don’t even bother with – with a fingerprint.”

Indeed, at an Apple press event in 2013, marketing chief Phil Schiller reported that about half of smartphone users do not use a passcode to secure their devices. Thus, Touch ID was conceived as a means to encourage greater security by offering a convenient, biometric method that consumers might be more inclined to use.

This also led to speculation about the potential for Touch ID to be integrated for logins and identify verification for online banking, online payments, and enterprise security, and that speculation has become reality with the introduction of the Touch ID API.

Apple already offers Touch ID as an added layer of security for Apple AppStore purchases, and the new Touch ID API now allows developers to start integrating the same security for their own apps and website logins.

How Current Touch ID Integrations Continue to Create Vulnerabilities

While Touch ID is more convenient than passcodes for consumers and it potentially has many great applications for data security, using it to protect user logins is not truly safe and effective if it is combined with traditional ID and password credentials.

We can consider Apple’s AppStore app as an example. When a user logs in, despite Touch ID verification, the user’s ID and password are still transmitted via the Internet between the iOS device and the server. The same sensitive information is also stored on the server in order to verify the password-based login.

Unfortunately, this means that Touch ID logins, including those used by Apple, are potentially unsafe and highly vulnerable. Cybercriminals can intercept or steal the required user credentials in transit via keyloggers, man-in-the-middle attacks, or any number of other malware threats.

The use of traditional password-based logins also provides ample opportunities for phishing schemes to target unsuspecting users and steal their credentials through fake emails and websites. And, ultimately, all of these attacks are aimed at using stolen credentials to compromise servers and steal entire databases of user data.

Thus, even if a service gains additional protection from Touch ID, if it still uses traditional user credentials, those credentials can be stolen and used to access other services wherever Touch ID is not integrated. And, if a user’s fingerprint can be successfully copied and cloned, then Touch ID may not offer any added protection at all for the original service.

How Touch ID Can Be Integrated to Eliminate Vulnerabilities and Ensure True Login Security

Thankfully, there is a way to integrate the Touch ID API for login security that avoids these vulnerabilities and makes it physically impossible for criminals to steal user credentials.

First, using public key infrastructure (PKI) and two-factor authentication with Touch ID, developers can eliminate passwords and other sensitive credentials from the login process.

With this approach, a user login can be provided through a mobile app or website, but only a non-confidential user ID is used to initiate the login. No password is entered, and no sensitive credentials are transmitted during the login or stored on a server.

Instead, a pair of asymmetric encrypted keys is used in place of credentials. A public key is encrypted and stored on the authentication server, and a private key is encrypted and stored on the user’s mobile device for authentication.

When the user initiates the login, the authentication server sends a challenge to the user through a mobile app. This challenge must be digitally signed by the private key in order to authenticate. To authenticate, the user can use Touch ID to verify identity and rightful ownership of the private key on the device.

Secondly, for added protection, the Touch ID fingerprint can optionally be combined with an additional 4-digit PIN or passcode to verify access to the private key, meaning that criminals cannot authenticate without knowing the PIN or passcode, even if they can manage to clone or copy a user’s fingerprint and steal the user’s mobile device.

So, for the sake of convenience, Apple and other developers may be willing to use Touch ID as the only additional layer of security for logins and device access, but developers who want to achieve true security can enable this additional protection to ensure that attackers are never able to compromise user accounts.

With PKI authentication, Touch ID is used only to verify identity and access to the private key. It does not directly provide authentication. And no sensitive credentials are transmitted or stored, meaning that there is no sensitive information for attackers to target, and there is physically nothing for attackers to steal in transit or from a server.

Using this innovative approach, a developer can rightfully claim that Touch ID is truly safe.