Apple’s latest iteration of the iPhone (the iPhone 5S) went on sale last Friday. The phone contains a new feature called Touch ID, which allows iPhone owners to unlock and purchase content from Apple’s online store using a fingerprint reader housed in the iPhone’s home button. As expected, Apple’s use of biometric authentication has raised a number of security and privacy concerns among the public. For example, Senator Al Franken sent a letter to Apple stating that “important questions remain about how this technology works, Apple’s future plans for this technology, and the legal protections that Apple will afford it.” Senator Franken observed:
Passwords are (at least theoretically) secret and dynamic; fingerprints are public and permanent. If you don’t tell anyone your password, no one will know what it is and it should be difficult to guess. If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints. You have only ten of them. And you leave them on everything you touch; they are definitely not secret.
Apple has taken considerable technological measures to ensure that its users’ biometric information is secure. Fingerprint data is encrypted and stored in a segregated section of the iPhone’s processor, called a Secure Enclave. When a user presses his/her finger to the sensor, the Secure Enclave authenticates the fingerprint and passes along a simple “yes” or “no” to the rest of the processor. In this way, neither the operating system nor any of the applications have access to fingerprint data. This is not to say, however, that Touch ID is immune to security breaches. A group in Germany already has demonstrated how to bypass Touch ID using an image of the user’s fingerprint, a high resolution laser printer, and a circuit board etching kit. While the group describes the process as “straightforward and trivial,” others note that “[t]his is something that requires a considerable amount of time, effort, skill and equipment.”