I've often wondered why Apple won't allow you to enter a 4 digit PIN with your touch ID. I would think that two-factor is better than just a thumbprint.
While two factor auth is probably overkill for just unlocking a device to many people, I would like to at least have the option.
One of my concerns is that if your device is ever taken by an organization that has the ability to command your fingerprints then they can quite easily unlock your device negating any encryption.
Also while I think its unlikely right now for criminals to make fake fingerprints in order to steal financial transactions, its a flaw and ApplePay is going to financially motivate those criminals to look into ways to refine the process and make it easier to do.
I would surmise that this is because Apple relies upon the PIN as a failsafe in the event that the Touch ID sensor can't / won't read your fingerprint. Let's say you only have your right thumbprint scanned and you injure it to the extent that it's no longer recognizable to the Touch ID sensor—what then?
Two-factor authentication would need to rely upon a much more reliable criteria than Touch ID.
You could always set up one pin/passcode for two factor auth and then use a separate passphrase as a fallback to unlock the device. It woould be much better security that way.
Also while we are on the subject using a short pincode to unlock the device is asking for trouble. While the device ID is tied to the decryption and there is no way to extract it yet I have no confidence that it will remain that way forever. At which point the ability to crack a short pin off the device means the pin will get cracked in seconds.
Turn your phone off before crossing a border. Put the wrong finger on the sensor five times in quick succession when you are asked to hand over your phone and you don't get a chance to turn it off.
In both cases, the phone will require a passphrase for unlocking (if you configure one as opposed to just a simple code, of course).
Having a really long passphrase and the ability to very quickly render the fingerprint reader useless is a huge improvement in security over previous touchid-less phones.
Having to both type a code and using my fingerprint (in that case, in addition to a very long passphrase, which would be difficult to explain to users how that works) would be very annoying, at least for me.
Pin, not a passphrase. Just switching to a 4 digit pin would be heaven for me (I have an iPhone 5) - I would have zero problem entering touchID + a 4 digit pin.
Even simply disabling "simple passcode" and using an equivalently simple alphanumeric passcode makes the task a lot more difficult for the brute-force cracker.
In fact, if you look at one of the cracking tools that law enforcement is known to use [1], iOS8 looks to have made things more difficult:
"iOS 8
Currently under version 4.0 Advanced logical extraction will extract less data compare to previous iOS versions."
I've asked for this repeatedly. (if it's numeric, it doesn't really matter how long it is, IMO -- I can do an 8+-digit PIN pretty fast)
The nice thing is iOS 8 seems to encourage people to use alphanumeric passcodes by default. This is a big change. I guess they're pushing people to touchid primary, complex passphrase backup, vs. making touchid or numeric passcode the same.
A skilled person or organization yes. Obtaining the latent prints probably isn't the hard part, I imagine stealing someones trash would be enough for that.
The tricky part is making a clone accurate and detailed enough that it works in less than 6 attempts.
Because people are going to turn it on without thinking, forget their passcode, and get locked out of all their personal information without any recourse. Given Apple's size, they have to target the majority, not the tech-savvy minority. I really think it's as simple as that.
EDIT: Oops, that's not right — the PIN by itself (or in conjunction with TouchID) still has that property. I meant it the other way around: Apple probably wants to make sure that the TouchID sensor is reliable enough to never lock people out, because if even one person has that problem, they won't be able to recover their data. Right now, the PIN is a failsafe; with TouchID/PIN, if TouchID fails, there isn't one.
Then you have a recovery password based on "enter your iTunes password" or a device password. Or, worst case, erase the device and restore from iCloud backup, but iTunes password as backup seems more than adequate.
The objective should be PIN+fpr for routine use, and a longer password when that doesn't work (or on system boot). I'd be fine with PIN || fpr sometimes when it's even lower risk (e.g. when connected to your home wifi).
The details are completely the same as the last time the author hacked TouchID on the 5S [1]. From that article:
"Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original."
The most interesting thing about the new article is learning that the iPhone6 TouchID sensor is more accurate and scans a bigger part of your finger. That's good to hear.
I can only agree with the author that TouchID is mostly "good enough" security, but it'd be really great to have "enterprise-class" security by simply allowing 2-factor auth including TouchID + passcode.
I may be a bit naive but I don't see Apple being able to reconstruct your physical fingerprint from their store info in the security enclave - I see it more of a one-way function and if it never leaves the device, then it seems safe to be collected.
iOS defaults to asking for TouchID and passcode if more than 48 hours have elapsed since you last interacted with the phone, or if the phone has been power cycled.
There's a certain point at which asking for TouchID and passcode too often will encourage people to use less secure pass codes, which defeats the point of having 2-factor authentication in the first place.
At least until the myriad of iPhone data extraction tools being sold to the police finds a way to extract that, too. This one is apparently already compatible with iOS8:
And from what I've noticed Apple is pretty quite about fixing vulnerabilities that these kind of tools used (i.e. the kind of vulnerabilities that need your phone to work - which is exactly the kind of power say someone like the police has).
Completely agree and was going to make this same point. The PIN system is a lot easier to "hack" considering that all numerical layouts are the same and all PIN's are four-digits. Thus you only have to see the area in which they are touching the screen to get something close if not exactly accurate to the correct PIN.
Same goes for the Android swipe pattern system except that if you turn off the pattern display it is much more difficult to detect since length and pattern can vary. However, on two separate occasions people have noted to me that they "now know my pattern" despite my being fairly fast and subtle with how I entered it.
All things considered, I think finger prints are much more secure for most people.
It still defaulted to a simple PIN on my iOS 8 devices (including a new iPhone 6). But yes, it is of course possible to change the setting to allow a more complex password.
You've always (or at least back to the iphone 3gs) been able to choose to use a more complex PIN.
Personally I wish the pattern-based lock screen was more dynamic. Like if it rotated while you entered and had a random starting position, it'd make it much harder to read either real-time or through smudges. And it'd be more fun to boot.
> "Sadly there has been little in the way of measurable improvement in the sensor between these two devices."
Oh, gosh. That stinks.
> "Another sign that the sensor may have improved is the fact that slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just “lift your fingerprint” from the phone’s glossy surface and unlock the device."
Wait, so that isn't a measurable improvement?
iOS 8 still requires your passcode after a reboot, so you can certainly force a temporary timeout if you'd like.
I think some advanced timeout stuff could be useful, but I wish we could try and have a bit more optimism that regular people now are excited about having an encrypted phone. The rest of us carrying state secrets and nude selfies can certainly still trade off that convenience for potentially more secure phone.
If you ask me, it's really a shame (security-wise), BUT having a kind-of-secure TouchID is WAY better, than having absolutely no security (i assume that people that didn't use any passcode now use touchid).
We (and Apple) need to educate people, that it's not the perfect and completely secure solution.
First two sentences of this article: Last year, when the iPhone 5S was released, I showed how you could hack its fancy new TouchID fingerprint sensor. A year and one iPhone 6 later, I’ve done it again. Obviously neither of those links mention the iPhone 6, which is the whole point of this article.
This is neat, but movie-plot threat territory. Far more dangerous to actual security on iPhones is that airplane mode can be enabled from the lock-screen "Control Center" by default.
This basically means if somebody wants to steal your iPhone, the first thing they're gonna do is swipe up, turn on Airplane mode, and lock you out of using Find my iPhone to find or lock it. They can wait until they get to a chop shop or anything else, by which point they'll have their money, meaning that they'll still be incentivized to steal iPhones.
You can disable this 'feature' (control center from the lockscreen) in Settings, and I think we should spend way more time advertising that than worrying about whether it is possible for someone working in a lab to use latent prints to unlock your phone. In the time it's going to take them to do that, hopefully you can get somewhere to lock the phone online - but if the villain disables your ability to remotely brick the device, that's way more worrisome to me.
This won't affect activation lock though, and any value the phone has beyond an activatable device would be for parts (meaning it wouldn't matter if you can brick it).
46 comments
[ 3.0 ms ] story [ 94.9 ms ] threadWhile two factor auth is probably overkill for just unlocking a device to many people, I would like to at least have the option.
One of my concerns is that if your device is ever taken by an organization that has the ability to command your fingerprints then they can quite easily unlock your device negating any encryption.
Also while I think its unlikely right now for criminals to make fake fingerprints in order to steal financial transactions, its a flaw and ApplePay is going to financially motivate those criminals to look into ways to refine the process and make it easier to do.
Two-factor authentication would need to rely upon a much more reliable criteria than Touch ID.
Also while we are on the subject using a short pincode to unlock the device is asking for trouble. While the device ID is tied to the decryption and there is no way to extract it yet I have no confidence that it will remain that way forever. At which point the ability to crack a short pin off the device means the pin will get cracked in seconds.
In both cases, the phone will require a passphrase for unlocking (if you configure one as opposed to just a simple code, of course).
Having a really long passphrase and the ability to very quickly render the fingerprint reader useless is a huge improvement in security over previous touchid-less phones.
Having to both type a code and using my fingerprint (in that case, in addition to a very long passphrase, which would be difficult to explain to users how that works) would be very annoying, at least for me.
In fact, if you look at one of the cracking tools that law enforcement is known to use [1], iOS8 looks to have made things more difficult:
"iOS 8
Currently under version 4.0 Advanced logical extraction will extract less data compare to previous iOS versions."
[1] http://releases.cellebrite.com/releases/ufed-release-notes-4...
Short period of time - touchid to unlock. Medium period of time (adjustable) - touchID+Pin Long period of time - (adjustable) - passcode
Different people could set the values as appropriate. For me, it would be < 5 minutes touch ID, < 1 hours touchID+Pin, > 1 hours passcode.
The nice thing is iOS 8 seems to encourage people to use alphanumeric passcodes by default. This is a big change. I guess they're pushing people to touchid primary, complex passphrase backup, vs. making touchid or numeric passcode the same.
I agree that its only likely as a targeted attack though. This isn't the sort of thing you will see street criminals doing.
A skilled person or organization yes. Obtaining the latent prints probably isn't the hard part, I imagine stealing someones trash would be enough for that.
The tricky part is making a clone accurate and detailed enough that it works in less than 6 attempts.
EDIT: Oops, that's not right — the PIN by itself (or in conjunction with TouchID) still has that property. I meant it the other way around: Apple probably wants to make sure that the TouchID sensor is reliable enough to never lock people out, because if even one person has that problem, they won't be able to recover their data. Right now, the PIN is a failsafe; with TouchID/PIN, if TouchID fails, there isn't one.
The objective should be PIN+fpr for routine use, and a longer password when that doesn't work (or on system boot). I'd be fine with PIN || fpr sometimes when it's even lower risk (e.g. when connected to your home wifi).
"Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original."
The most interesting thing about the new article is learning that the iPhone6 TouchID sensor is more accurate and scans a bigger part of your finger. That's good to hear.
I can only agree with the author that TouchID is mostly "good enough" security, but it'd be really great to have "enterprise-class" security by simply allowing 2-factor auth including TouchID + passcode.
I may be a bit naive but I don't see Apple being able to reconstruct your physical fingerprint from their store info in the security enclave - I see it more of a one-way function and if it never leaves the device, then it seems safe to be collected.
[1] https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples...
There's a certain point at which asking for TouchID and passcode too often will encourage people to use less secure pass codes, which defeats the point of having 2-factor authentication in the first place.
At least until the myriad of iPhone data extraction tools being sold to the police finds a way to extract that, too. This one is apparently already compatible with iOS8:
http://www.accessdata.com/solutions/digital-forensics/mobile...
And from what I've noticed Apple is pretty quite about fixing vulnerabilities that these kind of tools used (i.e. the kind of vulnerabilities that need your phone to work - which is exactly the kind of power say someone like the police has).
How secure is secure enough? The weak spot is, and always will be, the human aspect.
Same goes for the Android swipe pattern system except that if you turn off the pattern display it is much more difficult to detect since length and pattern can vary. However, on two separate occasions people have noted to me that they "now know my pattern" despite my being fairly fast and subtle with how I entered it.
All things considered, I think finger prints are much more secure for most people.
You've always (or at least back to the iphone 3gs) been able to choose to use a more complex PIN.
Personally I wish the pattern-based lock screen was more dynamic. Like if it rotated while you entered and had a random starting position, it'd make it much harder to read either real-time or through smudges. And it'd be more fun to boot.
Oh, gosh. That stinks.
> "Another sign that the sensor may have improved is the fact that slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just “lift your fingerprint” from the phone’s glossy surface and unlock the device."
Wait, so that isn't a measurable improvement?
iOS 8 still requires your passcode after a reboot, so you can certainly force a temporary timeout if you'd like.
I think some advanced timeout stuff could be useful, but I wish we could try and have a bit more optimism that regular people now are excited about having an encrypted phone. The rest of us carrying state secrets and nude selfies can certainly still trade off that convenience for potentially more secure phone.
[1]http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
[2]http://www.heise.de/newsticker/meldung/Fingerabdrucksensor-d... (german)
If you ask me, it's really a shame (security-wise), BUT having a kind-of-secure TouchID is WAY better, than having absolutely no security (i assume that people that didn't use any passcode now use touchid).
We (and Apple) need to educate people, that it's not the perfect and completely secure solution.
They won the prize in the end but honestly that wasn't the point to why I did it and the guys at CCC are friends of mine.
This basically means if somebody wants to steal your iPhone, the first thing they're gonna do is swipe up, turn on Airplane mode, and lock you out of using Find my iPhone to find or lock it. They can wait until they get to a chop shop or anything else, by which point they'll have their money, meaning that they'll still be incentivized to steal iPhones.
You can disable this 'feature' (control center from the lockscreen) in Settings, and I think we should spend way more time advertising that than worrying about whether it is possible for someone working in a lab to use latent prints to unlock your phone. In the time it's going to take them to do that, hopefully you can get somewhere to lock the phone online - but if the villain disables your ability to remotely brick the device, that's way more worrisome to me.