Originally Posted by mknopp
I actually think that a combination of iris scanner and fingerprint scanning is what smartphones need, so I am looking forward to seeing this come to smartphones, if for no other reason than it will hopefully kick Apple in the rear to implementing it on their iPhones.
Yes, iris scans are not as convenient as fingerprint scans, but they are also more secure. People leave their fingerprints all over the place when they touch things. Heck, they leave their fingerprints on the very device that they are trying to secure. The iris doesn't leave anything behind when it looks at something.
A combination is perfect because touchID is quick and easy and doesn't require you to look at your device. However, it isn't as secure as an iris scan. For that reason, I could see a touchID used to unlock your device and a quick iris scan to perform a payment or something requiring something more secure than using a fingerprint left everywhere you touch.
Yes, we do leave our fingerprints all over the place but you don't have to use the underside tips of your fingers. A knuckle on the finger works just as well. If you really care about security and don't mind an ever so slightly unnatural usage to unlock your device you can use a part of your skin that you aren't leaving around.
That said, this really isn't an issue for a multitude of reasons that range from a thief stealing your device is likely a crime of opportunity to Apple's use of TouchID is to get those that didn't have pass codes set before to finally using them without being too inconvenienced by the security. Apple wasn't trying to design a Leviathan series bank vault with the Malbolge programming language. For those that do care about security more than the average person you can change your 4 digit PIN to a proper, alphanumeric password, which is what I did.
There is also an issue with blanket statements that iris scans are more secure than fingerprints. It can't be stated in such simple terms. For instance, AuthenTec doesn't just read a fingerprint but also reads the dermis which isn't left anywhere. So how was TouchID technically broken in an ideal environment? That is probably down to how in-depth the authentication Apple was willing to make to obtain a given security level. Apple states TouchID is 5x more secure than a 4-digit PIN, plus after a few bad tries the system then forces you to use your passcode to access the system and re-enable TouchID.
Another way of looking at it is if I were to say that Samsung requires a 10-digit PIN for their phones. Is that more secure than a 4-digit PIN? Most would say yes, but what if I then told you that only 2 of the numbers have to be correct for it to authenticate you. With biometrics that's what we're dealing with and the more exacting the match the more processing it has to do.
IOW, how sensitive will an Iris scanner have to be to read your iris while in your hand 18" away from your face in a natural position which is also a pretty severe angle for it to work as well as TouchID? How long will the processing take? You already mentioned Samsung will have trouble with the secure HW enclave, but what about processing this data so that it's even close to being as fast as TouchID? Security is always at odds with convenience.
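The 10-digit PIN analogy in the post above, worked through as an added example (not part of the original post). It assumes "2 of the numbers have to be correct" means at least 2 digit positions match and that the guess is uniformly random; the function names are hypothetical.

```python
from fractions import Fraction
from math import comb


def false_accept_rate(length: int, required: int, alphabet: int = 10) -> Fraction:
    """Chance that one uniformly random guess is accepted when at least
    `required` of `length` positions must match the enrolled secret."""
    p = Fraction(1, alphabet)  # per-position chance of a lucky match
    return sum(
        comb(length, k) * p**k * (1 - p) ** (length - k)
        for k in range(required, length + 1)
    )


def min_required_to_beat(length: int, target: Fraction, alphabet: int = 10):
    """Smallest match threshold whose false-accept rate is <= target,
    or None if even a full match cannot reach it."""
    for required in range(length + 1):
        if false_accept_rate(length, required, alphabet) <= target:
            return required
    return None


if __name__ == "__main__":
    exact_4_digit = false_accept_rate(4, 4)    # ordinary 4-digit PIN
    lax_10_digit = false_accept_rate(10, 2)    # the post's "2 of 10" case
    print(f"4-digit PIN, exact match : {float(exact_4_digit):.6f}")
    print(f"10-digit PIN, 2 of 10    : {float(lax_10_digit):.6f}")
    needed = min_required_to_beat(10, exact_4_digit)
    print(f"matches needed for the 10-digit PIN to be no worse: {needed}")
```

Under these assumptions the nominally longer secret only catches up with the 4-digit PIN once the threshold is tightened well past the lax setting, which is the same strictness-versus-processing trade-off the post describes for biometric matchers.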