Home button fingerprint sensor in 'iPhone 5S' would give Apple a new leg up on the competition

Comments

  • Reply 61 of 130
    "Unless every website, every program, every piece of hardware that you use integrates this technology, it's not going to work. For this to completely replace usernames and passwords, there will have to be a lot of up-front work on the user's part and the developer's as well. You're still going to need back-up passwords and usernames for cases where you don't have your phone (like on a PC/Mac) or internet cafe. It's just too complex of a situation."

    You are completely missing the point. It is NOT replacing a username/password (or passcode in the case of the phone lock) as an authentication mechanism. It likely would just automatically input the information, using your fingerprint to confirm your identity. Very similar to the auto-fill feature in modern browsers. It wouldn't require any special integration from websites or application developers.
  • Reply 62 of 130
    blah64 | Posts: 993 | member

    Quote:

    Originally Posted by Yojimbo007



    1) Fingerprint sensor is cool. I don't see the concern of the first comment posted here.

    2) It can be a local process of authentication on the device... Independent of remote sites.

    3) Plus I feel it will be mainly for authentication of the phone user to get past lock screen... And apps on iPhone.

    4) If it ever gets expanded to act as log in authentication for remote sites.. It will just be fantastic.


     


    Numbered above to reply:


     


    1) It may be cool tech, but scary/creepy.


     


    I cannot believe there isn't one single response so far that even considers the fact that having your fingerprints in a mobile device is extremely creepy from a privacy standpoint.  Fingerprints are used to track criminals, not "regular" folks, egads.


     


    2) This is the only thing I've seen in all 61 posts so far that even hints at the biggest problem.  For that, you get props.


     


    Everyone, listen: you, as a user, have virtually zero control or even knowledge of what data goes out to application providers on your mobile device.  With ANY app, period.  Certain bits of data have some minor protections built into the OS, but in general, you should consider almost anything you put into your mobile device to be available to at the very least the authors of the app.  Once your data has reached their servers, you might as well consider it public information.  It may not happen this week or even this year, but data that sits on servers connected to the internet is almost always eventually either sold, misused or pilfered.


     


    I do not want my fingerprints (or faceprint, for that matter) to be tracked and sold by ANYONE, and I can't understand why no one is paying attention to this.


     


    3) This makes some sense.  The problem is in keeping that data local to the device.  I just don't know how it's possible to be assured of that over time.


     


    4) I don't agree.  It would then be a single point of failure for virtually anything and everything you do on your mobile device.  Never a good idea from a security standpoint.  But it seems these days people in their never ending quest to save 3 seconds, ignore security (and privacy) issues.  Very sad.

  • Reply 63 of 130

    Quote:

    Originally Posted by Gazoobee


    I hope this isn't true.  It would make far more sense to integrate it into the screen.  


     


    Especially since they just spent millions buying a company with world-leading technology that does exactly that.  



     


    why not make the home button the same as the screen, much like the glass trackpad? Actually, if they made the home button as a mini trackpad, that would allow swipe gestures also. 

  • Reply 64 of 130
    blah64 | Posts: 993 | member


    Lest anyone think biometrics are "safe".  Read this article at news.com.au:


     


    Theft of Fingerprints Easier than Cutting Off a Finger, Security Experts Warn


     


    Of course there's always the cut off your finger method as well.


     


    People need to stop and think about this:


    - when your password is compromised, you can make a new one in 5 minutes.


    - what do you do when your fingerprint is compromised?  


     


    There's no alternative except returning to passwords, because you can't change your body.  At that point you are back to using passwords AND your fingerprint has been compromised, so you are unequivocally worse off than before.


     


    It doesn't surprise me that many people aren't thinking about this, it does surprise me that it seems almost no one is.

  • Reply 65 of 130
    analogjack | Posts: 1,073 | member

    ...could be difficult for competing Android and Windows Phone devices to copy...


     


     


    This is a gratuitously insulting statement. Samsung is one of the most innovative companies on the planet, they have a tried and true strategy already in place. They simply copy it now and work out the detail later in the courtroom.

  • Reply 66 of 130

    Quote:

    Originally Posted by Blah64


    Lest anyone think biometrics are "safe".  Read this article at news.com.au:


     


    Theft of Fingerprints Easier than Cutting Off a Finger, Security Experts Warn


     


    Of course there's always the cut off your finger method as well.


     


    People need to stop and think about this:


    - when your password is compromised, you can make a new one in 5 minutes.


    - what do you do when your fingerprint is compromised?  


     


    There's no alternative except returning to passwords, because you can't change your body.  At that point you are back to using passwords AND your fingerprint has been compromised, so you are unequivocally worse off than before.


     


    It doesn't surprise me that many people aren't thinking about this, it does surprise me that it seems almost no one is.



     


    Well that was not encouraging lol 


     


    I gather Apple could use this as a soft passcode approach, whereby a password would be required to access sensitive data on the phone or to unlock it.  However, if the data is kept only on the phone, then the phone would have to be hacked to gain the biometric data, and having a hacked phone circumvents the need to gain the biometric data to hack the phone. Although if getting to your biometric data is the objective and the phone is easier to hack than a back, then that is a problem also. 


     


    I guess to be sure, we need finger, voice, retina, and a password. Or no phone at all :P 

  • Reply 67 of 130

    Quote:

    Originally Posted by AnalogJack


    ...could be difficult for competing Android and Windows Phone devices to copy...


     


     


    This is a gratuitously insulting statement. Samsung is one of the most innovative companies on the planet, they have a tried and true strategy already in place. They simply copy it now and work out the detail later in the courtroom.



     


    I agree. That has worked well thus far, why change it? :P 


     


    Oh, and much cheaper than all that pesky R&D stuff. 

  • Reply 68 of 130
    Marvin | Posts: 15,440 | moderator
    blah64 wrote:
    People need to stop and think about this:
    - when your password is compromised, you can make a new one in 5 minutes.
    - what do you do when your fingerprint is compromised?

    The other thing to consider though is that people have to remember passwords and because of the rise in computing power, we need longer and longer ones:

    http://news.cnet.com/8301-1009_3-57558223-83/no-password-is-safe-from-this-new-25-gpu-computer-cluster/

    "Using a brute force method, the cluster is capable of guessing every single eight-character password containing letters, numbers, and symbols in 5.5 hours. The cluster is running Virtual OpenCL, a platform that makes the GPUs believe they're all functioning together in a desktop computer"

    And they wouldn't use brute force normally so you can bet even longer passwords are feasible these days.

    I don't like usernames and passwords either and static data like biometrics is not enough. Biometrics would work if the scanner could test vital signs. In other words, you'd only pass a retinal scan if the scanner could verify that it was sampling an actual eye and not being tricked with just the data. But obviously computers can be tricked in many ways so that's a very difficult problem to overcome.

    If we stick with passwords, we're going to need something a lot better than just remembering longer phrases. At the very least to save time typing it in.

    One approach to get round the passwords might be the following:

    - there could be a very large encryption key in a file on a smartphone or computer protected with a simple gesture or code
    - there would be a similarly large key on the server
    - when you go to authenticate something online, they'd send a random message to you that has been operated on using the server key
    - you would then take that message, type in your simple passcode and allow your smartphone to operate on the message using your local key
    - once the server gets the message back again, it can tell the local key and server key match

    This is basically what can be used for SSH authentication:

    https://wiki.archlinux.org/index.php/SSH_Keys

    but it protects your local keys behind a simple protection.

    No server exploits are possible because a hacker would only get a single key. If someone steals your phone or computer, they'd have to guess the gesture or keycode to decrypt the larger key and still have to figure out what services the person used and possibly their username. By that time, the victim of the theft simply gets a new key issued without having to guess a new passcode or gesture. Multiple complex keys can be stored behind a basic local barrier and this barrier could even be a biometric one. This biometric data would never be sent to a server. Biometrics plus a simple pass key or gesture would be even stronger.

    I personally get tired of using password schemes. I make up unique passwords for about 20 or so services and then write them in a local encrypted dmg with a strong code in case I forget but it's such a pain having to remember them all. The benefit to passwords and biometrics alone is that you always have them with you so you could log into a service from another computer but I think we're going to have to start using longer computer generated keys and they can be put on SD cards if needs be.
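
Added example (not part of Marvin's post or of the original thread): the passcode-protected key with challenge-response login described in Reply 68, written in the SSH style it points to, where the server stores only the public half of the key. The function names, the class `AuthServer`, the user `alice` and the passcode are hypothetical; Node.js built-in `crypto` only.

```javascript
const crypto = require('crypto');

// Device: create a key pair; the private half is stored only encrypted under the passcode.
function enrollDevice(passcode) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    wrappedKeyPem: privateKey.export({
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase: passcode,
    }),
  };
}

// Device: unlock the key with the passcode and sign the server's challenge.
// Returns null when the passcode does not decrypt the key.
function respond(wrappedKeyPem, passcode, challenge) {
  let key;
  try {
    key = crypto.createPrivateKey({ key: wrappedKeyPem, format: 'pem', passphrase: passcode });
  } catch (err) {
    return null;
  }
  return crypto.sign(null, challenge, key); // Ed25519 takes no separate digest name
}

// Server: holds public keys only and issues single-use random challenges.
class AuthServer {
  constructor() {
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  challenge(user) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is consumed whether or not it verifies
    if (!nonce || !pem || !signature) return false;
    return crypto.verify(null, nonce, pem, signature);
  }
}

function demo() {
  const server = new AuthServer();
  const phone = enrollDevice('4821'); // constructed passcode
  server.register('alice', phone.publicKeyPem);

  const c1 = server.challenge('alice');
  const sig1 = respond(phone.wrappedKeyPem, '4821', c1);
  const goodLogin = server.verify('alice', sig1);

  // Wrong passcode: the key never unlocks, so nothing is sent.
  const wrongPasscode = respond(phone.wrappedKeyPem, '0000', server.challenge('alice'));

  server.challenge('alice');
  const replay = server.verify('alice', sig1); // old response against a new challenge

  // Phone stolen: a new key is issued and registered, the passcode stays the same.
  const newPhone = enrollDevice('4821');
  server.register('alice', newPhone.publicKeyPem);
  const stolenKeyLogin = server.verify('alice', respond(phone.wrappedKeyPem, '4821', server.challenge('alice')));
  const newKeyLogin = server.verify('alice', respond(newPhone.wrappedKeyPem, '4821', server.challenge('alice')));

  return { goodLogin, wrongPasscode, replay, stolenKeyLogin, newKeyLogin };
}

console.log(demo());
```

A four-digit passcode on an encrypted key file can be tried exhaustively offline by anyone holding the file, so the wrap buys time for reissuing the key rather than long-term secrecy.
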
  • Reply 69 of 130
    alexmit | Posts: 112 | member
    Nowhere in the article does it say that usernames and passwords would be replaced globally across all apps in the phone. Nor does it state so. This could start by simply replacing a passcode to unlock your phone, which would be quite handy. Of course it would be nice to go password-less across the board. That is not mentioned or implied here.
  • Reply 70 of 130
    Marvin | Posts: 15,440 | moderator
    alexmit wrote:
    Nowhere in the article does it say that usernames and passwords would be replaced globally across all apps in the phone. Nor does it state so. This could start by simply replacing a passcode to unlock your phone, which would be quite handy. Of course it would be nice to go password-less across the board. That is not mentioned or implied here.

    Yes, in its simplest form, it would be an authentication process as soon as you tap the home button without requiring a passcode. The extension to simplifying online passwords is just a need that it might be able to help with in some way. Apple's advantage has always been doing the software and hardware together so there can be uses beyond the unlock. It can be used to authenticate App Store purchases or any number of things if it's done in the right way.
  • Reply 71 of 130

    Quote:

    Originally Posted by Blah64


     


    Numbered above to reply:


     


    1) It may be cool tech, but scary/creepy.


     


    I cannot believe there isn't one single response so far that even considers the fact that having your fingerprints in a mobile device is extremely creepy from a privacy standpoint.  Fingerprints are used to track criminals, not "regular" folks, egads.


     


    2) This is the only thing I've seen in all 61 posts so far that even hints at the biggest problem.  For that, you get props.


     


    Everyone, listen: you, as a user, have virtually zero control or even knowledge of what data goes out to application providers on your mobile device.  With ANY app, period.  Certain bits of data have some minor protections built into the OS, but in general, you should consider almost anything you put into your mobile device to be available to at the very least the authors of the app.  Once your data has reached their servers, you might as well consider it public information.  It may not happen this week or even this year, but data that sits on servers connected to the internet is almost always eventually either sold, misused or pilfered.


     


    I do not want my fingerprints (or faceprint, for that matter) to be tracked and sold by ANYONE, and I can't understand why no one is paying attention to this.


     


    3) This makes some sense.  The problem is in keeping that data local to the device.  I just don't know how it's possible to be assured of that over time.


     


    4) I don't agree.  It would then be a single point of failure for virtually anything and everything you do on your mobile device.  Never a good idea from a security standpoint.  But it seems these days people in their never ending quest to save 3 seconds, ignore security (and privacy) issues.  Very sad.



     


    Fingerprint/Faceprint systems do not store images of your finger/face. They store a small set of "vectors" extracted from the image by the recognition algorithms, which are then encrypted. Even if you decrypted the vectors, you would not be able to recreate the original finger/face image. In addition, the "feature space" of a finger/faceprint is much larger than that of a typical password (which might be only six characters long, consisting of only letters and numbers for a "space" of 26 to the 6th power). These vectors are akin to the hashes that password based systems store. Compromising such a system does not reveal passwords, just the hashes for them. If the hash key is large enough, it is computationally impractical to work out the original password, unless it's in any of the widely available online dictionaries. The vastly larger feature space of a set of finger/face vectors makes brute force decryption impractical. As your fingerprint vectors would never leave the phone, there would be no chance of building dictionaries of them on the web.


     


    The benefit of Authentec's sensing technology is that it requires a physical finger. It is not an optical sensor, so a photograph of a fingertip cannot fool it.


     


    When you present your finger/face to a recognition system, it extracts the vectors from the image it takes of your finger/face and computes a degree of fit with those vector sets it knows. If the system accepts a large number of authorized users (for example a building security system), it must find the best fit from amongst a large collection of vector sets, which often produces recognition errors. If the system is simply checking for the presence of one or two owners, recognition accuracy can be quite high.


     


    To use a fingerprint sensor as the key to opening a Keychain like password system makes sense to me. The vagaries of various website and app password systems can be handled by the internal plumbing of Keychain. Rather than annoying me with constant prompts to enter my user/admin password, a quick press of the home button (or some region of the screen) seems both easier and less prone to hacking. You can't look over my shoulder to learn the physical characteristics of my fingertip. You can see what I type.

  • Reply 72 of 130
    It seems to me that if true the fingerprint scan would only be used to unlock your iPhone - and perhaps leap into Siri. It doesn't make sense to me that you would be asked to press the home button when visiting a web page or within an app in lieu of entering a password, as pressing the home button returns you to the home screen and always has done. It seems like a good idea to me, especially since in order to access work email on my phone the company imposes a long Passcode lock policy. I'm also shocked at how many people I know who have no Passcode lock at all on their phone, despite the sheer amount of information stored on iPhones from email to banking etc.
  • Reply 73 of 130
    I am getting real big of the home button to support multi touch gestures (same tech. in Mac trackpad).
  • Reply 74 of 130
    gazoobee | Posts: 3,754 | member

    Quote:

    Originally Posted by Richard Getz


     


    why not make the home button the same as the screen, much like the glass trackpad? Actually, if they made the home button as a mini trackpad, that would allow swipe gestures also. 



     


    Well it wouldn't be a button if it was part of the screen.  One of its uses is that it allows blind people to use the phone.  It has to be a physical button for that to work.  

  • Reply 75 of 130
    jason98 | Posts: 768 | member

    Quote:

    Originally Posted by Gazoobee


     


    For reasons too many to mention that have been discussed over and over again ... the Home button is not going anywhere.  It's a central part of the entire design, everyone likes it, and removing it would serve no purpose.  


     


    Also ... edge to edge screens?  What have you been smoking?  



     


    The home button is an archaism. The era of edge-to-edge button-less design is coming and nothing can stop it.


     


  • Reply 76 of 130
    gazoobee | Posts: 3,754 | member

    Quote:

    Originally Posted by Blah64


     


    Numbered above to reply:


     


    1) It may be cool tech, but scary/creepy.


     


    I cannot believe there isn't one single response so far that even considers the fact that having your fingerprints in a mobile device is extremely creepy from a privacy standpoint.  Fingerprints are used to track criminals, not "regular" folks, egads.


     


    2) This is the only thing I've seen in all 61 posts so far that even hints at the biggest problem.  For that, you get props.


     


    Everyone, listen: you, as a user, have virtually zero control or even knowledge of what data goes out to application providers on your mobile device.  With ANY app, period.  Certain bits of data have some minor protections built into the OS, but in general, you should consider almost anything you put into your mobile device to be available to at the very least the authors of the app.  Once your data has reached their servers, you might as well consider it public information.  It may not happen this week or even this year, but data that sits on servers connected to the internet is almost always eventually either sold, misused or pilfered.


     


    I do not want my fingerprints (or faceprint, for that matter) to be tracked and sold by ANYONE, and I can't understand why no one is paying attention to this.


     


    3) This makes some sense.  The problem is in keeping that data local to the device.  I just don't know how it's possible to be assured of that over time.


     


    4) I don't agree.  It would then be a single point of failure for virtually anything and everything you do on your mobile device.  Never a good idea from a security standpoint.  But it seems these days people in their never ending quest to save 3 seconds, ignore security (and privacy) issues.  Very sad.



     


    No personal insult intended here but this is all paranoid nonsense IMO.  Why exactly would this be "creepy"?  


     


    I remember this was a common point of view in the 1970's but I think we've kind of moved on from there.  I also think your assessment of what information can be extracted from the phone by app developers to be over-the-top and likely based more on fear than facts.  


     


    My only concern with this tech is the fact that the ones I've tried always want you to use the fingerprint on your index finger, and I don't happen to have one.  So that's always kind of frustrating. I trust Apple will give us the option of which finger to use however, as they usually think of things like that.

  • Reply 77 of 130
    gazoobee | Posts: 3,754 | member

    Quote:

    Originally Posted by jason98


     


    The home button is an archaism. The era of edge-to-edge button-less design is coming and nothing can stop it.


     




     


    Only if you believe everything you read on the web verbatim.  Which it seems you do.


     


    Wait a minute ... you just read what I wrote on the web and you *didn't* believe it.  


     


    Hmmm .... It must be that you just believe everything you read that has cool renders and video attached.  


    Yeah, that's it.  

  • Reply 78 of 130
    charlituna | Posts: 7,217 | member
    What if this isn't about security so much as recognizing when a finger is placed on a certain area. To create a 'virtual' home button rather than a physical one. They could move the hard reset to say pressing both volume buttons at the same time or some such. Or that could be taking a screen shot and do it with the sleep button for the reset.
  • Reply 79 of 130
    gazoobee | Posts: 3,754 | member

    Quote:

    Originally Posted by markbriton



    ... I'm also shocked at how many people I know who have no Passcode lock at all on their phone, despite the sheer amount of information stored on iPhones from email to banking etc.


     


    Well, there is no way to store your passwords on the phone.  Unless you are foolish enough to put them in a text file.  


    So it's not like possession of the phone equals possession of access to your bank.  


     


    I like your analysis of the home button as fingerprint scanner issue though.  I think you are 100% correct on that. 

  • Reply 80 of 130
    kdarling | Posts: 1,640 | member


    This reminds me of the fingertip pattern unlocking that was popular on touch PDAs for a short while around the turn of the century.


     


    A whole mini-industry and lots of scientific research sprang up over what patterns were most secure, etc.  


     


    Then, of course, people belatedly noticed that their fingers left a grease trail that showed what the unlock pattern was.  D'oh!!   Since a stylus was usually used for every other interaction, the unlock pattern was clear as a bell.


     


    After that, pattern unlocking disappeared as a security option for a long time.   Even Apple didn't use it for security, but instead just used it for simple unlock.


     


    --


     


    Re: fingerprints.  Cheap visual sensors can be fooled.  Better ones look for live person hints, like perhaps body heat.  Some have very fine capacitive sensors that actually map out the live person's fingerprint ridges.   In other words, a picture or even a cut-off finger won't work.


     


    In any case, as others have pointed out, they shouldn't worry about a bio-metric theft or sales situation.  This kind of info is usually kept only inside that particular device.  If you use a different device, you'll need to enter your fingerprint again.
