Apple details Touch ID and Secure Enclave tech in new security white paper

2

Comments

  • Reply 21 of 47
    solipsismxsolipsismx Posts: 19,566member
    chipsy wrote: »
    What you say could be perfectly right. I assume that PayPal would take into account that if the fingerprint was stolen it could be used for unauthorized transactions (and therefor be also a problem for them). Giving them reason to also be concerned by the storage of the fingerprint on the device itself. We won't know that until the security is fully detailed (but that took a while for Apple as well).

    Your last sentence really is a problem of fingerprint scanners used for security in general.

    I wonder if the Galaxy S5's non-hash scan and visual display of your fingerprint will allow one to take a screenshot and then print out a mold of the image to the appropriate size to bypass the scanner.
  • Reply 22 of 47
    chipsychipsy Posts: 287member
    Quote:
    Originally Posted by SolipsismX View Post





    I wonder if the Galaxy S5's non-hash scan and visual display of your fingerprint will allow one to take a screenshot and then print out a mold of the image to the appropriate size to bypass the scanner.



    Who knows :D. Wouldn't hurt to try I guess :).

    To be clear I'm not defending Samsung's solution here by any means, first and foremost I don't know how it works exactly. If anything I think they should have just left the fingerprint scanner for what it is and try to think of something else. I was just making assumptions based on what I thought financial service providers would look at/be concerned with.

    And like I stated in my comments before, I am really impressed with Apple's security solution as it is well thought out and well executed.

  • Reply 23 of 47
    jungmarkjungmark Posts: 6,705member
    " The system is sensitive enough that the chance of a random match for one finger is 1 in 50,000. "

    NYT headline: iPhone touch ID less secure in major cities.

    Still I wonder what develops from this for Apple.
  • Reply 24 of 47
    solipsismxsolipsismx Posts: 19,566member
    chipsy wrote: »

    To be clear I'm not defending Samsung's solution here by any means, first and foremost I don't know how it works exactly. I was just making assumptions based on what I thought financial service providers would look at/be concerned with.

    I'm with you and I appreciate your balanced response. I have some doubts that Samsung's implementation will have issues for reasons already stated but any final judgement will require waiting to see hands-on tests from users.
  • Reply 25 of 47
    This sounds really impressive and I'm glad Apple considered the shortcomings of previous fingerprint scanners. The Touch ID is supposed to be a feature that "just works", which is a common mantra with all Apple products. I'm curious to know what sort of security Samsung will be implementing in theirs. The swiping readers have been around for an awfully long time though.
  • Reply 26 of 47
    cpsrocpsro Posts: 2,470member

    Just slightly off-topic...

    Originally I experienced significant difficulty with Touch ID. It would work okay for a few hours up to a day or so, after which I'd need to retrain the system completely--and even train on the same digit multiple times (up to the limit of 5) in order to get a decent rate of recognition. Overall the Touch ID experience was unreliable enough that I abandoned its use.

    Recently I revisited Touch ID in iOS 7.1 beta, and I am elated to report Touch ID has worked flawlessly. Through a solid week of usage, I have not had to retrain nor did I need to train on the same digit more than once. I have not once had to enter my passcode. The few times Touch ID didn't work the very first time (in a fraction of a second) was when my digit was obviously moist. Quickly drying off the offending digit or switching to a dry one provided near-instant access. Great job, Apple!

  • Reply 27 of 47
    slurpyslurpy Posts: 5,154member

    Obviously, Apple put a shitload of thought and care into the security and privacy of Touch ID, from all angles, and all aspects. And that came out 5 months ago.  Let's contrast that with the (apparently barely functional and poorly thought out) solution by Samsung- which apparently is integrated with Paypal (a horrendous company from my experience) on day one. Oh, and that can't even authenticate purchases from the official Google store. Did Samsung even mention privacy or security in its briefings? How much access will the OS and 3rd party apps have to the sensor? How is it encrypted? Does anyone even care? Apparently not. Just like everything Samsung does, this was thrown is as a shitty "me too!" after-thought. Apparently, it's nearly impossible to "swipe" the sensor while holding the phone in one hand. How the **** did they think that was ok? Most of the time I can unlock touch ID while pulling it out of my pocket. If I had to use 2 hand, it would defeat the entire purpose. 

     

    If Apple came out with such a solution 5 months ago they would have been absolutely torched in the media. But with Samsung, it's always a free pass. 

  • Reply 28 of 47
    cpsrocpsro Posts: 2,470member
    Quote:

    Originally Posted by Slurpy View Post

     

    If Apple came out with such a solution 5 months ago they would have been absolutely torched in the media. But with Samsung, it's always a free pass. 


    You won't hear Samsung calling it a "free" pass! They pay beaucoup advertising dollars in order to receive blindly favorable press.

  • Reply 29 of 47
    rogifanrogifan Posts: 10,669member
    solipsismx wrote: »
    Coincidence this white paper of a clearly superiour solution has come out right after Samsung introduces their S5 with a fingerprint sensor?
    nope. :smokey:
  • Reply 30 of 47
    rogifanrogifan Posts: 10,669member
    Can someone explain how you use your fingerprint to unlock the S5 one handed? Every video I've seen so far the person is using two hands. Seems inconvenient. Also with Touch ID I don't have to wake my device before unlocking it. I just place my thumb on the home button and quickly push down for a second and it unlocks. With the S5 you have to first wake the device. Another inconvenience.
  • Reply 31 of 47

    If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...

     

    As for concerns about privacy, Lunn says users shouldn't worry.

    "The important thing about this announcement is that none of your biometric data is stored on that phone.

    "It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."

    http://www.smh.com.au/it-pro/business-it/paypal-says-samsung-fingerprint-payments-very-secure-20140227-hve02.html

     

  • Reply 32 of 47
    slurpyslurpy Posts: 5,154member
    Quote:

    Originally Posted by Rogifan View Post



    Can someone explain how you use your fingerprint to unlock the S5 one handed? Every video I've seen so far the person is using two hands. Seems inconvenient. Also with Touch ID I don't have to wake my device before unlocking it. I just place my thumb on the home button and quickly push down for a second and it unlocks. With the S5 you have to first wake the device. Another inconvenience.

     

    All the hands-on impressions say it's close to impossible. That's usability testing for you. 

  • Reply 33 of 47
    johnb0529 wrote: »
    If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...

    <p style="border:0px;color:rgb(93,96,99);margin-bottom:.8em;vertical-align:baseline;">As for concerns about privacy, Lunn says users shouldn't worry.</p>

    <p style="border:0px;color:rgb(93,96,99);margin-bottom:.8em;vertical-align:baseline;">"The important thing about this announcement is that none of your biometric data is stored on that phone.</p>

    <p style="border:0px;color:rgb(93,96,99);margin-bottom:.8em;vertical-align:baseline;">"It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."</p>

    <p style="border:0px;color:rgb(93,96,99);margin-bottom:.8em;vertical-align:baseline;">http://www.smh.com.au/it-pro/business-it/paypal-says-samsung-fingerprint-payments-very-secure-20140227-hve02.html</p>


    That suggests that the Samsung method is an open wound inviting virii.
  • Reply 34 of 47
    slurpyslurpy Posts: 5,154member
    Quote:

    Originally Posted by johnb0529 View Post

     

    If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...

     

    As for concerns about privacy, Lunn says users shouldn't worry.

    "The important thing about this announcement is that none of your biometric data is stored on that phone.

    "It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."

    http://www.smh.com.au/it-pro/business-it/paypal-says-samsung-fingerprint-payments-very-secure-20140227-hve02.html

     


     

    Yeah, thats what I thought. Sounds like a security nightmare. On the iPhone the fingerprint is NEVER transferred while making a purchase. But hey, who gives a **** about security, right? Nobody, when it comes to any company that isn't Apple. 

  • Reply 35 of 47
    slurpy wrote: »
    All the hands-on impressions say it's close to impossible. That's usability testing for you. 

    I thought the general impression is that the Samsung method doesn't function well with two hands either.
  • Reply 36 of 47
    slurpy wrote: »
    Yeah, thats what I thought. Sounds like a security nightmare. On the iPhone the fingerprint is NEVER transferred while making a purchase. But hey, who gives a **** about security, right? Nobody, when it comes to any company that isn't Apple. 


    The articles I have read just question the security aspects lightly while raving about the openness to developers.
  • Reply 37 of 47
    rogifanrogifan Posts: 10,669member
    More about Samsung/PayPal

    [url=http://www.webpronews.com/paypal-will-let-you-approve-payments-using-your-fingerprint-on-the-galaxy-s5-2014-02]WebProNews [/url]clarifies the concern as in a report. It says “the company (paypal) notes that all your financial information is stored in the cloud and never on your device. The fingerprint scanner instantly communicates with the cloud to authorize purchases and doesn’t store biometric data on the device or on PayPal’s servers. In short, the worst that can happen is hackers breaking into PayPal’s servers and stealing your financial information. While that’s certainly bad, they at least won’t have your biometric data which will one day be the most important identifier you have.”
  • Reply 38 of 47
    johnb0529 wrote: »
    If this news article from Sydney is accurate, the S5 will be encrypting your fingerprint and transmitting it to PayPal, which would mean that PalPal would also have a copy of your fingerprints on their servers...unless there is a dual-authentication model, or their scanner is impossible to spoof, seems to be a pretty big door for fraudulent use of PayPal...

    As for concerns about privacy, Lunn says users shouldn't worry.

    "The important thing about this announcement is that none of your biometric data is stored on that phone.

    "It's not storing your fingerprints locally. It takes your fingerprint, encrypts it, sends it to PayPal, they decrypt it, checks it's the same, and then you're authenticated. It's very, very secure."

    http://www.smh.com.au/it-pro/business-it/paypal-says-samsung-fingerprint-payments-very-secure-20140227-hve02.html

    1) So how does the phone simply unlock your device? Does it have to check with PayPal to do that?

    2) Having your fingerprint scanned on one device and then your biometrics sent over the internet to be checked by a copy sitting on a server controlled by a 3rd-party is not good security and users should worry if indeed that is how it works. That said, that is such a wretched design that I doubt that report is accurate.

    3) Apple's setup is so far the best I've seen. They don't store your fingerprint anywhere. Not even on your phone. It's a hash that gets checked and even the path from the Touch ID sensor to the secure enclave millimeters away has a good deal of encryption in place. It's not impossible to break but as previously noted there are easier ways to gain access to one's device.
  • Reply 39 of 47
    I read that Samsung are making their fingerprint scanner available to developers. If that is the case I fail to see how it can be secure.
  • Reply 40 of 47
    Remember when Google brought out face recognition to unlock their devices? I watched the demo on a Google keynote - guess what it failed to unlock the device. Since then I have never seen anyone unlock their device using this method. I don't think many will be using Samsungs fingerprint scanner either.
Sign In or Register to comment.