Touch ID on iPhone 5S: Both a Security Boost and Concern

Apple's newest flagship, the iPhone 5S, features fingerprint-recognition technology in the home button. Cue discussion.

Apple's inclusion of Touch ID, a fingerprint-reading security feature built into the iPhone 5S' home button, is expected to be a winner in the bring-your-own-device (BYOD) space and beyond. Enterprises will feel more confident trading BlackBerry handsets for iPhones, consumers will be pleased to forgo tapping in passcodes, and retailers will delight in making a purchase as simple as a finger swipe.

Still, the solution is not without its critics (or small, nagging doubts), which are natural responses given recent revelations about the National Security Agency's practices.

Within minutes of Apple's Sept. 10 announcement, Twitter lit up with comments, ranging from snarky to concerned.

"The NSA unveils its brand-new fingerprint database," Zerohedge Tweeted to his 160,000-plus followers.

Christopher Soghoian, principal technologist at the ACLU, offered a tonal bookend, Tweeting, "Using a fingerprint to unlock a phone (& thus, for disk encryption) seems like a really bad idea, even if the fingerprint data stays on the chip."

Apple worked to address such concerns before they could even be voiced, announcing from the stage Sept. 10 that a user's data never leaves the device.

"All fingerprint information is encrypted," Dan Riccio, Apple senior vice president of hardware engineering, repeats in a video now on the Apple home page. "It's locked away from everything else, accessible only by the Touch ID sensor. It's never available to other software, and it's never stored on Apple's servers or backed up to iCloud."

Gartner Research Vice President Van Baker says there's no reason to doubt Apple's word on this, as any news that such data were being collected would inevitably be revealed and "damage the brand immeasurably."

"As for acceptance of the technology," Baker told eWEEK, "a small percentage of people will reject it because they don't trust it, and a somewhat larger percentage will just find it too much trouble. That said, the number of people that use this security will likely be much larger than the number that uses a passcode."

Avi Greengart, an analyst with Current Analysis who was also at Apple's Cupertino event, says Touch ID is classic Apple—a simple solution to a widespread pain point.

"Securing your device in a quick and easy way solves a real problem for consumers," he told eWEEK. "In my brief hands-on time yesterday, I was astonished at how well Touch ID worked. Consumers are going to love it."

Fingerprints Go Mainstream

With Apple readying to ship the iPhone 5S to more than 100 countries by December, what Touch ID will doubtless do is shift mainstream thinking about security.

"This feature is pivotal for security, and I believe in the future we'll also see these fingerprint scanners extend beyond devices to all apps themselves, as soon you'll be able to make an iTunes purchase with the touch of your finger," Sri Ramanathan, CTO at Kony, a mobile app developer platform, told eWEEK.

He further called it an "exciting move" for Apple.

Nok Nok Labs, an online authentication venture, also had positive words for Touch ID. In a Sept. 10 statement, it described the iPhone 5S as an "important milestone," while calling for better security measures across all platforms.

"According to the latest figures from IDC, iOS represents only 16.9 percent of the global smartphone market," said CEO Philip Dunkelberger. "We need solutions that include all of the different existing platforms—Windows, Android, Linux—as well as considering all types of authentication technologies such as voice, face and secure PIN."

Apple will begin selling the iPhone 5S in the United States and a handful of other countries Sept. 20—at which point the hackers, well- and ill-intentioned, will get to work sizing up the new security feature.

"Fingerprint biometrics is nice, but not a perfect solution, as fingerprints can be dirty or slightly changed to not be recognized. There have been proofs of concept about lifting fingerprints to make copies and unlocking biometric control, but that's a dedicated attack and the typical user should not worry," Joe Schumacher, security consultant at Neohapsis, a security consulting company, said in a statement.

He added, "I don't see fingerprint readers replacing passwords. Touch ID is cool and convenient, but ultimately a sales tactic more than a security breakthrough."

Follow Michelle Maisto on Twitter.