Wednesday, 11 September 2013

iPhone 5S Touch ID - What Apple announced (how much did I get right)

AT 10am EDT yesterday (10/09/2013) Apple held their latest event to announce two new iPhones (iPhone 5S and iPhone 5C) and the latest version of iOS (iOS 7). The event coincided with my attendance at a school information meeting. I thought it wise not to follow Twitter on how the event was progressing even though I was itching to find out whether the fingerprint sensor had made it to the phone - besides, the school hall has awful mobile reception.

The previous day (09/09/2013) I wrote a blog making predictions on how Apple would utilise the fingerprint sensor. So how did I do?

First, let's take a look at what Apple announced yesterday.

What Apple Announced?

Source: Apple
Along with a faster processor and the next version of iOs (iOS 7) Apple announced the fruits of their AuthenTec acquisition, Touch ID - "a new fingerprint identity sensor". In other words an optical fingerprint sensor embedded underneath the Home button of the iPhone 5S.

In a video released to coincide with the announcement, Apple's chief design guru, Jony Ive, emphasises that Touch ID is more about convenience than security by saying that it "enhances the user's experience" and "is the next step in using your iPhone" as well as "protecting all of the information" held on the phone.

Touch ID will have two functions at lauch:

  1. Unlock the phone (iPhone Passcode replacement)
  2. Authenticate into iTunes (Apple ID Passcode replacement)

How does it work?
Once a user has enrolled (a user can enrol a single or multiple fingers) with Touch ID they can then replace the Passcode to unlock a locked device with the touch of their enrolled finger(s). One of the issues of previous smartphones with embedded fingerprint sensors (including the Atrix 4G) was a lack of other supporting functionality outside of the unlock phone feature. Apple have taken a positive step forwards by also allowing the fingerprint to provide authentication for iTunes payments - replacing the Apple ID password with the fingerprint. Is this the entry point (or pilot) for Apple's fingerprint-authenticated mPayments and will Apple store payments come next?

As with any embedded fingerprint sensor the service is a combination of hardware and software. The new Home button is made from sapphire crystal that both protects the sensor and acts as a lens to enhance the fingerprint. A steel ring has been inserted surrounding the button that detects the finger and wakes up the sensor (probably saves the battery). The optical sensor takes a high resolution image of the print (taken from the subepidermal surface of the skin to counteract damaged  and ageing epidermi). The captured image is then compared with the stored template that was captured during the enrolment process.

Is it secure?
According to Apple, all fingerprint information is encrypted and stored securely in a 'Secure Enclave' on the new A7 chip. Details of this process have not yet been released but I am guessing that a unique key is used for this encryption. There is also mention on whether the hardware protecting the template is FIPS 140-2 compliant. 

Dan Riccio, SVP, Hardware Engineering, Apple, has stated that the template is "never accessible by other software, never stored on Apple's servers or backed up to the iCloud". Expect to see these these claims coming under the microscopes of security researchers eager to test out this latest piece of security kit.

No security is 100% secure and optical fingerprint sensors are no exception. There have been a number of well-documented replay and relay attacks on sensors that can circumvent the security or the security process that supports the sensor. I am pretty sure that Touch ID will be successfully targeted and we will see the tech and national press quick to highlight the security failings of Apple's flagship iPhone. The question is whether these attacks can be replicated by the average thief  (hundreds of iPhones are stolen on a daily basis). Are we also going to see phone thieves force their users to unlock their devices with their fingerprints or even chop off a finger, as Lookout Mobile Security's Marc Rogers suggests in this interview with the Mirror newspaper. Possibly, but it will be tricky for a violent thief to do this as which finger has the user enrolled? However, if this does happen than it could end up being a PR disaster for Apple.  

It is also interesting to hear Apple emphasise features such as convenience and user convenience, not security or theft deterrence. If Touch ID is accurate and speedy, iPhone unlocks and iTunes transactions will be performed at a faster rate than those performed by password-verification. 

Did I get my predictions right?
Yesterday I predicted that:
  • Apple would release an iPhone with an embedded fingerprint sensor contained in the home button
  • The main uses of the fingerprint sensor would be:
    • To protect the device (phone unlock)
    • Link to iTunes for authentication
    • Enable mobile payments using the iTunes account at Apple stores
  • It wont be opened up to third party developers at launch
4 out of 5 isn't bad and I feel that if there is a positive reception from iPhone 5S users to Touch ID then Apple will look to other services being included in the service and one of these will be mPayments at physical stores. 

I am also confident that we will see this technology embedded within other Apple devices including both the iPad and the iPad mini.

How many iPhone 5S's will Apple sell and what does it mean for the mobile biometric market?
There is a feeling that the lower-priced iPhone 5C will sell more than the Touch-ID equipped 5S but how many units will Apple shift? On its launch last year the iPhone 5 sold more than 5 million units in its first weekend. The last official figures from Apple for Q3 2013 stated that 31.2 million iPhone were sold around the world (that's going to be mixture of 4's, 4S's and 5's).

Based on these figures I am estimating over 20 million iPhone 5S units will be sold around the world by the end of Christmas 2013 - that's a lot of fingerprint sensors. That's more mobile fingerprint sensors than AuthenTec had shipped before being sold to Apple.

Back in 2011 I forecast that there would be 19.4 million mobile devices shipping with embedded fingerprint sensors by 2015. Apple are probably going to blow that forecast in a single quarter.

As a result of this momentous news for the biometrics industry I am going to revise the forecasts from 2011 and publish these in the coming weeks. I feel that Touch ID will have a direct impact on the biometrics industry in general and in particular the mobile biometrics industry. Other mobile phone manufacturers will probably follow-suit with similar solutions, not just fingerprint. Apple also acquired a lot of  fingerprint IP when they purchased AuthenTec. This may well restrict what other mobile device ODMs can do with embedded fingerprint sensors.

One this is for certain, the Apple announcement yesterday will propel biometrics into the mainstream. This knock-on effect will not just be for fingerprint sensors but for many other modalities including voice, facial, eye (iris and retina) and other emerging ones such as heart rhythm and behaviour. Linked to attempts to standardise authentication and identity verification (notably The FIDO Alliance) and the movement of identity services to the cloud will bring about a revolution in how we authenticate and identify ourselves for digital services across multiple endpoints (Remember the smart phone is part of a constantly evolving cycle of technology innovation and we are at the beginning of the start of another one - wearable computing).

It is certainly an exciting time for those of us that work in the security and authentication industries.

Alan Goode - September 11 2013

1 comment:

  1. Touch security function in new iPhone model is really cool. I think through this function users information will remain more secure within. It's an exciting option. Looking forward to use it!