Touch ID reminder: Convenient security is a fence, not a fortress

Don't believe the hype - Here's what you need to know about the strengths and weaknesses of Apple's new Touch ID biometric fingerprint ID sensor

Touch ID - Apple's new biometric fingerprint and other anatomy ID sensor - has reportedly been spoofed by a team using well-known fingerprint reproduction techniques. This will no doubt get a lot of media attention, and also generate a lot of dumb media reports. Unfortunately, it'll also confuse, scare, and stress a lot of people who just want to use their phones and live their lives. So, is there anything anyone should really be concerned about?

Well, first and if nothing else, this should serve as a powerful reminder that no convenient security system is foolproof. And, the more convenient the security system, the less foolproof. A fence only stops those people who lack motivation enough to climb it. A lock, only those people who lack motivation enough to pick it. A vault, only those who lack motivation enough to blow it. You get the idea.

Second, it's important to understand the basics of how Touch ID works so you can understand its inherent strengths and limitations. Any physical security system can be attacked physically. You can be overpowered and have your finger forced onto the Touch ID sensor. You can be asleep or rendered concussively or chemically unconscious and have your finger placed onto the sensor. Likewise, any informational security system can be attacked informationally. You can have your Passcode spied on, seduced, intimidated, or otherwise tricked out of you. The single best way to get someone's password is still to ask them for it.

For people for whom security is more important than convenience, it'd be nice if Apple added an option to demand Touch ID (something you are) and a Passcode (something you know). It'd also be nice to have a Trusted Bluetooth LE device (something you have) thrown in for the tinfoil hat trifecta as well. So far, however, Apple is skewing towards the 80% who simply want and need basic level protection, not the 20% who might want Fort Knox. No surprise there.

So, for most people most of the time, know the risks, make an informed decision, and ignore the internet crazy. Touch ID probably has a better security-to-convenience ratio than either a 4-digit numeric password or a 63-character pseudo-random password. But everything has an opportunity cost, and every advantage comes with a drawback.

By all means use Touch ID. Just understand it.