Why Samsung's fingerprint sensor needs to face the same scrutiny as Apple's Touch ID
Last week the new Galaxy S5 was introduced and, along with it, Samsung's take on the fingerprint identity sensor. Apple, of course, introduced the Touch ID fingerprint identity scanner alongside the iPhone 5s back in September of 2013. From launch, Touch ID received considerable scrutiny over not only its implications but its implementation as well, and not only by the media, but by security researchers and the U.S. government. So, roughly 3 nano-seconds after the Galaxy S5 was swiped on stage, Apple enthusiasts began wondering out loud just when exactly that same scrutiny and attention would hit Samsung. Some felt it wouldn't and that that was unfair. Others felt it wouldn't and that that's perfectly reasonable. My take is that it has to, and not just for the sake of Apple/Samsung fairness, but for consumer confidence and the technology moving forward.
Apple didn't get a letter from a U.S. Senator the moment they announced Touch ID. It took until launch day a week and a half later. Nor did articles showing supposed hacks or spoofs proliferate through the media the same day as the keynote. It took until the iPhone 5s got into people's hands again a week and a half or more later. Samsung has only just announced the Galaxy S5. They haven't shipped it. They haven't even announced a price or put it up for order. People who just want to get on the attention train will wait for launch to make the biggest splash possible. People who just want to audit the security will have to wait to get their own units before they can even start. Unless and until that happens, it's impossible to say what the scrutiny level will be.
Now the HTC One Max shipped with a fingerprint scanner back in October of 2013 and it didn't get anywhere near the scrutiny of Apple's Touch ID. Likewise, Motorola shipped the Atrix back in 2011 and never saw anything like it. But here's the thing: Apple enjoys far greater popularity and attention than any of those companies and the iPhone than any of those products. They weren't front page fodder the way Apple is. And maybe the way Samsung is now as well, or should be.
Part of the narrative for Samsung's fingerprint sensor includes the idea of it "doing more" than Apple's Touch ID. For example, it works in partnership with PayPal and offers developers a way to interface with it. Touch ID does not. That's often how Apple works. Introduce something. Use it internally. Work out any kinks. Then — Siri not withstanding — push it out to developers. Apple wants its APIs to be as solid as possible and you better believe they want the process of handing off Touch ID tokens to be nigh-invulnerable before they let them get anywhere out of Apple's chain.
It's a security-first approach and it makes sense when you're attempting to mainstream a technology like biometrics. When Touch ID launched, Apple not only described how it worked on stage but put up several articles on the web detailing the authentication and authorization process as well. (Following Samsung's announcement, Apple has released even more detailed information about Touch ID's implementation).
I've not been able to find anything similar about the Galaxy S5 fingerprint scanner on Samsung's website. I have no idea what their security chain is or how their sensor works. Is there a secure enclave on their chipset? It seems unlikely since they'll be using two different chipsets, one of which is generic and made by Qualcomm. Will every Samsung sensor be uniquely paired with its chipset and cease functioning if the hardware is swapped? Again, given the manufacturing choices, it seems unlikely. How is the fingerprint data captured? How is it stored? How is it released to Samsung's own apps? To Paypal? To third parties?
I know the time and consideration Apple put into Touch ID, the details they sweated to not only keep the process offline but physically inaccessible to the software in any way beyond the yes/no token. I'd very much like to know the same thing about Samsung's sensor.
Right now the Galaxy S5 gets a free ride on Touch ID's wave. Mainstream media and customers alike will simply think it's the same thing, assume it works just as well, and Samsung will benefit from Apple's priming of the market. But only if it really does work just as well.
That's why I'd like to see a letter from a U.S. senator on Galaxy S5 launch day. I'd like to see security experts and CSI's try to crack, hack, and spoof the hell out of it the way they did Touch ID. I'd like to know if it's vulnerable to software attacks or if someone with a Batcave worth of gear could trick it with a fake fingerprint. I'd like to see all of that reported on with every bit the ferocity Touch ID experienced.
Because the Galaxy S5, like the iPhone 5s will sell in the hundreds of millions. I have friends who are going to buy it and be every bit as excited about their fingerprint sensor as I am about Touch ID. If it's just too fussy to work reliably and they abandon it, that's fine and that's one thing. If it turns out to be insecure, that's something else entirely.
That's something that'll get headlines. Apple and Touch ID will get lumped into those headlines. I'll get panicked calls. And rightly so.
We're at an incredibly exciting point in mobile — the contextual awakening is coming. Ubiquitous mobile payments are coming. Technology is going to change quickly and that's it's going to require a lot of faith and lot of confidence from consumers. If an antenna misfiring is annoying, your wallet getting dropped will be cataclysmic.
It not only serves Samsung's best interests, it not only serves Apple's best interests, it not only serves ever geek futurist's best interests, but it serves the mainstream consumer electronic customer's best interests for the Galaxy S5's fingerprint identity scanner to either be terrific, or be kicked so hard, so fast, that Samsung has no choice but to make it terrific or risk ceding the market to those who can.
For a different, smart take on Galaxy S5 fingerprint sensor scrutiny check out Guy English's piece on Kickingbear.