Is Touch ID secure enough to keep your iPhone 5s safe?

Don't believe the hype - Here's what you need to know about the strengths and weaknesses of Apple's new Touch ID biometric fingerprint ID sensor

Touch ID - Apple's new biometric fingerprint and other anatomy ID sensor - has reportedly been spoofed by a team using well-known fingerprint reproduction techniques. This will no doubt get a lot of media attention, and also generate a lot of dumb media reports. Unfortunately, it'll also confuse, scare, and stress a lot of people who just want to use their phones and live their lives. So, is there anything anyone should really be concerned about?

Well, first and if nothing else, this should serve as a powerful reminder that no convenient security system is foolproof. And, the more convenient the security system, the less foolproof. A fence only stops those people who lack motivation enough to climb it. A lock, only those people who lack motivation enough to pick it. A vault, only those who lack motivation enough to blow it. You get the idea.

Second, it's important to understand the basics of how Touch ID works so you can understand its inherent strengths and limitations. Any physical security system can be attacked physically. You can be overpowered and have your finger forced onto the Touch ID sensor. You can be asleep or rendered concussively or chemically unconscious and have your finger placed onto the sensor. Likewise, any informational security system can be attacked informationally. You can have your Passcode spied on, seduced, intimidated, or otherwise tricked out of you. The single best way to get someone's password is still to ask them for it.

For people for whom security is more important than convenience, it'd be nice if Apple added an option to demand Touch ID (something you are) and a Passcode (something you know). It'd also be nice to have a Trusted Bluetooth LE device (something you have) thrown in for the tinfoil hat trifecta. So far, however, Apple is skewing towards the 80% who simply want and need basic level protection, not the 20% who might want Fort Knox. No surprise there.

So, for most people most of the time, know the risks, make an informed decision, and ignore the internet crazy. Touch ID probably has a better security-to-convenience ratio than either a 4-digit numeric password or a 63-character pseudo-random password. But everything has an opportunity cost; every advantage comes with a drawback.

By all means use Touch ID. Just understand it.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • They can steal our credit cards. Hack our computers. Let's all live under a rock. Who cares!
  • The Chaos Computer Club succeeded in unlocking an iPhone 5S with a copy of a fingerprint : Sent from the iMore App
  • And if you read the article you'd see Rene already mentioned that, hence this piece.
  • I think that a lot of people who found a pass code too burdensome might get used to using the fingerprint sensor.
  • Never really found putting in a 4 digit pin tiring or that it takes too long.. seriously it takes like 2 seconds to put in your pin. The tech crowd on podcasts and on the internet talk as if putting in a pin is so slow. I have never met a single person that has complained about having to put in a pin. The majority of people turn on their phone to check for notifications or check the time, and all that can be done without having to put in a pin.
  • I have a 6 digit PIN simply because a 4 digit is too simple. Also I think there are a lot of people who never even use a passcode. I also think putting in a PIN is not that much of an inconvenience but I can see Touch ID helping users make the device more secure. Sent from the iMore App
  • The four digit code to unlock the phone is not why the Touch ID is so handy. It really saves time when you have to enter your Apple ID password 10 times before you can download anything from the App Store and iTunes. Hopefully it will work with other apps too (if it doesn't already)
  • Me. Now you have met me. Using a PIN is a huge annoyance for me. I usually turn on my phone when I'm taking notes regarding a conversation I'm having with someone in front of me. It's a huge inconvenience to have to type in my PIN when they are watching me or to ask them to please turn around or for me to turn around. So I stopped using the PIN. Now that I can use Touch ID, I can keep my phone locked and unlock it without asking people not to look or have to worry if they saw my PIN.
  • I'm sure there are people like you who get annoyed. I meant non-techie people, i.e. people that don't follow or comment on forums or sites like this like we do. The same people who just want an iPhone because it's an iPhone, those types of people, you know. I just feel us techies make a bigger deal out of issues and blow them out of proportion compared to general consumers who don't really care about little things like this. I 100% agree on the purchasing of apps; especially for those who buy apps regularly this will be a life saver. Just so you know, I'm all for fingerprint scanners etc.; I just wanted to say that in the bigger world outside our group the issue of pin codes wasn't really an issue. I have a Galaxy S4 and I basically have a pattern lock, and it has this setting where it won't lock the phone for a set period of time. For example, I'm taking notes and then I quickly have to do something on the laptop; usually when the display times out it would require you to put in your pin, but with this setting on, as long as you turn on the display within the period of time you set, it won't ask for a pin. This will only work if the display times out; if you put the phone to sleep yourself then it will lock straight away. Lol, I don't know if I explained that well. Also it doesn't have to be 5 min, it can be higher or lower. Don't know if this is available on iOS 7; it wasn't when I had the 4.
  • People have been fooling biometrics forever. Don't you people watch movies!! Lol. The level of security boils down to how much effort is needed to get past something. I'd say a fingerprint is harder than a password. Under most circumstances anyway. I'm still curious whether or not the NSA has access to a database of iPhone user biometrics now. They already have retina scans from the front facing cameras and now fingerprints. Alex Jones!
  • I also sort of wonder if the NSA can get to the fingerprints. Apple says they are stored securely and nothing has access to that section of the chip. Honestly, the government probably has most of our fingerprints on file for good reasons or bad. Teaching, or any other government job, probably makes you get fingerprinted. I don't think the NSA would want our fingerprints too badly.
  • If the NSA wanted your prints, there are far easier ways for them to acquire your prints than extract them from an iPhone... sheesh...
  • If they were targeting *you* specifically, you are undoubtedly correct. However, the question would be can the current means of storage TouchID uses be co-opted as a vector for the type of large-scale, passive, harvesting-everybody's-communication-in-case-we-need-it-later that NSA has been shown to favor.
  • Exactly, it's the just-in-case spying. And unfortunately they seem to be very good at strong-arming the likes of Apple, Google, Microsoft etc. into handing over whatever they ask. Let's just hope that Apple purposely made the information not accessible or something. So they have the answer of "WE CAN'T GIVE YOU WHAT WE DON'T HAVE"
  • Agreed. It would be pretty smart to play the "we can't get to it" card. All comments aside, the Touch ID sensor was a very good idea on Apple's part. Won't be surprised if we see it on a new iPad or iPod.
  • As an Android user, I've got to admit that unlocking with my fingerprint is really attractive. I don't currently use any lockscreen security because it's intrusive and when I want to use my phone I don't feel that I should have to spend 10 seconds to unlock it. Yes, I can use face unlock. But when I potentially have the ability to just use my thumb or finger to unlock my phone while it is already on the home button. It's something that I'd welcome with open arms. And depending on what Google do with 4.4, it might just mean a move for me.
  • The world is bigger than I am. I don't have that prestigious an appointment in this life to warrant worrying over anybody attempting to wrongfully access anything I have on my iOS device.
    Some people are really special. Sent from the iMore App
  • Apple advertised this precisely as a solution for the 50% of people who don't use a passcode. The videos make it look very convenient. And, it does have the option to be used as a second or third factor in more secure situations. Also, if you want it to be more secure, use your pinky finger to unlock the phone. You leave a lot fewer pinky finger prints around.
  • So let's see, a video with the following details
    -no proof that the "spoofed" print is in fact the index finger and not the middle finger
    -has all actions performed by the same person
    -goes with the basic 0000 4 digit pass code
    -still has a human finger in the equation
    is supposed to show that biometrics, in the layout Apple has set up, can be bypassed. Sure it can, but this is a controlled environment situation. I say for this to be accurate, let's do it right
    -evidence that the print in question has been pulled off an item and is in fact the index finger
    -TWO users!
    -An 8 character alphanumeric pass code minimum, with only one of the two users knowing it and an independent 3rd party overseeing to verify
    -Phone has been cycled through a power cycle, forcing the 2nd user who attempts to gain access has to correctly enter in the finger print and not get held up on the 5 attempt pass code 2 level authentication. Who's up for that challenge?
  • "Phone has been cycled through a power cycle, forcing the 2nd user who attempts to gain access has to correctly enter in the finger print and not get held up on the 5 attempt pass code 2 level authentication." Doing a power cycle requires you to put in the Passcode; your fingerprint won't work until the Passcode is entered. "Passcode Required After Restarting"
  • "Doing a power cycle requires you to put in the Passcode; your fingerprint won't work until the Passcode is entered. "Passcode Required After Restarting"" See, that was my point: you need both items to truly be able to unlock the phone. Apple's own white pages on the matter say as much, which is why I was calling into question the video itself. If the results can be replicated with a situation that has more than one user, more than a 0000 4 digit passcode and is 3rd party verified, then I call this confirmed.
  • When I saw the video about getting by the Touch ID I almost laughed because I can just see what's going to happen now. The majority of users out there I'm pretty sure enough no one is going to go through all those hoops to get into the device. Anyone who has information worth going through the trouble would probably have a 16 character secure password or better anyway. Personally anyone willing to go through that much trouble for my phone can go ahead. I just think it's a mountain out of an anthill. Sent from the iMore App
  • Meh. All they'd get from my iPhone is sexts from Scarlett Johansson.
    BFD. My passwords etc. are all encrypted with Splash ID.
    Good luck hacking that.
  • I'd be more concerned that Apple claimed TouchID scanned at the subdermal layer, when it's been proven that it clearly does not. Makes you wonder what else Apple lied about with regards to TouchID.
  • Face it once you lost your phone you are toast with whatever security system installed.
  • I agree with everything apart from one important sentence:
    "So, for most people most of the time, know the risks, make an informed decision, and ignore the internet crazy." Unfortunately, the writer is over-estimating the intelligence levels of the general public, with a potentially disastrous consequence. While some of us may think it's pretty obvious what the risks are, it has to be realised that the general population are, unfortunately, more careless/ignorant than that due to not being technical geniuses like ourselves. My 75 year old grandmother has an iPhone, and so does my 13 year old cousin. Neither of them will have understood the risks that were outlined in this particular post. Do we sit back and allow girls to be manipulated into doing acts they are opposed to because "they knew the risks of going out with random guys"? No. They need protection from the law, from the pubs/clubs, and from their friends. The analogy was to simply highlight the obvious point here, which is that someone who is relying on touch security alone will do so not realising that if they lose their iPhone, there is a much higher chance that their identity would be stolen than if they had a pin code enabled on the device. We should not assume that most people understand that... That becomes a dangerous world.
  • Tin foil hat, ENGAGE!
  • The one thing I don't understand with the touch id is the fact that when turned on, it still gives the option to put in the 4 digit passcode. Why can't I give a thief no option BUT to have to use the touch id?