Lookout Blog, September 11, 2013

Lookout's Take on Fingerprint Passcodes

By Marc Rogers

Apple’s iPhone 5S announcement has everyone asking: will a simple touch of your fingerprint end the days of manually entering a passcode on your device? Probably not. But fingerprint technology is full of exciting promise for mobile security: if implemented correctly, it has the potential to usher in a new generation of secure mobile services.

Long rumored, the new 5S will have a “Touch ID” fingerprint technology built into the home button that will give users the ability to unlock the device with their fingerprint. Fingerprint technology is a great way for passcode-wary consumers to get a dose of security: just over half of people say they use a passcode on their phone today; and of those that don’t use a passcode, many say it’s because it’s inconvenient. With phone theft and loss huge threats to the privacy of your device, setting a passcode is critical. Fingerprint technology helps marry security and convenience, giving people a natural way to build device security into their life.

All technologies have weaknesses, and fingerprint-based biometrics is no different. One serious risk is that fingerprints can be lifted and duplicated. While we can expect the fingerprint scanner in Apple’s latest device to use the most advanced defenses to protect against these types of attack, it’s good to keep in mind that this technology has been circumvented before and is likely to be challenged again.

Despite potential weaknesses, fingerprint-based biometrics offer undoubted opportunities for improved security. Our fingerprints are always with us, and no matter how efficient attacker technology becomes, there will always be a cost in terms of complexity, time and materials for an attacker to duplicate them. By understanding and accounting for the limitations of fingerprint-based biometric security, we can embrace the benefits, using it both to enhance mobile device physical security and to lay the foundation that could allow us to architect a new generation of secure mobile services.

How should fingerprint technology be implemented?

While fingerprint security alone shouldn’t be considered sufficient for high-security situations, using it as part of “two-factor” security, where you enhance the fingerprint with an additional security barrier such as a passphrase or PIN code, will create strong protection that is suitable for even some of the most delicate or risky situations. This is potentially great news for enterprises concerned about the likelihood of corporate data ending up on smartphones as part of BYOD. If you require two-factor authentication using the fingerprint and a strong passphrase when the device is powered up, or the first time it is used after a defined period of inactivity, you create a level of protection that outstrips what most laptops or desktop PCs are capable of offering. It could be great news for financial institutions, too, as two-factor authentication using biometric information has long been seen as one of the strongest lines of defense against phishing attacks. By allowing developers to leverage this technology as they build applications, Apple could empower developers to create a new generation of secure yet convenient-to-use mobile services.

The road ahead won’t be free of challenges.

Apple has already overcome one major risk by stating that biometric data will only be stored on the user’s device, so as to avoid creating a cloud service that hosts millions of users’ biometric identities, something that would be an irresistible target for both cyber criminals and state-sponsored hackers. Now the company will face a second challenge: ensuring that user data is adequately protected on the device itself so that it is secure in the event a device gets stolen. Apple will also have to ensure that a rogue developer cannot use this technology to harvest biometric identities as people play their latest innocuous-looking game. The success or failure of fingerprint technology on the iPhone hinges on its implementation: if incorporated correctly, fingerprint security could change the way we look at mobile security; if implemented poorly or made too cumbersome for users, it’s likely to end up a quickly forgotten feature. Only time, and the launch of Apple’s new iPhone, will tell us for sure.





maureen broderick says:

February 24, 2015 at 6:40 pm

Send me a new passcode because I cannot use my phone at all. This just started yesterday. I DO NOT remember signing up the premium lookout to begin with. 7146053066. You can call me on the house phone if need be 7149680161. TMobile could not help me. Very important.

Meghan Kelly says:

February 25, 2015 at 9:44 am

Hi Maureen, I'm just seeing this second comment! Sorry reaching out to the carrier didn't work. I'm passing your note along to our support team now. Hopefully we can get this sorted out.

Meghan Kelly says:

February 25, 2015 at 10:01 am

Maureen, our support team says that we will be sending you instructions and your last pin via the registered email address on your account.

maureen broderick says:

February 24, 2015 at 6:35 pm

Help. I cannot use my cell phone because I DON'T have a passcode. This just started yesterday. I can't reach you by phone and I am very upset. My husband is sick in the hospital and I must be able to receive and make phone calls.

Meghan Kelly says:

February 25, 2015 at 9:42 am

Hi Maureen, I'm sorry to hear you're having trouble accessing your phone. I'd bring your phone into your carrier to see if they can help you troubleshoot why you can't make calls. If you believe this is an issue with Lookout, please email us at support [at] lookout [dot] com and include the email address associated with your Lookout account. Sorry again and hope this gets figured out soon!

Kathleen Higgins says:

June 18, 2014 at 11:10 pm

I think we do need to eliminate the need for passwords. However. The manner of fingerprint ID Proof would be ultimately a vague or extreme underlying discomfort of having accomplished an Orwellian type society after all.

majanjean says:

January 08, 2014 at 4:00 pm

I lost my phone, but I have Lookout downloaded but not set up. It seems as though the phone fail somewhere and is on silent but I cannot remember where. Is there anything that can be done remotely to somehow activate it on the phone in order to locate it? Please let me know, thank you.

Vancouver Security says:

September 16, 2013 at 3:01 am

I like this new feature on iPhone 5. I hope they will soon fix all the problems related to this new technology, that may really be useful for the users.
