Fingerprints Are More Secure than Passcodes, but Apple May Overestimate Our Trust

Apple is one of the major tech companies under huge pressure to reveal what it knew about the U.S. National Security Agency's PRISM spying program (as revealed by British newspaper The Guardian) and what information it handed over to the NSA and other security agencies. Despite all the assurances given by Apple, the introduction of fingerprint scanning as part of iOS 7 is likely to cause concern for many.

The Guardian disclosed in June that "the National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants", and Apple CEO Tim Cook has even met President Obama, seemingly to discuss the issue. Publicly, Apple, like most of the accused companies, has denied giving the NSA direct access, saying that it complies with individual requests as the law requires.

It is in this context that Apple made security updates to its iPhone line on Tuesday. As a result, when it made the expected announcement that the iPhone 5s would include a fingerprint sensor, Apple was unsurprisingly keen to emphasize that the fingerprint would never be stored or backed up in the cloud.

In the company's press release, Apple said that fingerprints will be "encrypted and stored securely in the Secure Enclave inside the A7 chip on the iPhone 5s; it’s never stored on Apple servers or backed up to iCloud."

The company specified that apps will not have access to the fingerprint, as well. It will, though, be possible to purchase apps and other content like music and movies in the app store using the fingerprint authentication. Other payments will not yet be possible through fingerprint authentication, although Apple introducing it in its own store gives a strong indication that soon iPhones will be able to authenticate payments on other services by touch. 

Touch ID will be part of the home button. Authentication is made by a 500ppi scanner, which gives a high level of scanning beyond the surface of the thumb. Wired explains:

The button is made of sapphire crystal, one of the hardest [and] clearest materials available. The steel ring detects your finger using capacitive touch. The sensor analyzes your print, categorizing it by arch, loop, or whorl. It inspects minor variance in ridge direction, among other details.

While it is an important move for Apple to say that the fingerprint is only stored on one device and is accessible only by the iTunes Store, I think the company will have to do more to quell some of the security fears around this feature. After the Snowden revelations, the tech-savvy portion of the public is increasingly cynical about handing over personal data, and there is little more personal than a fingerprint.

It feels to me like there has been a dramatic loss of trust in our favorite tech brands, and we are increasingly concerned about how we as consumers are also becoming the product. Whereas previously many people would have happily embraced the new technology, now there is a greater questioning of Apple's motive, and distrust of what we are being told. Just because Apple says that it will not store our data, that there is no online database, that doesn't necessarily mean we believe it.

For instance, this image was posted (and received a lot of attention) at image sharing service Imgur just a few hours after Apple's media event:

As well as fears about the NSA getting hold of people's fingerprints, and all the implications that that has, concerns have also been raised that the inclusion of fingerprint sensing could lead to criminals harming people in order to get hold of thumb prints instead of just stealing the iPhone. Sensors are apparently increasingly able to differentiate between a 'live' thumb and a 'dead' one, which will hopefully put off any particularly unpleasant phone thieves.

Overall, a fingerprint is much more secure than a password. Consequently, the fears of security services and others getting hold of it are greater, but so are the benefits to the consumer. Not only is touching the home button easier than remembering a password, it's not like someone can guess your fingerprint.

Ultimately, there are many people who do not bother to use passwords on their iPhone, and Apple likely hopes that by simplifying authentication by using touch, more users will improve their devices' security. However, before we all scan our fingerprints, Apple is going to have to do a lot of work to allay the real privacy concerns that still remain.
