Remember Apple’s TouchID sensor, which created quite a stir way back in 2013 when the iPhone 5s came out with a home button that could also read your fingerprint?
It wasn’t that having a fingerprint scanner was a new thing, even in 2013, but that the integration of the home button and the biometric sensor was a neat move by Apple.
After all, the first thing iPhone users typically did in 2013 was to click the home button to wake up their phone, popping up the unlock screen if they had been diligent enough to set a lock code.
But lots of users – notably including Marissa Mayer, then CEO of Yahoo! – didn’t set lock codes, because just pressing the home button was time-consuming enough.
So making the home button double up as a biometric authentication device was a handy way of bypassing the resistance of users who were determined to resist the use of lock codes…
…because it gave them a way to have their cybersecurity cake without having to take the time to eat it too.
Of course, not everyone was delighted at the idea, for several intriguing reasons, including:
- What if a court compelled you to unlock your phone with your fingerprint? In the USA, for example, would fingerprint unlock “codes” enjoy the same Fifth Amendment protection against self-incrimination as numeric or alphabetic lock codes? Would “something you have” be protected under the right to silence in the same way as “something you know”?
- What if your fingerprint data were stolen? Lock codes and passphrases can easily be changed if you think someone else has phished or stolen them. In the USA, even social security numbers – once regarded as immutable unless you entered a witness protection program – can now be reissued after a cybersecurity compromise. But how would you get new fingerprints?
- What if someone cut off your finger to unlock your phone? The good news here is that dead fingers don’t work for electrical reasons, so there’s not much point in taking such a desperate step. But what if the criminals don’t know that it doesn’t work and try it anyway?
- What if someone were to copy your fingerprint? After all, even though we now know how to do DNA matching, fingerprint evidence is still a handy investigative technique in law enforcement for the very simple reason that we leave copies of our fingerprints quite literally on everything we touch. Gloves might help, but how would you unlock and use your phone then?
Interestingly, the last concern turned out to be well-founded, given that just one week after writing about the launch of the iPhone 5s and its biometric home button, we wrote about how the Chaos Computer Club (CCC) in Germany had announced a way to make fake fingerprints that would fool Apple’s sensor.
Despite the CCC’s widely publicised hack, however, locking your phone with a fingerprint was certainly better than not locking it at all, and the TouchID feature quickly caught on.
How the CCC hack worked. Photograph a fingerprint, e.g. from the glass surface of the phone itself. Invert image to swap round black and white so the valleys are dark and the raised parts are light. Print on laser printer with the toner setting turned right up so the maximum amount of powder gets deposited to form a sort of 2.5-dimensional mould. Cover with wood glue and allow to dry fully. Carefully peel rubbery “fingerprint” off the “mould”. Place fake “fingerprint” on end of real finger. Breathe onto glue so the moisture makes it a tiny bit conductive. Swipe to unlock phone (maybe).
Plus ça change…
But TouchID didn’t last long, except on low-end Apple devices.
The problem was not so much that users fell out with the idea of using fingerprints as a shortcut to unlock their devices, but that they fell out with the idea of having a pesky home button at all, right where there could otherwise be more screen space.
So TouchID morphed into FaceID, using the front-facing camera, now integrated into a notch at the top of the screen.
Instead of matching some kind of digital hash of your fingerprint, the phone matched up a post-processed image of your face instead.
Swipe on the screen instead of pressing home, look into the camera instead of positioning your finger, and “boop,” you’re in.
…plus c’est la même chose
So we were surprised to see the rumour mill going into overdrive recently to claim that this year’s new iPhone models, presumably the “iPhone 13” (assuming that’s not considered unlucky in the North American market, where hotel elevators always seem to skip from level 12 to level 14), will be going back to TouchID.
Why, you might ask?
Well, the explanatory rumours behind the product rumours are surprisingly believable: even though FaceID seems to manage OK if you’re wearing things like hats, headscarves, headphones or hoodies (specatacles, too)…
…it doesn’t deal well with facemasks, which are commonplace these days as a sensible precaution against accidentally coughing or sneezing out coronavirus germs all over other people or products.
The humble blue paper facemask, it seems, is a great leveller, making us look all-too-similar as far as computer “vision” is concerned.
(Human brains, apparently, have a special section dedicated entirely to distinguishing faces, which is why babies can recognise their mothers long before they can focus their eyes fully.)
Presumably, if the rumours are true, FaceID will not go away (because which mobile phone vendor would ever consider introducing a new device without a front-facing selfie camera?), but Touch ID will be back.
You won’t have to use it
Frankly, we prefer typed-in lock codes anyway – long enough that every digit is used at least once so that the grease-spots on the screen don’t give away which numbers aren’t in the passcode.
We find it easier to tap in the passcode with one hand while the phone is sitting flat on our desk next to our laptop, than needing to angle the phone towards us, or lean over the camera, in order to line up our dial with its dial so it can figure out who we are.
It also means we can put duct tape over the selfie camera if we feel like it. (To be honest, we’ve never bothered, but we could if we wanted!)
Robin Wilkinson
Excellent article as per normal thank you
Paul Ducklin
Thanks, glad you enjoyed it!
Matthew
There’s more to FaceID than just the front facing camera on IOS. On top of the front camera at the top there is also a flood illuminator, dot projector, and a infrared camera all which play a part in FaceID.
I don’t think the question would be if Apple would remove the front facing camera on their next device but, whether they see if fit to keep manufacturing and working in the other pieces of tech when they’ve built in a different way for people to unlock their device.
I would love to see both. Making the device easier to unlock in a plethora of situations is what I think is best. I’m just not sure Apple can justify the cost of doing both methods going into the future
Bryan
bypassing the resistance
…I see what you did there.
:,)
Bryan
But how would you get new fingerprints?
This question is answered in the next question about chopped fingers.
However, the reality is that no one had an excuse in 2013 to shove that question at Apple.
Men in Black came out in 1997–in 16 short years, poor Agent J would no longer be able to get into his iPhone.
Slow Joe Crow
If facemasks become the norm then both Apple Face ID and Windows Hello lose their utility. The same applies to high security environments that forbid cameras. Retinal scanning or vein patterns might be an option but add complexity and cost. I haven’t trusted fingerprint scanners since a Japanese researcher made fake prints out of gelatin years ago.
Personally I don’t use biometrics because as a US citizen I don’t want to give police access to my device. Current jurisprudence is that they cannot force you to give up a password but most courts consider a fingerprint as analogous to a house key so the cops can make you swipe to unlock..
Paul Ducklin
Retinal scanning was all the rage in the late 1990s. It was ready to revolutionise cybersecurity, and some banks even did tests with ATMs (cash machines) that suggested the authentication part was very reliable…
…but for obvious reasons (given that the retina is at the back of the eye), you had to put your eye right up to the scanner for the optical part to work. And as anyone who has ever had pinkeye (conjunctivitis) will gladly tell you, you might want to avoid doing that.
So, after a couple of years of hearing enthusiastic reports that I should “watch this space” for news of the widespread adoption of retinal scanning in what was then the new millennium… crickets fo r the 20 years that have followed :-)