(Dan Tynan) Big news: Apple has just scooped up AuthenTec for nearly $360 million. Why is this important? Because AuthenTec makes fingerprint sensors for use in mobile devices. The implication of this purchase is that future versions of the iPhone and iPad may have a fingerprint reader embedded in them, and that could be a pretty big deal. As Apple goes, so goes the rest of the mobile universe.
In other words, instead of entering an easily hackable or easily forgettable password to unlock your phone or tablet, you’d just stick your thumb on it. Or instead of entering a password on your bank’s Web site – hoping that it’s not really a phishing site in disguise – you’d use a thumbprint, which only the real bank would be able to verify.
Have I mentioned how much passwords suck? I think I have. Biometrics are probably the best solution to avoiding passwords or their clumsy alternatives (like text authentication or RFID fobs), and so Apple’s acquisition of AuthenTec is pretty significant.
Of course, digital fingerprint readers have been around for years, and they haven’t exactly taken off. One reason is that they’ve been kind of wonky. I remember trying out a fingerprint reading device from a company that misfired and being completely locked out of my computer – twice – while on deadline. That was not a pretty phone call to support. I think I chewed out the CEO on that one.
But that was a few years ago. It’s safe to assume they’ve gotten better, and that Apple’s general wizardry with all things tech will make them better still.
There are other problems with fingerprints and other biometrics that are not so easily solved. Two years ago, an Australian high schooler demonstrated you could fool a fingerprint reader using a Gummy Bear. He made a replica of a friend’s fingerprint using the candy, then successfully applied it to a fingerprint reader. It turns out that gelatin – the primary ingredient in Gummy Bears besides sugar – has the same capacitance as human skin.
Fingerprint readers don’t work the same for all people and all ethnicities (really). The drier your skin tends to be, the less reliable they are. If you’ve cut or burned your finger, the print might not be recognizable.
(According to a FAQ on AuthenTec’s site, it uses “sub-surface” technology to evaluate a fingerprint, presumably to detect heat or a pulse, and would not be fooled by the Gummy Bear trick. It also claims to be unaffected by damage or the amount of oil on the skin.)
Let’s assume Apple (or whoever) solves all these problems. The biggest security problem with biometrics is where the matching information is stored. Somewhere there needs to be a database that matches up your fingerprint (or voice print, facial ID, iris scan, gait analysis, etc) with your name and other personal information. If someone hacks that database, they can theoretically swap someone else’s name or biometric signatures in place of yours – completely bollixing your identity in a way that would be difficult if not impossible to recover from. So biometric data is only as secure as the database in which it is stored.
The other big problem with biometrics is the same one that comes from any kind of data retention: Once your fingerprint is captured, who else has access to it? Will that data remain local, or will it be stored in the cloud? Who’s responsible for it? By giving your thumbprint to your iPad, are you also effectively giving it to Uncle Sam, if he shows up at the manufacturer’s door with a warrant?
In short: Who owns your fingers?