HT204587: About Touch ID security on iPhone and iPad

jmillernj

Q: Security when using fingerprint to login on a public wireless network

When using the iPhone 6 fingerprint sensor to log in on a public wireless network, can a network hacker intercept and replicate the fingerprint login credentials?

Posted on Jan 8, 2016 8:46 PM

  • by sberman, Helpful

    Jan 9, 2016 6:42 AM in response to jmillernj
    Level 8 (40,195 points)

    No.

    See the "Secure Enclave" section of the article you attached above.

  • by jmillernj, Helpful

    Jan 9, 2016 6:53 AM in response to sberman
    Level 1 (0 points)

    Thanks for the response. However, unless the encryption key is dynamic and changes each time the fingerprint is used, it won't be secure. So, is the fingerprint encoded differently on each use?

  • by Michael Black

    Jan 9, 2016 7:26 AM in response to jmillernj
    Level 7 (24,763 points)

    I don't think you've read and understood how the fingerprint sensor actually works. The fingerprint sensor communicates with the encryption chip and firmware in the device only. It never transmits anything anywhere.

    When using the fingerprint sensor with third-party apps, all the fingerprint sensor does is act as a device proxy to release and use your passcode stored in the encrypted data with the app or service. It saves you having to type your passcode in the app or service login, but the fingerprint itself is only used locally on the device to authenticate the user for permission to use the security settings of the app.

    So your fingerprint data is NOT what is ultimately authenticating with the app or service. That part is still handled by whatever password or token the app or system normally uses. All your fingerprint does is authenticate you with the device to release the app or service to continue and authenticate its connection. The fingerprint functions as a local device security proxy for those apps and services - it does not replace their original security method or model.

  • by jmillernj

    Jan 10, 2016 1:13 PM in response to Michael Black
    Level 1 (0 points)

    Michael

    Thanks for the explanation. However, I think the question I was really trying to ask is "am I any more secure on a public wifi with the fingerprint vs just typing in a password". I think the answer is NO - that both methods leave me more exposed to getting hacked as compared to logging in from my private wifi w/WPA2.

  • by Michael Black

    Jan 10, 2016 1:45 PM in response to jmillernj
    Level 7 (24,763 points)

    jmillernj wrote:

        Michael

        Thanks for the explanation. However, I think the question I was really trying to ask is "am I any more secure on a public wifi with the fingerprint vs just typing in a password". I think the answer is NO - that both methods leave me more exposed to getting hacked as compared to logging in from my private wifi w/WPA2.

    Well, sure, any public wifi will typically be less secure than your own personal and locked down and secured wifi node that you yourself have physical control over.

  • by Lawrence Finch

    Jan 10, 2016 2:01 PM in response to jmillernj
    Level 8 (38,076 points)
    Mac OS X

    jmillernj wrote:

        Michael

        Thanks for the explanation. However, I think the question I was really trying to ask is "am I any more secure on a public wifi with the fingerprint vs just typing in a password". I think the answer is NO - that both methods leave me more exposed to getting hacked as compared to logging in from my private wifi w/WPA2.

    If you log in to a TLS-protected web site (https://), your access will be secure, even over an open network. Apple requires all apps that access Internet services to use TLS encryption, so apps that use either passwords or fingerprints to unlock the app will also be secure. Thus, neither method leaves you exposed to getting hacked.
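
The flow the replies above describe (a local Touch ID match releases a stored app credential, and only that credential travels to the service over TLS) looks like this with the iOS Keychain and LocalAuthentication APIs. This is an added example, not part of the original thread and not Apple's code; the service name, account name and login URL are hypothetical, and `.biometryCurrentSet` is the current name of the flag that was `.touchIDCurrentSet` when the thread was written.

```swift
import Foundation
import LocalAuthentication
import Security

enum KeychainError: Error { case accessControl, status(OSStatus), badData }

// Hypothetical identifiers used only for this example.
let baseQuery: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                kSecAttrService as String: "com.example.demo",
                                kSecAttrAccount as String: "demo-user"]

/// Store an app credential so the Keychain releases it only after a local biometric match.
func storeCredential(_ secret: String) throws {
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, nil)
    else { throw KeychainError.accessControl }
    SecItemDelete(baseQuery as CFDictionary)          // replace any earlier copy
    var item = baseQuery
    item[kSecAttrAccessControl as String] = access    // ties release to the enrolled fingerprints
    item[kSecValueData as String] = Data(secret.utf8)
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Read the credential back. The system shows the Touch ID prompt; the app receives
/// either the stored secret or an error status, never any fingerprint data.
/// Call this off the main thread, because it blocks while the prompt is on screen.
func releaseCredential(reason: String) throws -> String {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let data = result as? Data, let secret = String(data: data, encoding: .utf8)
    else { throw KeychainError.badData }
    return secret
}

/// Only the released credential goes on the network, and it goes inside TLS (https).
func loginRequest(secret: String) -> URLRequest {
    var request = URLRequest(url: URL(string: "https://api.example.com/login")!)
    request.httpMethod = "POST"
    request.setValue("Bearer \(secret)", forHTTPHeaderField: "Authorization")
    return request
}
```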