Skip to content

Threat Modeling Against Apple’s TouchID

Screen Shot 2013-09-23 at 6.37.49 AM

InfoSec is usually a sliding bar between usability and security. When you gain one, you lose the other.

4-digit pins are more secure than having no passcode, but they’re more annoying to use. And having no passcode at all is maximally simple, but offers no security.

TouchID

Apple’s TouchID, which just launched on the iPhone 5s looked to do something that isn’t often accomplished, which is to simultaneously improve both ease of use and security.

Compared to having no passcode whatsoever, using TouchID is slightly more complicated–but not much. But compared to using a 4-digit passcode (which is what most people had, if anything), both simplicity and security were improved.

Threat modeling vs. a mobile phone

In order to say “security was improved”, one must ask, “improved against what?” Threats matter. So let’s take a quick look at what the threats are against 99% of mobile phones:

  1. Friends / Acquaintances / Significant Others snooping on your device
  2. Theft of the device by common, opportunist criminals
  3. Targeting of your data by sophisticated attackers (criminals/government/etc.)

Looking at these three categories the point should leap out at you:

TouchID was designed to counter the top two threats (acquaintances and common thieves), not sophisticated criminals. Those in the third threat class are not going to be stopped by either a passcode or a fingerprint because they have other ways of getting that data.

Is it anyone’s honest opinion that when faced with an advanced attacker targeting your data, it’ll be the passcode on your mobile phone that will protect you?

In short, TouchID fails only in the scenarios where it could not possibly succeed, and where there are few good options in any case.

But for the situations it was built for, i.e. keeping the opportunist criminal and the overly curious from accessing your device, it advances the game in both security and simplicity.