Ex-GCHQ boss: Hey, UK.gov, have you heard how crap iPhone biometrics are?

If you're an ex-GCHQ spook, it seems the BBC will leap to attention when you've words of wisdom to impart about mobile security. Dear old Auntie Beeb has reported that former GCHQ boss Sir John Adye doesn’t trust the biometric security in the iPhone 6. As a story it’s got everything: top spy chief with a knighthood, mistrust …

  1. Anonymous Coward

    A fingerprint is just a pattern, if you reproduce the pattern then you can fool it. If anything I'd say Apple's solution is more a case of weaker security but higher convenience.

    I'd sooner use a password/pin stored in the most securely encrypted device, the brain. I don't think anyone has produced a mind reader yet have they?

    1. Anonymous Coward

      Except when someone (quite easily) sees you enter your 4 digit pin or many people do not set one at all. So for most, normal users the biometrics on an iPhone are far greater security.

    2. Anonymous Coward

      Just a pattern?

      Hmm. Sort of, though I gather better versions do things to try and make sure it is a living source, go slightly deeper than just the skin surface etc. Or can you demonstrate a good photocopy of your finger unlocking a Samsung or iPhone successfully?

      However, even if it were "just a pattern", getting a copy good enough to make a simulation is not totally straightforward and, the real point, it is rather more likely to be used, by the ordinary man in the street, than a number that one can all too easily forget and is probably common to all your credit and debit cards. Most of us admit to limits on our ability to recall lots of numbers accurately, quickly, relevantly. It is also relatively easy to see what is being typed or, on a touch screen work it out later. Rather a lot of people write the number down and "hide" it somewhere in their wallet or handbag.

      The brain, it seems to me, is susceptible to forgetfulness, confusion and idleness.

      I note that another contributor talks of 4 digit numbers. Here, we use six or even eight. I do notice that, in sunny GB, it's pot luck whether or not the card readers can handle the full number. Most of those that can not will accept just the first 4 digits. That seems really secure.

      1. Vic

        Re: Just a pattern?

        "getting a copy good enough to make a simulation is not totally straightforward"

        Not as tricky as you might think

        ISTR reports of them using it to fool sensors, but you can google that for yourselves...

        Vic.

  2. Steve Davies 3 Silver badge

    Naturally

    What is, however, missing from the debate is what is necessary to provide secure, inclusive technology

    If he told you, he'd have to kill you.

  3. Rikkeh
    Thumb Down

    Can't change them.

    Another unavoidable issue with biometrics is that you can't change them.

    If someone's got your thumb print (or any other biometric) and a reliable way of spoofing it, what are you supposed to do? You can't change it like your credit card number or PIN, so you're left with amputation or struggling with one of your other digits (where that's something you're allowed to do).

    (My icon: Thumb down, pressing on the keypad at US border control and hoping that it picks up a finger print this time)

    1. ItsNotMe

      Re: Can't change them.

      "Another unavoidable issue with biometrics is that you can't change them."

      Well...most folks carry around 10 digits on the ends of their arms...so getting into the habit of switching which one is being used at any given moment could provide an added measure of security...but I suspect that most people wouldn't want to bother to do that.

  4. Hoe

    Inconvenient and cumbersome?!

    "Usage of PIN-locks on devices is woefully low not because people aren’t interested in securing their data but because the technology is inconvenient and cumbersome."

    I think you mean people are feking lazy!?

  5. Anonymous Coward
    Coat

    Crypto-lock idea:

    The pass-code is generated from an EEG of a happy thought.

    - Very difficult to give up the key when subjected to polite police / MI6 / DHS curiosity or robbery.

    - Social media sites and forums would see a drop in whinging, improving the world's general mood.

    - Very inclusive of most people able to operate phones, except the depressed, but you can't please everyone.

    1. Anonymous Coward

      Re: Crypto-lock idea:

      If your idea were possible, you'd only want to use it for the biggest state secrets around, not for your phone. I really don't want to be in a position where it would be impossible for me to unlock my phone so the criminal doesn't pull the trigger or the spooks don't bring out the rubber hoses.

      1. Anonymous Coward

        Re: Crypto-lock idea:

        But that's the real trick, if they want to unlock your code they'll need to take you to your happy place.

        Still doesn't rule out rubber hoses though...

  6. 100113.1537

    But biometrics are much better than nothing

    Let's face it, most of us don't use pin code locks on our 'phones because it is very to keep putting them in every time we need to look at the damn thing (5-10 times an hour?). OK, so we are 'too fecking lazy', but that doesn't alter the fact that it would be good to have something simpler and easier.

    Now fingerprint readers are a quick easy way for MOST of us to unlock a 'phone and while I would not store state secrets with just this, how many people who handle stolen phones are going to have the capacity to copy/spoof the fingerprint reader? We don't all have state secrets on our 'phones and a fingerprint reader to unlock them makes more sense than nothing.

  7. Anonymous Coward
    Devil

    Other methods

    You have a camera on your phone then why not Retina scan or Facial recognition?

    I prefer implanting all of you with a RFID chip, or burning a PDF417 code on your forehead - we have to know who you are you see

    1. Expectingtheworst

      Re: Other methods

      Mmm, losing a finger(s) or an eye.

      I will have to think about that!

    2. Kaffers

      Re: Other methods

      Facial recognition (2D) became obsolete when you could look most people up on social media sites and obtain a picture of their face. How can recognition of a person's face be unique for security when they share it with everyone?

  8. Anonymous Coward

    Why have they not done this?

    Biometrics: Check

    PINs: Check

    Biometric + PIN: WRU??

    For those who wish to be more secure, a combination of both would be a great option.

    Neither one is absolute. (Phone Biometrics are laughable at best) Having the option to use a PIN, Biometric, or both, seems to be a decent "halfway" point until the biometric technology improves. Even afterwards, it provides an additional layer of security for those who may want it.

    This combines two factors of authentication: "Who you are" and "What you know."

    It maintains Biometrics for those who want the ease of access.

    It maintains PINs for those who don't feel Biometrics are secure enough.

    It would then allow the combination of both, if you want to be even more secure. Not only two factors of authentication, but one unique to you (biometrics) and one which can be changed when desired (PIN).

    Yeah, the current generation of "mass public" readers are woefully insecure. It is better than nothing (unless you are under the impression that you are completely safe using it). Allowing the combination of both (AT THE SAME TIME), provides the security of both. As biometrics become more reliable, you can still have that added security layer of the PIN.

    I don't know.... I just don't understand why this isn't an option (at least it is not with iOS 8.x)

  9. Anonymous Coward

    hmmm

    I heard it's statistically 10 times more likely that an iPhone terrorist user will be hit with a missile

    (we knew Obama was the last one holding the phone)

  10. Anonymous Coward

    not so fast

    my young son cracked the iPhone in a matter of hours. how? he figured he would press it against my finger while I slept. total hacker, and it worked!
