Today, Germany’s Chaos Computer Club claims to have hacked the iPhone 5s Touch ID. Since I now get paid to think about Identity stuff all the time, I’ll think out loud about the question: “Is Touch ID a good idea?”
Let’s assume that:
The CCC isn’t lying.
The crack isn’t trivial; you’re going to need some materials, time, and expertise.
Let’s split our question: First, is Touch ID worthwhile? Second, is it better or worse than a four-digit PIN? [BTW, just because banks use four digits doesn’t mean you have to; I use five and know people who use six.]
BTW, I think it’s fair to say that as of today, Touch ID and Android Face Unlock are qualitatively a wash, security-wise.
Is Touch ID Worth Having? · I’d say yes (cautiously). John Gruber points out that pre-Touch-ID, the most popular iPhone lock method was none: swipe and you’re in. If Touch ID changes that, it’s probably worthwhile.
I should note that the CCC disagrees. I’d urge everyone who cares to read their essay on the crack carefully. I quote: “We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.” Well, yeah... if what you’re mostly worried about is a skilled, determined adversary; such as a government official.
So let’s look at scenarios.
Scenario: Your phone is stolen · I’m thinking that Touch ID and a PIN stack up about equal here. First, because most thieves are after the hardware, not the information. Second, because unless you’re really unlucky, you can probably remote-wipe the phone before the bad guys get their act together to replicate the CCC crack.
On the other hand, if you’re James Bond and Goldfinger gets your phone, you’re going to wish you’d done the PIN thing to buy time till you can shoot your way into his HQ.
And if you’re Ed Snowden and the NSA gets your phone, you just know they’re going to put it in a Faraday cage and use better gear than CCC has, so you’re toast either way.
Scenario: You’re arrested · It really depends who arrests you. If it’s the forces of Bashar el-Assad, they’d probably rather torture you for the PIN than do the icky fingerprint-hack work, anyhow.
If it’s the border agents of the US or Great Britain, you have no rights and they can take their time doing the CCC hack, so you’re better off with a PIN. Except that UK law seems to say that if you don’t cough up the PIN, they can throw you in jail for the duration.
If it’s the employees of a reasonably civilized government, chances are they can hold your finger up against the phone accidentally-on-purpose, or alternately use the packaged-for-Law-Enforcement version of the CCC hack, which will probably be shipping by year-end 2013 from major vendors. So you’re probably better off with the PIN. This is assuming they don’t have good reason to think you’ve got kiddie porn on the phone, and that you’ve got a good lawyer who’ll get you out before they wear you down.
You may have noticed that the preceding paragraphs rely on a lot of very situationally-specific assumptions. So, the answer is, it depends on who you are, what you do, and where you go.
Me, I’d stick with my 5-digit PIN for the foreseeable future.