22

By not accepting my fingerprints and asking for passcode, how is it more secure? I believe checking fingerprints is a more secure way as compared to entering a passcode.

one
  • FYI Android does the same. – David says Reinstate Monica Oct 12 '16 at 18:41
  • 6
    I would like to add to the other answers that there is a legal reason for the iPhone to require a password in addition to a fingerprint. In the US, the 5th Amendment of the Constitution allows a defendant to decline to procure a password but does not prevent a court from compelling a defendant to provide a fingerprint to unlock a phone. Therefore in a legal sense a password is more secure than a fingerprint. – Reinstate Monica Oct 12 '16 at 20:24
  • 2
    related: http://security.stackexchange.com/q/134392/36633 – David Starkey Oct 12 '16 at 20:50
  • 1
    As a purely UI related comment, I think prompting for semi-regular password entry helps you remember and recall the password. If you only used fingerprints for a long time, and then had (a hand related accident, a reason to talk someone else through unlocking, a feature which required a passcode like the OS upgrade) you might not remember it. – TessellatingHeckler Oct 12 '16 at 22:46
  • Anyone can take the phone and slide your finger across it to unlock it. Say if you're sleeping / arrested. – Andy Oct 13 '16 at 00:00

2 Answers

41

Since iOS 8, full disk encryption is enabled by default and the passcode is used as key (paired with some secret kept in the phone's HSM so offline bruteforcing is not possible, making it relatively secure even with only a numerical code).

For FDE to work we need something consistent as a key. A passcode fits the bill perfectly; it either matches or doesn't. You also do not need to know the code itself to be able to tell if the entry is correct - a one-way hash will still tell you whether the entry was correct while making it extremely difficult to reverse the process and get the code from the hash.

A fingerprint, on the other hand, is never an exact match. It's always fuzzy and there is a tolerance percentage under which the fingerprint is considered matching, otherwise it's not. Since it's never quite consistent, most hashes we use for passwords are out of the way, so you have to keep an entire picture of the fingerprint to be able to tell whether the fingerprint is correct, so if someone gets that data it's trivial to make a fake print based on that, whereas with passwords you'd have to bruteforce the hash before you get the actual password.

This also means a fingerprint can't be used as a key for FDE, because it will always be a little different on each scan, or, if the fingerprint image is kept somewhere unencrypted for comparison before revealing the real FDE key then it's insecure because an attacker could just obtain that real key right away (using hardware attacks, exploits, etc).

This is the reason why a passcode is asked on first boot. It decrypts the data partition and keeps the key cached in RAM, where on subsequent unlocks the partition is already mounted and decrypted, and the lock is purely a software restriction. It would also make sense for the phone to keep fingerprint data on the encrypted partition, which means at boot the phone has nothing to compare your fingerprint against to tell if it's correct or not.

Finally, fingerprints are not more secure than passwords because you leave them on everything you touch.

André Borie
  • 2
    Yup, on startup you can't use the fingerprint to log in because it literally can't. It doesn't have the information to unlock the device. It also requests the pin/password every week and after being left idle for ~24h as an added security feature. This is because in some countries the legal protection against being required to unlock your phone with your fingerprint is different or unclear when compared to being required to unlock it with a pin/password. – Evan Steinbrenner Oct 12 '16 at 19:48
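The contrast drawn in the answer above, as an added example that is not part of the original post: a passcode mixed with a device secret reproduces the same key on every entry and can be checked against a one-way verifier, while a fuzzy fingerprint match needs the raw enrolled template and never yields identical bits. PBKDF2, the bit-vector template model, the tolerance and every constant here are assumptions for illustration, not Apple's actual scheme.

```python
import hashlib
import hmac

# Constructed values for illustration only.
DEVICE_SECRET = bytes(range(32))      # stand-in for the hardware-bound secret
SALT = b"constructed-salt"
ITERATIONS = 100_000

def derive_key(passcode: str) -> bytes:
    """Passcode + device secret -> 256-bit key; same input always gives same key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                               SALT + DEVICE_SECRET, ITERATIONS, dklen=32)

def verifier(key: bytes) -> bytes:
    """One-way value stored on the device; reveals neither passcode nor key."""
    return hmac.new(key, b"passcode-check", hashlib.sha256).digest()

def passcode_ok(entry: str, stored: bytes) -> bool:
    """Exact check: re-derive the key from the entry and compare verifiers."""
    return hmac.compare_digest(verifier(derive_key(entry)), stored)

def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise by flipping the given bit positions."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length feature vectors."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def fingerprint_ok(template: bytes, scan: bytes, tolerance: int = 8) -> bool:
    """Fuzzy match: needs the raw enrolled template, not a hash of it."""
    return hamming(template, scan) <= tolerance

STORED = verifier(derive_key("493027"))                  # constructed passcode
TEMPLATE = hashlib.sha256(b"constructed enrolled print").digest()  # 256 feature bits
SCAN = flip_bits(TEMPLATE, [3, 77, 140, 201])            # same finger, noisy read
OTHER = hashlib.sha256(b"constructed other finger").digest()

if __name__ == "__main__":
    print("right passcode:", passcode_ok("493027", STORED))
    print("wrong passcode:", passcode_ok("493028", STORED))
    print("noisy scan accepted:", fingerprint_ok(TEMPLATE, SCAN))
    print("other finger accepted:", fingerprint_ok(TEMPLATE, OTHER))
    print("scan hashes like template:",
          hashlib.sha256(SCAN).digest() == hashlib.sha256(TEMPLATE).digest())
```

The noisy scan passes the tolerance check yet hashes to a completely different value, which is why it cannot stand in for the passcode as key material.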
22

@AndréBorie gives the correct technical reason why a passcode is required for full disk encryption.

I want to dispel the myth that fingerprint is more secure than passcode. This is a dangerous - yet surprisingly common - misconception. If your goal is to prevent your kid sister from getting into your phone, or you want to increase your security a bit without too much inconvenience, then sure, use fingerprint, but let's not pretend that it gives you any real security. Reasons:

  1. You don't go around leaving copies of your password on everything you touch. Experienced iPhone hackers can lift your print off something (like the screen of your device) and get into your phone using only a dental mold, some play-dough, and about 5 minutes of trial and error. Some hackers have even demonstrated this using a hi-res photo of a politician's hand taken at a press-conference. [source]

  2. When your password gets cracked or compromised, you can change it. You can use a different password for every account or device. Fingerprint, not so much.


Sources: here are the first 4 hits when I google "iphone fingerprint hack"

Mike Ounsworth
  • 2
    This is the scariest deal. I got to find out first hand when my cousin (10 y/o at the time) with her science fair project ("how fingerprints are unique"), was able to get in. Them youngins these days learn very quickly, but it just goes to show that anyone can follow basic instructions and get into your device. –  Oct 12 '16 at 20:32