When Apple announced that the forthcoming iPhone 5S would have a fingerprint unlock mechanism, cynics were, to say the least, skeptical about the security implications. Apple is now on a PR offensive to reassure potential users.
In a statement to the Wall Street Journal, Apple reiterated that at no point does the device store an image of the fingerprint itself, and that no image is sent to any remote server.
Instead the scanner immediately converts the view of the fingerprint into a set of identification data — in other words, a bunch of 0s and 1s. This data is encrypted and stored directly inside the phone’s processor. Apple goes as far as to call the storage location a “secure enclave.”
The identification data never leaves the phone, nor is it copied. Apple also says that even if somebody were able to get access to the chip and decrypt the data, they wouldn’t be able to use it to recreate the fingerprint itself.
The set-up means only the sensor itself is able to access the identification information. There’s no access by other Apple software or by third-party apps.
Although the general comments Apple has made suggest the answer is no, the company hasn’t answered specific questions on whether the National Security Agency has any access to the identification data.
Apple has also noted an added layer of protection. Users must still create a passcode (similar to that used on existing models) when they set up the fingerprint recognition. If the phone is rebooted or hasn’t been unlocked for at least 48 hours, the user must use the passcode instead of a fingerprint.
The downside there is that, unlike with a normal phone, you won’t be typing that passcode regularly. That means that if after a few months you either reboot the phone or don’t use it for a couple of days (for example if you go on a lengthy break and forget to take a charger), you may be stuck trying to remember a code you created some time ago.
Apple has also noted that although the fingerprint scanner is far more reliable and accurate than the ones used on some previous devices, it may still struggle if your finger is sweaty or you’ve used a lotion. It might also not work if you have a scar on a finger, though you can use any finger as the identification, so that’s only an issue if you get the scar after setting up the phone.