My finger is my identity
But even this kind of two-factor authentication has a major flaw: There's still no guarantee that the person in possession of the phone is the rightful user. iPhones get stolen all the time, and an iPhone not protected by a passcode is a treasure trove to the thief--especially if it contains passwords for other services.
Enter biometric signatures, such as fingerprints. Rather than being something the user owns, these factors establish something the user is. A website or app that requires a user to provide all three types of factors in order to log in successfully provides strong protection against fraudulent attempts at user impersonation: Even if thieves managed to steal a handset that is completely unprotected and readily surrenders the user's passwords, they would still presumably be unable to complete the necessary authetication in the absence of the victim's fingerprints.
Biometric authentication could be used to "pair" a device with its owner in such a way that the device could be unlocked only when the right finger touched the scanner's sensor. This requirement could put a dent in the market for stolen iPhones, which has helped make handset theft a major crime of opportunity in many metropolitan areas.
Safety and privacy
Benefits aside, adding biometric capabilities to the iPhone would raise a number of privacy concerns--chief among them how Apple would keep a database of user fingerprints safe from prying eyes.
Luckily, most current biometric scanners reduce the individual features of a fingerprint to a digital signature calculated by using a one-way algorithm. As a result they don't store or transmit the prints in photographic form, and a person in possession f the digital signature can't reverse-engineer the characteristics of a particular finger from that signature.
Thus, Apple could easily establish a database of fingerprints without storing the fingerprints themselves; and by encrypting them in a unique way before passing them along to app developers (with the user's consent, of course), the company could further protect the privacy of its users by ensuring that a fingerprint signature obtained by a particular developer or website couldn't be stolen and reused with a different service.
Of more practical concern is whether thieves will find ways to extract serviceable fingerprints from their victims. After all, the hosts of the popular reality show MythBusters were famously able to defeat a biometric lock using nothing more than a photocopy of the victim's fingerprint lifted from a CD. Other hacks have involved using a piece of gummy candy to duplicate a fingerprint.
And since the presence of the entire user isn't necessary to scan a print, some people worry that criminals might separate users of the new iPhone from their appendages in order to defeat the fingerprint authentication requirement.
Sign up for Computerworld eNewsletters.