Of course it was just a matter of time before Apple’s fingerprint reader was hacked. It’s just impressive that the Chaos Computer Club did it quite so quickly. And it’s a great reminder that using fingerprints as an authentication mechanism is simply a bad idea, especially in the enterprise.
In the words of the club’s spokesman, “We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.”
Exactly. Do-it-yourself fake fingerprint creation has been possible using gelatin since at least 2003, with Play-Doh improvements made in 2005 and glue enhancements later than that.
Why on Earth would we think that fingerprints are a good authentication mechanism?
The counterargument is that the fingerprint is just a part of a two-factor authentication, and it’s better to have that than only a 4-digit code. I agree with that strategy, but it can also give users a false sense of security — fingerprints are either hackable or they’re not. And fingerprints are hackable.