Should you disable Touch ID for your own security?

Judges in the U.S. have ordered people to unlock their fingerprint-locked phones. Coercion by others remains an issue.


In my very first column in this Private I series, back in October 2014, I raised the spectre of Touch ID being used against you. Approaching two years later, it’s clear that my and other people’s concerns weren’t idle speculations. A court recently required a convicted felon, immediately following her sentencing, to unlock a phone with her fingerprint.

That’s not the first case, and there are likely to be many more. Back just after I wrote my column, a Virginia court agreed that police could demand a man charged with choking his girlfriend provide his fingerprint to unlock his phone. (He was acquitted months later.)

Thomas Fox-Brewster at Forbes, in writing a few months ago about the job-issued iPhone owned by one of the San Bernardino shooters the FBI was trying to unlock, discussed unlocking phones with fingerprints from criminal records and even dead people using sensor-hacking techniques.

(It seemed that courts had more general agreement that someone couldn’t be ordered to provide a password to unlock a device or an encrypted drive, as it would violate the constitutional protection against self-incrimination. But child pornography cases in 2012, 2013, and a current one had judges ordering decryption. Appeals courts’ opinions have varied, and the Supreme Court hasn’t yet weighed in.)

As opposed to the Department of Justice’s efforts to get Apple to create a custom “GovtOS” that would let the FBI run unlimited passcode-unlocking attempts against an iPhone, these cases seem a lot more straightforward. Someone is charged with a serious crime, potentially from a grand jury (as with the strangulation case), or has already been convicted. Or is…dead.

Changing your behavior or the phone’s

The government’s interest in obtaining information related to the commission of a crime or the intent to commit one would seem to serve a clear, compelling public interest without the unpleasant side effect of worsening privacy for a billion or more people.

Not all governments are just, however, and not everyone who wants you to unlock your phone is a legitimate, legal agent. If you currently use Touch ID and you live in or plan to travel to a country in which the rule of law regarding human rights and personal liberty is on the low end of the scale—or you’re concerned that you could be physically forced to unlock your phone, but you’d never give up your passcode in any case—you can change how your iOS device is locked.

Touch ID can be active and yet disabled for unlocking in a variety of ways:

  • Forty-eight hours after the last time you unlocked your iPhone or iPad with Touch ID or a passcode, Touch ID is disabled until the phone’s passcode or password is entered again. (In some of the cases in which a judge ordered an arrested party or convict to unlock a phone, the timeout had long since occurred.)

  • After an iOS device is powered down and back up or force restarted, Touch ID can’t be used until the passcode is entered. Some people routinely power cycle their phone before bed; others power the phone down if they expect trouble.

  • Touch ID is disabled after five unsuccessful attempts to unlock with a fingerprint. Tapping incorrectly several times, especially with an iPhone 6, 6 Plus, 6s, or 6s Plus, effectively locks the phone, too.
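The three rules above can be read as a small state machine. The following is an added illustration, not Apple's code or anything from the original column: a simplified model that replays a timeline of events and reports how the device responds to each. The event names, the assumption that a successful unlock clears the failed-fingerprint count, and the timeline itself are constructed for the example.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(hours=48)  # article: 48 hours since the last unlock
MAX_BAD_PRINTS = 5                # article: five unsuccessful fingerprint attempts
EVENTS = {"reboot", "passcode", "finger_match", "finger_mismatch"}  # hypothetical names

class TouchIdModel:
    """Simplified model of the three rules listed above."""
    def __init__(self):
        self.needs_passcode = True  # after power-up the passcode comes first
        self.last_unlock = None
        self.bad_prints = 0

    def fingerprint_allowed(self, now):
        if self.needs_passcode or self.last_unlock is None:
            return False
        return now - self.last_unlock < IDLE_LIMIT

    def handle(self, now, event):
        """Apply one event and return what the device does with it."""
        if event not in EVENTS:
            raise ValueError(event)
        if event == "reboot":
            self.__init__()
            return "passcode required"
        if event == "passcode":  # correct passcode entered
            self.needs_passcode, self.bad_prints = False, 0
            self.last_unlock = now
            return "unlocked"
        if not self.fingerprint_allowed(now):
            self.needs_passcode = True  # sensor stays off until the passcode is used
            return "passcode required"
        if event == "finger_match":
            self.bad_prints = 0  # assumption: a success clears the failure count
            self.last_unlock = now
            return "unlocked"
        self.bad_prints += 1  # finger_mismatch
        self.needs_passcode = self.bad_prints >= MAX_BAD_PRINTS
        return "rejected"

def replay(timeline):
    model = TouchIdModel()
    return [model.handle(when, event) for when, event in timeline]

T0, H = datetime(2016, 5, 1, 8, 0), timedelta(hours=1)  # constructed sample timeline
TIMELINE = [
    (T0, "reboot"), (T0 + H, "finger_match"),           # fingerprint refused after boot
    (T0 + 2 * H, "passcode"), (T0 + 3 * H, "finger_match"),
    (T0 + 52 * H, "finger_match"),                      # 49 hours idle: refused
    (T0 + 53 * H, "passcode"),
    *[(T0 + 54 * H, "finger_mismatch")] * 5,            # five bad prints in a row
    (T0 + 54 * H, "finger_match"),                      # right finger, but too late
]
if __name__ == "__main__":
    for (when, event), result in zip(TIMELINE, replay(TIMELINE)):
        print(when, event, "->", result)
```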

Some security experts have suggested Apple and other phone makers could have a “panic fingerprint”: You could set one of your fingers as a lock or wipe option, and no one attempting to force you to unlock the phone would know which finger it is.

If all of this has persuaded you to walk away entirely from Touch ID, it’s critical to remember that numeric codes are now considered relatively easy to break, whether by criminals, forensics firms, security agencies, or police departments.

Instead of a very weak four-digit code, or a strong but still crackable six-digit one, set a long, easy-to-remember password. I now use one that employs multiple words and some simple punctuation. It’s easy for me to remember, and relatively fast for me to enter.

I’m still using Touch ID. The convenience outweighs my concerns as I’m neither an activist nor living in a country in which I’m concerned at the moment about my door being kicked in by national police in the middle of the night. (If you’re a criminal of the generally accepted variety, like a burglar, I recommend making it easy for the police to gain access to your phone.)

But it’s not difficult to modify your behavior or give up on this ostensibly key feature of newer iPhones and iPads if it doesn’t suit your own risk profile or just your level of comfort about how your device could be unlocked.
