How secure are smartphone fingerprint readers?

NatWest and the Royal Bank of Scotland are allowing customers to access their bank accounts online using fingerprint recognition rather than a password.

From tomorrow, customers with an iPhone 5s, iPhone 6 and iPhone 6 Plus will be able to access their bank account online using Apple's Touch ID fingerprint sensor.

But how safe is the technology?

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

Since it was introduced two years ago, it has "proven to be one of the best fingerprint scanning implementations available", says The Guardian.

The detection ring, built into the home button, already features on the latest Apple iPhones and iPads, enabling users to unlock their devices and verify iTunes and App Store purchases using their finger or thumb. Other third-party apps, such as Evernote and Dropbox, have also adopted the technology.

Yet, when it first launched on the iPhone 5s in 2013, it took a biometrics hacking team from Germany's Chaos Computer Club just a day to bypass the security by replicating a fingerprint left on a glass surface.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," stated the group. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

Ben Schlabs, from the German hacking think tank SRLabs, said the security implications for the new banking apps are the same. "It is just as dangerous," he told the BBC.

Nevertheless, Schlabs admitted he did not know of any actual crimes being enabled by the Apple's Touch ID fingerprint sensor.

Even Marc Rogers, principal security researcher at Lookout, who also hacked Touch ID, says he still thinks it is "awesome" technology. Exploiting the sensor's flaws relies on a "combination of skills, existing academic research and the patience of a crime scene technician", he says, suggesting it is so complicated that most criminals wouldn't bother.

Rogers does, however, suggest that Apple introduce two-factor authentication, such as a fingerprint and a password.

But it appears that RBS and NatWest – who are introducing the technology specifically to make digital banking "even easier and more convenient" – might be reluctant to set further security hurdles for their customers.