That's what the Chaos Computer Club did. After digitizing and enhancing a latent fingerprint, the group printed it out on a transparency and created a mold using wood glue. A 2008 episode of "MythBusters" described a similar method. In other words, it takes some skill, and you have to be highly motivated.
But the larger point is that fingerprint readers, without another authentication factor, are really more about convenience than strong authentication.
People don't like entering passwords, PINs, or really anything else that slows them down for one second. In the near future, I suspect the pervasive authentication scheme will be something that allows immediate access when the legitimate user interfaces with the device. I'm not sure if it will be voice recognition, DNA comparison, or what, but hopefully one day, we will make strong authentication easy and less cumbersome. Until then, we have to live with what we have.
A short PIN, backed by a lockout or device wipe after too many failed attempts, is more secure than a fingerprint alone. A fingerprint reader is unlikely to enforce such a lockout or wipe because fingerprint readers are also notorious for false-negative readings, so legitimate users would keep tripping it.
For security purposes, all biometric readers should always be paired with another authentication factor, like a short PIN, and should reject a biometric sample that is identical to the previously accepted one (a live finger does not produce the bit-identical scan twice, so an exact repeat signals a replayed capture). If you add those two requirements, I can at least accept biometrics as a stronger authentication factor.
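The two requirements above, a PIN whose failed attempts drive lockout and wipe, and a biometric factor that tolerates false negatives, rejects an exact repeat of the last accepted sample, and still demands the PIN, can be modelled in a few dozen lines. The following is an added example written for this page, not code from the article's author or from any real device: the "matcher" is a toy Hamming-distance comparison on a constructed 16-byte template, the PIN, the thresholds and the attempt limits are all constructed values, and a real device would bind the PIN verifier to hardware and rate-limit it rather than hash it with plain SHA-256.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Policy constants (constructed for this example, not taken from any real device).
PIN_LOCKOUT_AFTER = 5    # consecutive failed PIN attempts before a temporary lockout
PIN_WIPE_AFTER = 10      # cumulative failed PIN attempts before the device wipes itself
MATCH_THRESHOLD = 8      # max differing bits for the toy biometric matcher to accept


@dataclass
class Device:
    pin_hash: bytes                                # SHA-256 verifier for the PIN
    enrolled_template: bytes                       # stored biometric template (toy bit string)
    failed_pin_attempts: int = 0
    locked: bool = False
    wiped: bool = False
    last_biometric_sample: Optional[bytes] = None  # last sample that matched


def hash_pin(pin: bytes) -> bytes:
    # Unsalted SHA-256 keeps the example short; a real device would use a
    # hardware-bound, rate-limited key derivation instead.
    return hashlib.sha256(pin).digest()


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits; the toy stand-in for a minutiae matcher."""
    if len(a) != len(b):
        return 8 * max(len(a), len(b))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify_pin(dev: Device, pin: bytes) -> str:
    """PIN factor: every wrong guess counts, and the counter drives lockout and wipe."""
    if dev.wiped:
        return "wiped"
    if dev.locked:
        return "locked"
    if hmac.compare_digest(hash_pin(pin), dev.pin_hash):
        dev.failed_pin_attempts = 0
        return "ok"
    dev.failed_pin_attempts += 1
    if dev.failed_pin_attempts >= PIN_WIPE_AFTER:
        dev.wiped = True
        return "wiped"
    if dev.failed_pin_attempts % PIN_LOCKOUT_AFTER == 0:
        dev.locked = True
    return "wrong"


def cooldown_elapsed(dev: Device) -> None:
    """Lockout is temporary: clear it once the cooling-off period has passed."""
    dev.locked = False


def verify_biometric(dev: Device, sample: bytes, pin: Optional[bytes]) -> str:
    """Biometric factor: a mismatch is NOT counted toward lockout (false negatives
    are routine), an exact repeat of the last accepted sample is refused, and a
    match on its own is never enough: the PIN is still required."""
    if dev.wiped:
        return "wiped"
    if dev.last_biometric_sample is not None and sample == dev.last_biometric_sample:
        return "replay rejected"          # a live finger never yields the identical scan twice
    if hamming(sample, dev.enrolled_template) > MATCH_THRESHOLD:
        return "no match"
    dev.last_biometric_sample = sample
    if pin is None:
        return "second factor required"
    return verify_pin(dev, pin)


def failed_pin_sequence(dev: Device, guesses: List[bytes]) -> List[str]:
    """Feed wrong PINs, clearing a lockout once it is reported, and return each
    outcome so the escalation from lockout to wipe is visible."""
    results = []
    for g in guesses:
        r = verify_pin(dev, g)
        results.append(r)
        if r == "locked":
            cooldown_elapsed(dev)
    return results


# Constructed sample data for the demo.
PIN = b"4921"
ENROLLED = bytes(range(16))


def flip_bit(data: bytes, bit: int) -> bytes:
    """A genuine re-scan differs from the template in a few bits."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def make_device() -> Device:
    return Device(pin_hash=hash_pin(PIN), enrolled_template=ENROLLED)


def demo() -> List[str]:
    dev = make_device()
    scan1 = flip_bit(ENROLLED, 3)                  # first live scan of the enrolled finger
    scan2 = flip_bit(ENROLLED, 70)                 # a later live scan, slightly different
    impostor = bytes(b ^ 0xFF for b in ENROLLED)   # a different finger entirely
    return [
        verify_biometric(dev, scan1, None),        # matching finger, no PIN
        verify_biometric(dev, scan1, PIN),         # bit-identical scan again -> replay
        verify_biometric(dev, scan2, PIN),         # fresh scan plus PIN
        verify_biometric(dev, impostor, PIN),      # wrong finger: no lockout counted
        str(dev.failed_pin_attempts),              # still 0 after the biometric miss
    ]


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the asymmetry the text describes: biometric misses never advance the lockout counter, because they are expected from legitimate users, so the only counter that can ever trigger a wipe is the PIN's. That is exactly why the PIN must remain mandatory alongside the scan.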
There are two other caveats to remember around biometric IDs. First: What do you do if your biometric identity is compromised? For example, suppose someone steals your fingerprint using the Chaos Computer Club's method and uses it to log on as you. What are you supposed to do now? How do you repudiate your valid fingerprint? One answer is to use another finger, unless the bad guys get all your fingerprints. Another obvious answer is to turn off the biometric identity and use something else more secure, like your PIN -- or require a PIN along with the biometric verifier.
Last but not least, remember that most successful exploits don't care whether you logged on using a PIN, password, or biometric identity. That's because they hit you and your computer after you've successfully authenticated. (Think Trojan horse program or computer virus.) Many attacks don't care if you've logged on. (Think remote buffer overflow.)
If biometric identities were really the answer to putting down computer crime, we would have long ago all implemented whatever worked. We'd all have fingerprint readers by now. But biometric identities solve just a little bit of the problem and come with their own issues.
This story, "Why hacking the iPhone 5s fingerprint reader is no big deal," was originally published at InfoWorld.com.