I'm sad it seems most likely the 5S will be fingerprint OR pin/passphrase to unlock. I can imagine situations at borders or in interactions with police where compelling a fingerprint swipe is physically easier than compelling a passphrase entry, and I think it is also legally easier to compel later.
The ideal would be a 4-8 digit numeric PIN with strong "10 tries and it dies" plus fingerprint, and as a backup, a full length desktop-style passphrase (iCloud passphrase). And maybe some kind of "only works on pre-authorized devices" enrollment system requiring the passphrase to generate local keys, too.
OK everyone, walk back from that ledge. Someone with the resources and motivation to drug/kidnap/kill/amputate to get access to a biometric scan is going to be well-equipped just to steal the device and read the flash out via JTAG.
Screen locks do not provide meaningful security vs. a determined attacker, and never will no matter what the unlock mechanism is. Unless you encrypt all storage with a strong password (not a 6-digit PIN) and a good PBKDF, all you get from this stuff is protection against casual snooping.
Or it's just the cops, and unlike a password or pin or pattern, they can actually physically force your authentication out of you with a single finger press.
Theoretically you can do some liveness checks (work better on retina/iris than on fingerprint), but basically everything related to fingerprints is easy to forge outright, let alone making a dead man's finger appear live.
Every time fingerprint scanners are mentioned, people start talking about cutting off fingers. Guess what: the people making the scanners have considered this scenario. All of their clients have nagged them about it continuously for decades. It's fun to talk about, but it won't work.
I want to be able to set, at my option:
1) PIN-only
2) FPR + PIN (where you must use iCloud to get in if your FPR doesn't read)
3) for morons, FPR only.
I currently use a much stronger than 4 digit numeric PIN, but it is honestly a pain. If I could set both the FPR and PIN as required to get in, I could use a shorter PIN. If I'm allowed to bypass the FPR entirely, the PIN has to remain as strong as it is now.
(What I'd also like is something better than hardcoded timeouts for requiring the PIN. Like "require FPR every single time you unlock, require PIN+FPR if it has been <30 minutes or <120 minutes but no movement on accelerometer OR connected in my car, require FPR+icloud passphrase otherwise". Fully configurable by the user.)
His tweet doesn't confirm or reject your #2 (just that PIN is available as an option), so just relax and wait to see. I mean, I doubt they'd implement FPR + PIN like you want ('cause it seems a minority wish?), but it's still possible.
"Only for morons" is way harsher than I'd put it, but fundamentally it's a difficult-to-inspect security system that's based on a potentially vague analog signal.
In the security world, things which are novel are not to be trusted. The security of a system is measured in how many serious researchers have attacked it, and to what degree they succeeded.
I expect that there are solid biometric security standards that have been subject of serious analysis and attack. If it turns out that Apple's implementation uses one of these standard and tested solutions then I think I'd trust it in place of a PIN. In the absence of that evidence, the Properly Paranoid position is the skeptical one.
A quote from Babbage in 1864 is apropos: "One of the most singular characteristics of the art of deciphering is the strong conviction possessed by every person, even moderately acquainted with it, that he is able to construct a cipher which nobody else can decipher."
Because compelling someone to give you a fingerprint is pretty easy, and could be done trivially at a border, or incident to arrest or detention, or by anyone willing to use a modicum of physical force.
Plus, since liveness checks are weak, anyone with access to anything containing your prints. I suspect at the next Defcon there will be a fun challenge to defeat it given a print lifted from a glass using $5 in supplies in 30 minutes. And then at the Defcon after that, the same contest will be in the children's area.
Imagine someone knocks you out and takes your phone. Use finger (possibly still attached) to authenticate. Profit.
So not really a good idea.
I'd rather have the option of unlocking the phone via PIN, then have the option of sending a FPR hash to a site of my choice. Speaking of which, I wonder if they salt or provide some other way of sending unique hashes to different web sites, or is this now the equivalent of using a fingerprint as the same password for all sites?
Which is worse, since you can't really get a new finger (well, you get 19 more resets including toes) since your print is somehow compromised (website leak, etc.)
I read a liveblog of the presentation, and they only mentioned using it to unlock the phone and to purchase from the iTunes store. I don't think it's usable for random websites.