Apple Inc.'s inclusion of the Touch ID fingerprint scanner in the recently announced iPhone 5s is, in many respects,...
"We have seen many laptop vendors try to use fingerprinting as a way to protect information stored on their mobile systems," noted Dan Blum, principal consultant and chief security architect at Respect Network.
However, such efforts have largely failed to gain much traction, and the question in security circles is whether Apple's somewhat different approach -- foregrounding device access rather than broader system access control -- will change the game. "Most biometric systems have been designed to prevent unauthorized individuals from accessing sensitive information rather than providing users with simple access to their own information," stated C. Maxine Most, principal at Louisville, Colo.-based Acuity Market Intelligence, a biometric market research firm.
Most added that AuthenTec, a startup biometric company Apple purchased in 2012 for $356 million, was trying to build a user-centric fingerprinting system. That focus, along with Apple's previous product successes, generated significant buzz. "Apple is great at designing user interfaces, which have been a significant limitation with many biometric systems," Most said.
If Apple delivers a biometric system that is easy to use, employees will embrace it, and enterprise security managers may sleep more soundly at night. Ever since smartphones became cool with the release of the first iPhone, security teams have struggled to balance employees' desire to use the devices for work with executive mandates to ensure corporate data is secure.
Companies put policies in place to safeguard information, but employees often ignore them. They will only rely on a security system that is simple to operate and does not make more work for them. Theoretically, that may be the case with Touch ID. "The early reviews are that the Apple system is intuitive," said Respect Network's Blum.
If employees adopt it, enterprises can rely less on common security checks, like the iPhone's default four-number password system, which can be more easily broken. Consequently, corporate data would be better protected, at least in theory. "Apple hasn't provided many details about how its biometric system will operate," said Joe Schumacher, security consultant at Chicago-based consulting house Neohapsis Labs.
By itself, Touch ID is of no use to enterprises. "Biometrics is an identification system, not an authorization system," stated Gene Meltser, technical director of Neohapsis Labs.
Once the user is identified, authentication becomes possible only if the biometric system is tied into other security applications. "As of now, Apple has not announced any APIs [application programming interfaces] that third parties can use to connect their biometrics information to other applications," Blum said. "There also hasn't been any third-party support for the system."
The lack of hardware and software ecosystems has been another reason why biometrics has been slow to take hold. Currently, these systems are based largely on proprietary technology, which makes it difficult for third parties to support and businesses to integrate into their security systems.
Apple's entry may not change that equation. To date, the vendor has been an outlier from the technology mainstream, where vendors have increasingly been adopting open, standards-based solutions. "Apple has kept its iTunes and other systems closed and held a tight grip on add-on development," Neohapsis Labs' Meltser noted.
Apple has said nothing definitive on the API front, but the initial signals are that it will again retain a great deal of control. "I don't think Apple wants to open up much of its scanning system because it is afraid new security holes will emerge," Schumacher said.
Standards-based approaches could come from a couple of other sources. "Google has been working on a biometric system," Blum said. Unlike Apple, the company has been open with the design of its operating system.
In addition, vendors are trying to develop standard authentication solutions. Formed in July 2012, the Fast Identity Online (FIDO) Alliance has been working to develop security standards for non-password systems, such as biometrics and security tokens. Apple is not a member, but FIDO membership has swelled to about 40 companies, including Blackberry Inc., Google, LG and PayPal.
In the near term, Apple has turned chief security officers' attention toward biometrics. Whether it alone delivers a system to open up the marketplace is unclear; however, there seems to be enough interest in the technology that it may take root with or without Apple taking the lead. "In 18 months, I expect that businesses will have better mobile biometric solutions at their disposal," Most predicted. And security managers will have Apple to thank for -- at the very least -- getting that ball rolling.
About the author:
Paul Korzeniowski is a freelance writer specializing in security issues. He has been covering technology for more than two decades, is based in Sudbury, Mass., and can be reached at firstname.lastname@example.org.