Apple’s fingerprint reader missing one special touch

Apple’s fingerprint reader missing one special touch

Summary: Is the new Touch ID edition going back to its roots and prepping for a much bigger authentication goal beyond Apple's walled garden?

SHARE:
TOPICS: Security, Apple
8

Cheers to Apple for opening up its Touch ID fingerprint reader to developers, which was one of the missing links to realizing the value of the biometric technology.

But Apple is still without one important piece that would position its iPhone as a strong authentication device for secure access to both consumer and enterprise Web applications. A piece that could give users more control over their credentials, and get retailers and others out of the password business while subtracting personal data out of back-end servers where lately it has been a sitting duck. And it’s a piece the iPhone-rival Samsung Galaxy S5 shipped in April.

That piece? The inclusion of FIDO Alliance protocols, which provide a standard infrastructure for multi-factor authentication and align with an emerging federated identity architecture for the Web. FIDO adoption would allow Apple to come out and play — and authenticate — with the rest of the world’s services, apps and wearables that live beyond the App Store.

The major milestone here for consumers and enterprises would be replacing a collection of usernames/passwords with a more secure alternative, including multi-factor and multi-attribute authentication.

FIDO, short for Fast Identity Online, is an alliance formed in July 2012 to address strong authentication and reduce the use of passwords through a combination of hardware, software, and services.

In general, FIDO gives devices such as smartphones a much more central role in authentication and uses cryptographic methods to pass information to back-end servers so log-in data is neither sent over the wire or stored on the back-end.

That should sound a bit like the Touch ID plans Apple announced this week, only Apple’s version is walled off in its locked Apple garden. The new Touch ID acts like a password manager, unlocking passwords stored in the system with the “master password" (e.g. fingerprint). This architecture, however, does not mitigate the risk of hackers lifting copies of those passwords that are stored on the service-provider’s end.

Apple’s Touch ID architecture also sounds familiar because one of the original FIDO founders is AuthenTec, the biometric vendor was bought by Apple in 2012 and is the foundation for Touch ID. AuthenTec withdrew from the FIDO Alliance the day Apple agreed to purchase the company.

“The guys who built the (AuthenTec) sensors were thinking along these lines,” said Michael Barrett, president of the FIDO Alliance. And that connection gives Barrett confidence that he will one day see Apple in the FIDO fold.

If Apple were to take the FIDO plunge, it would establish its handset as a strong authentication end-point, it could boost security around web-based and enterprise apps, and it would extend those security benefits across all FIDO-enabled applications.

“Obviously Apple has a nice market penetration, but it doesn’t own the handset market and it doesn’t own the mobile market,” said Barrett. “You not only need a local API for applications to know if the device is properly authenticated, but you need a remote API which is exactly what the FIDO protocols are.”

FIDO software installed on a device securely communicates between an authentication mechanism, in this case a fingerprint sensor, and a FIDO-enabled service in the cloud.

In order for FIDO to prosper, web-based services and apps would have to load FIDO on their servers and get end-users (or Apple, Samsung, etc.) to do the same on their devices. Alternatively, Web and mobile developers could build the software into applications.

Samsung users are already there. As are FIDO board-level members including Bank of America, Discover, Google, Microsoft, MasterCard, and Nok Nok Labs along with another 100 engaged members.

FIDO technology is designed to work with Web browsers and Web-based applications. The two FIDO protocols leverage existing device hardware such as TPM chips, Near-Field Communications and One-Time Passwords, along with biometric devices such as fingerprint readers, microphones, and cameras to support multi-factor authentication.

Barrett says what Apple is doing is good for security even just judging by the number of users who now lock their phones with Touch ID. Apple said this week at its Worldwide Developers Conference that 83% of iPhone 5S owners use Touch ID to lock their phones. Previous to Touch ID, only 49% locked their phones.

“It would be ideal if Apple supported the FIDO protocol,” said Barrett. But he said it doesn’t appear there is anything stopping FIDO members from embedding the Apple Touch ID API into their FIDO client software. That would allow devices to talk both FIDO and Touch ID. Test work among FIDO members is already underway.

“Apple can continue to differentiate with its integration on the phone, with its sensors and its environment, meanwhile FIDO can continue to solve the problem of remote authentication for services in the cloud,” said Barrett.

Given Apple’s history of developing new features, it is quite possible that the iPhone 5S Touch ID was the test case/bug hunt in a small controlled environment, and that the developer API is now a Phase 2 for large-scale QA with an expanded user and application base. A next phase, FIDO adoption perhaps, could be the ultimate goal realized. 

“We are in this interesting place,” said Barrett. “It is quite credible that there could be hundreds of millions of FIDO-enabled devices in the market by the end of this year. Authentication in 2015 could look rather different and that is a great thing.”

(Disclosure, my employer is a sponsor-level member of FIDO).

Topics: Security, Apple

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments
Log in or register to join the discussion
  • Is FIDO a dead dog walking?

    Why should Apple validate an alliance they're unlikely to need?

    Samsung may need it to distract from the fact their fingerprint swipe doesn't work very well, Apple and Touch ID will be just fine on their own.
    Englishmole
  • Apple knows better

    Apple is doing exactly the right thing. It's Touch security is so much better than the alternative. And it is making sure that it is fully developed before it rolls out access for 3rd parties.
    The cheap copy that Samsung shipped is exactly that, a pale imitation.
    saoir
  • Does Apple or FIDO care about a Trusted Source?

    How does Apple or FIDO know you are the person that is authorized to access that phone? Or the 3rd party applications (apps) that are accessed through the phone?

    The fingerprint sensor? Well, what if that fingerprint sensor isnt very accurate? What if its spoofable because the technology doesnt use enough data to authenticate the user with a high degree of assurance. Given both Apple and Samsungs fingerprint sensors were spoofed within a day of release, its clear that the "phone" cant know its you putting that finger on the sensor. This, by default, means that the app and related service provider cant know it you.

    Do these people realize that the algorithm driving the fingerprint match can be tuned toward convenience (low accuracy) so as to avoid a poor user experience. If the fingerprint sensor doesnt recognize the true user 25% of the time, that user cant get on the phone via the sensor 25% of the time. If its then tuned to reduce that inaccuracy, it elevates the possibility of an unauthorized access......to the phone and apps.

    The "device centric" model, where the identity associated with the phone is presumed to be trusted if flawed if you cant trust the technology to guarantee its you.

    By associating a "trusted source"...a "root source" of user identity data at user enrollment on the phone and app, both Apple and FIDO would mitigate significant risks associated with a model that relys on less than stellar fingerprint technology.

    As they stand now, they really just pass risk onto the 3rd party service provider, who must specifically choose to TRUST that sensor or phone have not been spoofed.
    JayMMe
  • Arrogance of Apple

    The computer industry is littered with once dominating giants who got too full of themselves. Apple is there right now. The tech industry is going to pass them by and they will be too slow to see it in time to respond. This is simply one more example. Apple pretends as if the rest of the tech world does not exist.
    larsonjs
    • Really? Because when I look around

      I see companies fail because they lost the ability to make things people wanted to buy. Although, in today's economy, that doesn't matter so much anymore. As long as you have the correct political connections.
      baggins_z
  • One exception

    The only exception of Apple's pretending the rest of the tech world does not exist is to sue others!
    larsonjs
  • Reference to NFC

    I saw the description include NFC as a hardware element. Is that optional or mandatory, because I don't think Apple is ever going to do NFC.

    Though had I bet on some Apple nevers, May and June would have been expensive months.
    DannyO_0x98
  • FIDO implementation for Touch ID

    Following on from some of the previous comments. The alternative to the FIDO approach is for Service Providers to do separate integrations to different hardware implementations on a device by device basis. This is not an attractive approach for a Relying Party - full disclosure, I work for a FIDO Alliance member.

    You can find more information on a potential Touch ID/FIDO implementation here:
    https://www.noknok.com/what-they-say/blog/apple-touch-id-app-for-mobile-fingerprint-authentication
    jcowper