Cheers to Apple for opening up its Touch ID fingerprint reader to developers, which was one of the missing links to realizing the value of the biometric technology.
But Apple is still without one important piece that would position its iPhone as a strong authentication device for secure access to both consumer and enterprise Web applications. A piece that could give users more control over their credentials, get retailers and others out of the password business, and remove personal data from back-end servers, where lately it has been a sitting duck. And it’s a piece the iPhone-rival Samsung Galaxy S5 shipped in April.
That piece? The inclusion of FIDO Alliance protocols, which provide a standard infrastructure for multi-factor authentication and align with an emerging federated identity architecture for the Web. FIDO adoption would allow Apple to come out and play — and authenticate — with the rest of the world’s services, apps and wearables that live beyond the App Store.
The major milestone here for consumers and enterprises would be replacing a collection of usernames/passwords with a more secure alternative, including multi-factor and multi-attribute authentication.
FIDO, short for Fast Identity Online, is an alliance formed in July 2012 to address strong authentication and reduce the use of passwords through a combination of hardware, software, and services.
In general, FIDO gives devices such as smartphones a much more central role in authentication and uses cryptographic methods to pass information to back-end servers so log-in data is neither sent over the wire nor stored on the back-end.
That should sound a bit like the Touch ID plans Apple announced this week, only Apple’s version is walled off in its locked Apple garden. The new Touch ID acts like a password manager, unlocking passwords stored in the system with the “master password” (e.g. fingerprint). This architecture, however, does not mitigate the risk of hackers lifting copies of those passwords that are stored on the service provider’s end.
Apple’s Touch ID architecture also sounds familiar because one of the original FIDO founders is AuthenTec, the biometric vendor that was bought by Apple in 2012 and is the foundation for Touch ID. AuthenTec withdrew from the FIDO Alliance the day Apple agreed to purchase the company.
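As an added illustration (not code from Apple, the FIDO Alliance or this article), the following Node.js sketch shows why a server that holds only a public key has no log-in secret to lose, in contrast to a fingerprint-unlocked password that the service still stores. It is a simplified challenge-response with an assumed P-256 key pair, not the FIDO wire protocol; `createDevice`, `createServer` and `demo` are hypothetical names.

```javascript
// Added illustration: simplified challenge-response, not the FIDO wire protocol.
const crypto = require('node:crypto');

// Device: the private key is created on the handset and never exported.
// The local unlock (e.g. a fingerprint match) is modelled as a boolean.
function createDevice() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign(challenge, userVerified) {
      if (!userVerified) throw new Error('local user verification failed');
      return crypto.sign('sha256', challenge, privateKey);
    },
  };
}

// Service: keeps one public key per account and no password or other secret.
function createServer() {
  const keys = new Map();    // user -> public key (PEM)
  const pending = new Map(); // user -> outstanding single-use challenge
  return {
    register(user, pem) { keys.set(user, pem); },
    challenge(user) {
      const c = crypto.randomBytes(32);
      pending.set(user, c);
      return c;
    },
    verify(user, signature) {
      const c = pending.get(user);
      pending.delete(user); // a challenge is accepted at most once
      const pem = keys.get(user);
      return Boolean(c && pem) && crypto.verify('sha256', c, pem, signature);
    },
    dump() { return JSON.stringify([...keys]); }, // what a breach would expose
  };
}

function demo() {
  const server = createServer();
  const phone = createDevice();
  server.register('alice', phone.publicKeyPem);
  const sig = phone.sign(server.challenge('alice'), true);
  const login = server.verify('alice', sig);
  server.challenge('alice');                  // fresh challenge issued
  const replay = server.verify('alice', sig); // old signature re-sent
  const thief = createDevice();               // holds only what dump() exposes
  const stolen = server.verify('alice', thief.sign(server.challenge('alice'), true));
  return { login, replay, stolen, leaksSecret: /PRIVATE/.test(server.dump()) };
}
```
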
“The guys who built the (AuthenTec) sensors were thinking along these lines,” said Michael Barrett, president of the FIDO Alliance. And that connection gives Barrett confidence that he will one day see Apple in the FIDO fold.
If Apple were to take the FIDO plunge, it would establish its handset as a strong authentication end-point, it could boost security around web-based and enterprise apps, and it would extend those security benefits across all FIDO-enabled applications.
“Obviously Apple has a nice market penetration, but it doesn’t own the handset market and it doesn’t own the mobile market,” said Barrett. “You not only need a local API for applications to know if the device is properly authenticated, but you need a remote API which is exactly what the FIDO protocols are.”
FIDO software installed on a device securely communicates between an authentication mechanism, in this case a fingerprint sensor, and a FIDO-enabled service in the cloud.
In order for FIDO to prosper, web-based services and apps would have to load FIDO on their servers and get end-users (or Apple, Samsung, etc.) to do the same on their devices. Alternatively, Web and mobile developers could build the software into applications.
Samsung users are already there. As are FIDO board-level members including Bank of America, Discover, Google, Microsoft, MasterCard, and Nok Nok Labs along with another 100 engaged members.
FIDO technology is designed to work with Web browsers and Web-based applications. The two FIDO protocols leverage existing device hardware such as TPM chips, Near-Field Communications and One-Time Passwords, along with biometric devices such as fingerprint readers, microphones, and cameras to support multi-factor authentication.
Barrett says what Apple is doing is good for security even just judging by the number of users who now lock their phones with Touch ID. Apple said this week at its Worldwide Developers Conference that 83% of iPhone 5S owners use Touch ID to lock their phones. Before Touch ID, only 49% locked their phones.
“It would be ideal if Apple supported the FIDO protocol,” said Barrett. But he said it doesn’t appear there is anything stopping FIDO members from embedding the Apple Touch ID API into their FIDO client software. That would allow devices to talk both FIDO and Touch ID. Test work among FIDO members is already underway.
“Apple can continue to differentiate with its integration on the phone, with its sensors and its environment, meanwhile FIDO can continue to solve the problem of remote authentication for services in the cloud,” said Barrett.
Given Apple’s history of developing new features, it is quite possible that the iPhone 5S Touch ID was the test case/bug hunt in a small controlled environment, and that the developer API is now a Phase 2 for large-scale QA with an expanded user and application base. A next phase, FIDO adoption perhaps, could be the ultimate goal realized.
“We are in this interesting place,” said Barrett. “It is quite credible that there could be hundreds of millions of FIDO-enabled devices in the market by the end of this year. Authentication in 2015 could look rather different and that is a great thing.”
(Disclosure: my employer is a sponsor-level member of FIDO.)