Apple's Touch ID doesn't match enterprise security's fingerprint

Apple's Touch ID doesn't match enterprise security's fingerprint

Summary: Limited uses, no access for developers among limiting factors for enterprise security consideration.

TOPICS: Security, Apple, iOS, iPhone

Apple's new iPhone 5s Touch ID feature is poised to do more for device locking and the advancement of biometrics than it will for enterprise security.

Touch ID, a biometric authentication device, hidden in Apple's old-style hardware/software dungeon, is more of a consumer play than it is an enterprise security feature.

With Apple confirming that third-party application developers are walled off from the iPhone's new authentication method, the likely win for enterprises is that more of their BYOD users will lock their phones thus protecting the applications and data contained on them.

In terms of biometrics, Touch ID could ignite mass acceptance among consumers who will carry their enthusiasm and demands to the workplace.

Earlier this week, I talked about wearable computing potentially finding its killer app (authentication), in this case, biometrics may have found its killer host.

But all enterprise security architects and identity and access management (IAM) pros have found is another wait and see attitude.

"Good for consumers, nothing for enterprises. Same old Apple," said Gunnar Peterson, managing principal at the Arctec Group. "That doesn't mean they won't enable something useful for enterprise down the road, but I am not holding my breath."

From an enterprise perspective, Apple needs to allow third-party cloud and enterprise app developers to incorporate the feature. And Touch ID needs to open up to integration with enterprise single sign-on features of iOS7 and standards-based cloud and enterprise IAM systems.

Without those additions, the enterprise sleeps a little easier knowing more employees are locking phones, but it gets no other real tangible benefits to hang ROI on.

Enterprise security pros need to see under the covers, and Apple isn't lifting them. Let's face it, Apple isn't known in the enterprise for its security tools so a relationship still needs to be forged.

For Touch ID to have serious impact, it needs to integrate with back-end IAM systems that enterprises have already spent millions to develop. It needs to be a factor in authentication to all applications.

Apple said yesterday that Touch ID comprises the most advanced hardware and software it has put in any device, but it has missed the IAM industry's advancement toward openess and standards.

Touch ID also is not a two-factor authentication system itself, but should be part of one. In fact, it will be pressured, by end-users and enterprises, to integrate with many two-factor authentication systems that have become de facto options for services like Google, Amazon Web Services and Dropbox, and for key developer outposts like GitHub.

Perhaps Touch ID's best chance is to align with the FIDO Alliance, which is focused on strong authentication and talks about a finger-sensor option paired with FIDO protocols under development. The Alliance aspires to provide plumbing protocols for biometric authentication at scale for cloud-based services.

Beyond Touch ID, Apple also touts other business benefits of the iPhone's iOS7 operating system. The company says those benefits provide "new ways to configure and deploy devices at scale, and features to help businesses purchase, distribute, and manage apps with ease." The pieces include mobile device management, enterprise single sign-on (SSO), and per app VPN.

But even here, Apple has gaps. Its enterprise SSO appears to be based solely on the Kerberos protocol, which is already supported in the iPhone. But while Kerberos based SSO is fine for employees accessing on-premises applications, it's not so useful for access to SaaS applications and therefore not a good fit for hybrid enterprise cloud architectures.

There is rumor that Apple's enterprise SSO may support the venerable Security Assertion Markup Language (SAML), used today for federated identity management, and OAuth, an emerging authentication federation protocol finding favor in the cloud.

With Apple obviously focusing on the client side, it will need such standards support if it is to integrate with current server-side components that are being used by cloud services and enterprise identity architectures.

Touch ID may point to Apple getting into the enterprise ballpark, but for now, its chances are slim for getting into the enterprise security lineup.

See also:

Topics: Security, Apple, iOS, iPhone


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • The first iPhone didn't have dev access to an SDK, either.

    How long did that last? I'm not saying that Apple will open the fingerprint reader to 3rd-party developers, but I AM saying that just because Apple doesn't allow something today doesn't mean Apple won't allow it in the future.
    • Apple is always late with SDKs

      Yes, Apple may or may not open the SDK to third party developers in the future, but the thousands of BB and feature phones waiting to change to an enterprise-ready smartphone are better of with Windows Phone (MS email and office) or even Android (wide enterprise apps) than the locked-down for IT-iPhone.
      • Always? Every time? Are you sure?

        As for "BB and feature phones waiting to change to an enterprise-ready smartphone are better of with Windows Phone (MS email and office) or even Android (wide enterprise apps) than the locked-down for IT-iPhone."

        You need to tell that to the CIO/CTOs of the thousands of enterprises that have either added the iPhone to it's supported devices or switched completely, like the Windows-only software development company where I work. Despite the fact that our flagship product runs on 3 different Windows Server products, every mobile phone in the company is now an iPhone.

        The irony of the fact that our CTO admits that while WP8 might offer marginal management and Office integration improvements, the total costs of another platform switch would more than negate its potential value isn't lost on me (I heard the same arguments about switching to Mac in the '90s). Office for iOS next year, will make that calculus even more favorable to the iPhone.
        • So the deal is, according to your CIO/CTO, is...

          If you make a less than optimal decision, stick it out? Your comments do not suggest that the post was not accurate, it suggests that some CTO/CIO's made fashion choices, rather than business decisions where you work?

          Not a slam, but an analysis...

          If you had said, our CTO sees the BYOD coming and as a cost avoidance, since there was no clear security player in the phone device space, for the near term we are tactically deploying some iphones and BYOD iphone support?
          • An erroneous paraphrase is not a valid argument.

            BYOD is a business decision, like a thousand others that have to be made.
            1. Optimality is an opinion, based on assumptions, context, and history.
            2. There's nothing in the original post that suggests a fashion choice, so your statement is not neutral. Reread the last paragraph.
            3. Security, like every other technical parameter is a moving target, with leaders and capabilities changing regularly. Sometimes, a sound decision is not to pay a high cost of transition for a marginal (and possibly judgmental-based) benefit.
        • being that

          None of those phones are 5s's that makes your comment kind of moot.
    • Still waiting for FaceTime API

      When Steve Jobs introduced FaceTime, he said it was "Open".

      Still not happening...
      • That one was Steve waking up the next day thinking "I said WHAT?!"

        FaceTime, like iMessage is a "golden cage" for user lock-in. It's not huge like the app ecosystem (the main reason Apple did an SDK), but it's got a two dimensional "halo effect." It adds one more reason to buy an iPhone, iPad, and/or Mac (or all three). Why would Apple give that up?
        • Doesn't make sense

          Give it up? What was he thinking! Obviously he wasn't.
          Apple is slowly but surely regressing (need a better term) from an industry driver and leader to just another player seeing their market share and influence be replaced by Android.
          If, as you say, If SJ really had thought in those terms regarding FT, he would have considered and looked to address this "shrink" issue.
          Looks like someone forgot to write the memo.
  • Maybe Enterprise Security has got it Wrong

    The concept of coevolution or 'covelution' proposed by Engelbart , the parallel evolution of people and machines, and some theories of the Technological Singularity see machines (this means computer technology) evolving to a point where humans use the technology to enhance aspects of themselves, whether this is cognitive action, or physical capability or similar. If humans are going to use these technologies to enhance themselves, and we are seeing early examples of this today, would we really want corporations to have control of the devices that we use for human enhancement?? - I think not... This is one small reason why Apple produces personalised user centric technologies. Apple knows that today it may be BYOD, and the M7 chip, tomorrow it will most certainly be the iWatch and then attachable upgradable computer enhancements. Even Microsoft in its own lumbering way understands this shift, why do you think it is persisting with the Surface RT version 2. Corporations are slow to come to terms with the security issues afforded by this shift in technology, and indeed many of them are having a huge struggle with BYOD.... Therefore I believe corporations need to look for new ways of trying to control the security of their information. The days of nailing everything down including the staff are long gone, and in the future you are not going to be able to mandate that people leave their computing implants at the door as they will be a fundamental part of their physiology or cognitive functioning.
    I also believe that the thinking of the information security community has been slow to evolve and on average it is 10 to 15 years behind. I currently don't know what the answer is, but I do believe this new world that is about to emerge will have far reaching ramifications not just for the security of corporations, or for the economy but for our entire way of life.... The seeds have been planted and they are growing here in our current technology, the Singularities beginnings are here and now. Its infancy is only 5 to 10 years away and corporations need to catch up.
    Richard Romanov
    • Eloquent but lagging

      This is already happening in the enterprise space. One thing most forge is the legality that is encumbered onto enterprise / business endeavors. This precludes most rapid shifts or advancements.

      Biometrics like those in the 5S are significantly out of date as a single authentication method. These may be usable in a dual factor method though better solutions currently exist.

      The one item Apple always brings to the table in a significant lag to opening up their technologies to allow use in the enterprise space. They have always been and continue to be that individual who "takes their ball and goes home".
  • Enterprise...

    Using BYOD usually means having to accept enterprise security policies. Apple have provided enterprise tools for locking down iOS devices for years, including forcing them to use a password.

    Any enterprise taking its responsibilities seriously will already be deploying such rules on their own and BYODed devices and thus forcing users to have passwords set up.
    • Hmmmm..

      our highly regulated enterprise already supports iPads and iPhones with encrypted and sandboxed data, but no need to control the entire device...only the app data specific to the's a sweet BYOD solution.
  • Missed opportunity

    Apple makes it too obvious that they are not serious about the enterprise, when their marketing people spend a lot of time trying to convince us otherwise (a lie).
    Tim Acheson
    • Is it?

      ...and none the less they own the enterprise in mobile technology. They must be doing something right.
  • Hidden in Apple's old-style hardware/software dungeon

    MSFT with Win8, Cortagena and their movement towards convergence is working towards revolutionary developments. It's really all about the past, present and future evolution of personal computing.
  • Right or dead

    "Earlier this week, I talked about wearable computing potentially finding its killer app (authentication), in this case, biometrics may have found its killer host."

    Apple better have this right., or it will be the killer OF the host.
  • Enterprise Biometric Security is here now

    For those not familiar with enterprise multi-modal biometric and credentialing solutions available today, visit ImageWare System's website:
  • Trying to guess Apple's thought processes

    is futile. Now that Mr. Jobs is no longer among us, we can assume a greater amount of reality-driven decision making. But Apple still keeps it's mouth shut most of the time.

    One thing we do know. Apple isn't an enterprise-driven company. Steve Jobs seldom forgot an insult. Corporations didn't see the virtues of his superior product so he set no stock in wooing the enterprise market. Artists and renegades embraced the Mac so Jobs embraced them. Art departments, recording studios and small businesses too. Thus evolved the Apple culture: the elite company that out-innovated and out-designed everyone else and had enough of a loyal following to be profitable. (Fast forward over the blip in the mid 90s.)

    Initially the success of the iMac, iPod, Macbook and iDevices was consumer-driven and thus fit right into Apple's narrative. Apple added the necessary features to support iPhones/iPads in the enterprise; they even revamped sales and service functions as enterprise use grew. But they never tried to take on RIM. It amazes me that people keep complaining about this as though it was a lack on the part of Apple rather than what it really was, a conscious choice. Arrogant and sulky perhaps, optimal for business surely not, but there you have it.

    Mr. Jobs's successors don't have his personal grudges against cooperating with the enemy-er I mean with big business. It's just not so clear right now what it means to support enterprise computing as it was when Wintel ruled the world, partnered very briefly by Palm and later by RIM. Users have as much influence in some areas as IT. Windows has lost its stranglehold for good but MS is making progress on the mobile front. RIM is dying but not in super secure environments. Android rules but not yet/necessarily in the enterprise. Etc. etc.

    Look at this Touch ID in that context. It's not meant to answer enterprise needs at the highest level. For starters, the mobile batteries and processors to support biometrics at the Rackspace level are still close to sci fi. We'll get there, but not yet.

    Touch ID adds real value by making it convenient to lock one's phone. Business or personal, today all phones need to be locked. At the same time it's cool, elegant, a technological stretch in the smartphone world of the kind we expect from Apple. It may get some fence sitters to stick with iPhone or even return to it. For a company used to working on the margins that's meaningful.

    So there we are. Apple will shake out Touch ID and look at market reaction. Then they'll decide what they've got and what to do with it. Yes the next logical step is to give developers the SDK, let other applications use it. That needn't and shouldn't wait until next September since it doesn't involve the phone at all. Add this feature to the next iPads. There's still some insecurity about letting the motley Android crew into the business world, but that window will close. So leverage your elegant hardware to the max while you can.

    Will Apple be logical? I think the odds are at least 50/50 but I for one ain't betting on anything. In the meantime, enterprise grousers look at it this way. If you're able to support iPhones now, what's worse for you with Touch ID? Nothing. It's now easier to demand that all users lock their iPhones. And there's the potential going forward for this to evolve into something really useful.
  • Eyeprint Verification

    Fingerprint and Touch ID are getting a lot of traction in the news these days as Apple is set to roll out the new iphone 5S with this biometric add-on on September 20th. Touch ID will all but eliminate the need for passwords and pins when using your iphone 5s. But, what happens if you don't have the new phone? What options do users who have an Android, Blackberry or Microsoft device or a iphone 4s, 5 or even new 5c have available to them? EyeVerify!

    EyeVerify is the exclusive provider of Eyeprint Verification, a highly accurate biometric
    for mobile devices. Eyeprint Verification delivers a password-free mobile experience and secure authentication at a glance. This patented solution uses existing cameras on smartphones to image and pattern match the blood vessels in the whites of the eyes. Best of all, you can get this technology right now for your existing device as long as your device has a 1 mega pixel camera.

    Apple’s TouchID and the Eyeprint accomplish the same ultimate end goal. It is an accurate, secure & simple way to answer the question "Who is holding the phone?" Eyeprint Verification just happens to be more accessible to more of the population trying to solve the password problem.

    To learn more about the differences in these technologies:
    Check us out online
    Read our blog
    Follow us on twitter @eyeverify
    Watch us on YouTube
    Contact us to schedule an interview at