Apple's Touch ID: A game changer?

Moderated by Larry Dignan | September 16, 2013 -- 07:00 GMT (00:00 PDT)

Summary: Apple builds a fingerprint sensor into its flagship phone. Big deal? Our experts debate.

David Braue

Yes

or

No

John Fontana

Best Argument: No

41%
59%

Audience Favored: No (59%)

The Rebuttal

  • Great Debate Moderator

    Is everybody ready?

    This week, David Braue and John Fontana debate the future of fingerprint sensors. Are they the answer for online security?

    Posted by Larry Dignan

    All set

    Fingerprints are the best answer today.

    David Braue

    I am for Yes

    Let's get started

    It's a toy.

    John Fontana

    I am for No

  • Great Debate Moderator

    The end of passwords?

    Fingerprint recognition has been around for a while, but hasn't exactly gone mainstream. Do you think Apple can popularize it and make it mainstream---and even rid us of passwords?

    Posted by Larry Dignan

    Absolutely

    I had a laptop with fingerprint scanner a decade ago, but its software had very few uses beyond logging me in and creating a secure file-storage area. The technology works, but the key to making it work well lies in the software. And, as we all know, when it comes to software, Apple makes magic with frightening regularity.

    Once the inevitable fingerprint scanner-equipped iPad, MacBook Air and MacBook Pro have dropped by year’s end, most of the world’s most popular mobile devices will be fingerprint-enabled and part of the mass consciousness. Expanded APIs in iOS 7.1 will give application developers tightly managed access to the fingerprint scanner, and eventually we’ll be using our fingers to log into apps and Web sites instead of using passwords.

    David Braue

    I am for Yes

    Biometric weaknesses

    If we had a nickel for every authentication scheme that was going to replace passwords, we could buy a lot of iPhones. It is well documented that biometrics is by no means a panacea. Passwords can be revoked/changed. Biometrics once compromised are forever compromised, argues Dave Aitel, CEO of Immunity.

    Think about that for a second if you have ever had to change a password. Think about that as you plan to re-use your fingerprint "passcode" across services and applications. Cost and weakness in the current fingerprint technology, such as security implications of digitally stored fingerprint images, have conspired to keep readers out of the mainstream. Apple may expose more people to the convenience, but it also will surface questions and concerns. Users don't buy fingerprint readers, they buy applications. Until developers can tap into Apple's technology, what Apple has is a pilot program.

    John Fontana

    I am for No

  • Great Debate Moderator

    Effect on BYOD

    What do you see as the implications for Touch ID and the enterprise? What's the effect on bring your own device?

    Posted by Larry Dignan

    Legitimizes BYOD

    Because it’s completely idiot proof, fingerprint scanning will be crucial to legitimizing BYOD as an acceptable mobile-device philosophy. Assuming Apple builds bridges to corporate Active Directory databases – and sets or supports open identity standards that add fingerprints to the panoply of acceptable user authentication techniques – Touch ID will quickly become the preferred, and mandatory, way of securing mobile devices.

    While it offers a strong degree of protection on its own, it’s also worth mentioning that fingerprint scanning is especially useful for high-security environments – where it can be used along with a password or other authentication method as a second method of two-factor authentication. And who’s to say that you only need to scan one finger for access? It won’t be long before your super-secure system is accessed with a password like right-index, left-ring, right-pinkie, left-pinkie, left thumb. Take that, cybercriminals!

    David Braue

    I am for Yes

    The enterprise isn't ready

    Touch ID is a non-starter in the enterprise. BYOD negates hardware cost factors if users have iPhone readers, but enterprise security is a back-end software game. The backend is where critical pieces must be in place to realize an enterprise win. Currently, Touch ID has no way for the enterprise to tap the technology into their identity and access management systems (IAM).

    Rumors are swirling that Apple may support ID standards like SAML and OAuth in iOS7's enterprise single sign-on (SSO) features, but how that relates to Touch ID is unknown. In fact, iOS7's SSO and Mobile Device Management pieces have more chance to impact enterprise BYOD than Touch ID. Enterprise appeal is not a wash, however, (more locked devices) but game-changing IT benefits tied to Touch ID won't come without mass iPhone adoption. But don't hold that hope. Pew Research numbers show Android winning the smartphone battle against iPhone in categories based on age, ethnicity, education and income.

    John Fontana

    I am for No

  • Great Debate Moderator

    Strengths

    What are the strengths of fingerprint recognition technologies?

    Posted by Larry Dignan

    Fingers tell no lies

    They rely on something we all have, cannot lose, and which is unique to each of us. This makes them both convenient and reliable for user identification – particularly if they are well integrated into the operating environment so they feel more like a natural, built-in feature than an add-on gimmick.

    They are also, despite what you see in the movies, difficult to spoof – as long as the sensor has ‘liveliness detection’ – meaning that it’s designed to detect a pulse or other biologic signature to ensure the fingerprint is attached to a living person.

    Furthermore, they’re impossible to reverse-engineer: despite all the hoopla about privacy and fingerprint theft, scanning is a one-way process. Once the scanner converts your fingerprint into a unique code, there’s no way to turn that code back into an image of the fingerprint. And, considering how Apple has secured Touch ID fingerprint hashes inside its chips, you’d struggle to access those codes in the first place.

    David Braue

    I am for Yes

    Beats four-digit passcodes

    It binds a user to their device, which means the device could be used as a token to help establish authentication and authorization. It begins to show the importance of authentication via identity or attributes - instead of passwords - which helps support levels of increasingly stronger authentication as you combine data points (attributes) to determine that a user is who they say they are. Fingerprints are a great improvement over four-digit passcodes. But then again, even though Apple allows users to improve its passcode system with up to 37 characters, few choose to use it. Pick your favorite survey and see how many people (some say up to 60 percent) don't even lock their phones. (Yahoo CEO Marissa Mayer, we're looking at you.)

    Think about how many people will forget their passcode when their inevitable Touch ID reset happens (reboot or dormant for 48 hours). How important security becomes for individuals ultimately determines the strength of any authentication technology.

    John Fontana

    I am for No

  • Great Debate Moderator

    Weaknesses

    What are the weaknesses?

    Posted by Larry Dignan

    Grime

    Fingerprint readers can’t read well through lotions, grease, dirt, and the like. This makes them unsuitable in many industrial environments.

    Also, some fingerprint scanners are relatively easy to fool, since they use optical methods to read the fingerprint and may be tricked using a printed fingerprint on a piece of paper. This is why it’s important to use fingerprint scanners, such as the AuthenTec technology that Apple acquired and used for Touch ID, with liveliness detection.

    David Braue

    I am for Yes

    Once broken, forever broken

    Once compromised, always compromised.

    Enough said. You only have 10 fingers and 10 toes. Fingerprint readers can be, and have been, defeated, including the gummy bear attack that lifts a print off the sticky candy. Apple's fingerprint reader is said to negate some of these fingerprint tricks but that will be confirmed only after widespread hacking. In Apple's case, cuts or scars could prevent accurate readings.

    "Fingerprint recognition is not perfect," Geppy Parziale, biometrics expert and CEO of Invasivecode, a firm that develops applications for Apple's mobile devices, told the Sydney Morning Herald. Questions about fingerprints in circles outside of technology, most notably the legal arena, also raise concerns about the credibility of fingerprint "matches."

    While these issues might not be relevant to all apps, financial or other transactional user authentications are another story.

    John Fontana

    I am for No

  • Great Debate Moderator

    Use for mobile payments

    Many analysts have noted that fingerprint recognition could be a precursor to a mobile payments play from Apple. Do you agree? How would fingerprint recognition change the payment process?

    Posted by Larry Dignan

    It's in the cards

    There’s no question this is on the cards. Being able to register a fingerprint hash as part of, say, a PayPal account would provide a significant additional layer of security when conducting transactions. Apple is already using this sort of functionality by allowing iPhone 5s users to scan their fingerprints when buying apps; expect this capability to be expanded into new areas at Apple’s leisure, then eventually to third parties once Apple gets around to expanding its API.

    Once credit-card issuers get in on the game, you’ll be able to register your fingerprint with your bank and add another important verification layer to any online purchase. Loyalty programs, government services, or even just games would all be more readily accessible. Another great usage model would be to allow the iPhone or iPad to support multiple users, each with different access and application rights: under this model, your son might be able to play certain games on your phone, but could be banned from accessing corporate app clients or even just movies above a certain rating.

    David Braue

    I am for Yes

    Pieces are in place

    Yes, I agree. Fingerprint authentication binds a user to the device as mentioned previously. That is one important step when that device is used for mobile payments. But Apple's big miss so far? Lack of support for NFC. Samsung and Visa set the industry tone earlier this year with their NFC-based mobile payment partnership.

    Apple has pieces in place, re: Passbook, to support retail transactions and loyalty for Apple users. Apple's iOS7 contains iBeacon, which is part of Apple's retail strategy, but details were not discussed at the iPhone 5s launch.  Fingerprints are not a precursor to success as the debacle around former payments darling Pay by Touch shows - value determines success.

    Apple could make its bid for significant change if the FIDO Alliance gets its act together on a protocol that leverages existing device hardware (TPM chips, NFC, One-Time Passwords), along with biometric devices. Why? PayPal's CIO, Michael Barrett, is FIDO's president.

    John Fontana

    I am for No

  • Great Debate Moderator

    Overcoming Apple's recent mistakes

    Given that Siri has been so-so and Apple's maps foray was an initial mess, are you confident that Touch ID will be perfect?

    Posted by Larry Dignan

    It should be fine

    In this case, one rotten Apple doesn’t necessarily spoil the bunch. Sure, Siri has the same hit-or-miss, love-her-or-hate-her tendencies as your mother-in-law, and Apple Maps was only accurate if you closed one eye, squinted and brought your phone inside of your focal range until it went blurry. But Apple Maps is getting better – just check out the eye-popping 3D in a major city near you – and it occasionally even recognizes a street I want to go to. Things are looking up.

    Of course, we cannot be confident that Touch ID will be perfect; its perceived efficacy will vary depending on the application, and there is always going to be some scathing review from someone whose fingerprints were burned off in a freak twerking accident, and who consequently cannot use Touch ID at all. But this is a hardware sensor, and not an all-software experiment like Siri and Apple Maps – and, remember, Touch ID is based on mature technology that Apple bought, not new technology it built. As long as Apple can interface its apps well with the sensor, Touch ID should be fine.

    David Braue

    I am for Yes

    History says no

    No way. Both Apple Maps and Siri came out of the gate with noticeable limps. That is one reason Touch ID has limited scope. Apple spent three years developing this technology, and the result is a consumer grade, gee-whiz feature that fails to answer basic concerns around fingerprint technology and biometrics in general.

    Apple is tearing a page from Microsoft's MO with return trips to the drawing board before technology becomes solid. Will consumers and IT invest in multiple revisions of Apple devices with hope the third time is a charm? Touch ID is a single step from gimmick given its limited functionality; potential is there, but perfection seems fleeting since it aims at a moving target. Noted security guru Bruce Schneier wrote in Wired magazine that biometrics almost certainly can be hacked. But perhaps the NSA has the most telling insight: "Biometric systems alone do not currently provide adequate security for high assurance applications."

    John Fontana

    I am for No

  • Great Debate Moderator

    Follow the leader?

    Do you anticipate other smartphone makers will have fingerprint recognition hardware and software?

    Posted by Larry Dignan

    If you make it they will come

    It’s worth noting that most Android smartphones have favored near field communication (NFC) technology for payments authentication, whereas Apple has taken a biometric approach for payment authentication. But if Touch ID becomes popular with users, effective fingerprint scanning will become a standard feature of new phones from all makers.

    Apple will be working to change its users’ habits when it comes to security and authentication, and there’s no way competitors would risk being seen to have fallen behind. They’ll have to be careful to integrate good technology rather than making do with cheap-and-nasty options, however: once you standardize on less-than-robust fingerprint scanning, you risk spoiling the user experience – and putting another generation of users off of fingerprint scanning for good.

    David Braue

    I am for Yes

    Follow the money

    It is already available, albeit only on one other device. But if a measurable revenue stream emerges, there is no doubt other smartphone vendors will rush to market.  Look how touch screen and app store concepts were copied. Apple is the new guinea pig for fingerprint readers on devices. Readers for desktop computers and laptops crashed and burned due mostly to unreliability. The industry is watching to see if the iPhone is next.

    John Fontana

    I am for No

  • Great Debate Moderator

    What will happen first?

    What are the security risks and rewards for Touch ID?

    Posted by Larry Dignan

    Immediate target for hackers

    It will of course become an instant target for hackers trying to reverse-engineer its capabilities. Expect them to fail, generally, although if (or when) iOS 7 is jailbroken some ingenious hackers may figure out ways to manipulate the system. But I’d wager that Apple has put significant effort into ensuring that Touch ID’s security story is robust and reliable. Its storage of fingerprint data in encrypted format, in silicon rather than in software, suggests Apple is taking the security and integrity of Touch ID very, very seriously. If it ever loses its air of respectability, it will be game-over for Touch ID.

    David Braue

    I am for Yes

    Fake sense of security

    Risks:

    False sense of heightened security, Apple's focus thus far on the technology and not its application, vulnerable systems, compromised systems, cryptographic attacks, network attacks, operating system attacks, image storage issues, privacy issues, and data loss just to name a few that will get IT talking and balking.

    Rewards:

    On-device convenience, streamlined retail transactions with Apple, potential to fit into a larger security architecture, luxury for IT to take a wait-and-see attitude.

    John Fontana

    I am for No

  • Great Debate Moderator

    Going mobile

    Where do fingerprints fit in the mobile device management stack?

    Posted by Larry Dignan

    Replace passwords

    They’re a natural to replace (or complement) passwords as a method of both securing devices when they’re not being used, and ensuring user identity when users try to access network resources through the device. MDM tools are all about adding a layer of control to distant mobile devices, and fingerprints are a readily available way for distant users to prove their identity – and for device managers to discern that the person using a phone isn’t the person it’s registered to. Since there is no way to guess or brute-force a fingerprint, overall trust in MDM platforms should go up as a result.

    David Braue

    I am for Yes

    Needs a plan

    MDM controls policies associated with biometrics. Those policies define what is allowed to happen when the user puts their finger on the sensor. But again, without a plan to integrate Touch ID with other systems the point is moot. Apple hasn't even made a connection with MDM capabilities in iOS7. On the flip side, MDM is just the kind of mobile support system IT would like to test drive with biometrics (and other authenticators) so perhaps that is an IT inroad for Touch ID.

    John Fontana

    I am for No

  • Great Debate Moderator

    Why is it limited to the new iPhones?

    If Touch ID is that promising why do you think Apple kept it limited to the iPhone 5S and avoided the iPhone 5C?

    Posted by Larry Dignan

    Easy does it

    Every sensor introduces a new cost and complexity, and the iPhone 5c was always about low(er) cost and less complexity. The iPhone 5s is now Apple’s flagship phone, so it makes sense to be the only home for Touch ID at first; think about how Apple staggered the introduction of its Retina Display into its MacBooks, and you’ll know what to expect. If the imminent, updated iPad 5 doesn’t also have Touch ID, it will be a shock. The iPhone 5c might get a scanner in a few generations, but true to Apple practice Touch ID remains a premium feature for now.

    David Braue

    I am for Yes

    Cost

    The iPhone 5c is not about technology. It is about satisfying Wall Street's desire to see a competitively priced smartphone from Apple. The reaction by the market spoke volumes (stock price plunge); and Touch ID was not sexy enough, or compelling enough, to turn the tide on that disappointment.

    John Fontana

    I am for No

  • Great Debate Moderator

    Developer strategy

    How do you see Apple's developer strategy evolving with Touch ID? What can be done with those APIs?

    Posted by Larry Dignan

    The new standard

    Better API access would allow developers to use fingerprints anywhere they now require user ID-and-password combinations. You could use your fingerprint to log into Skype, verify an update on Facebook, digitally sign a document you scan by photographing with the iPhone’s camera. If you were to register your fingerprint with your Twitter account, you could make sure it was impossible to post an update without also swiping your fingerprint. The possibilities are endless.

    The corporate applications are also significant, and nearly all of them deal with improving access to networked systems. Deep hooks from Touch ID into enterprise authentication systems will be a natural application; however, eventually fingerprint data will become a robust way of timestamping and signing entered data, controlling remote access to virtual desktops and data-centre servers, and integrating with mobile device management (MDM) tools for stronger authentication.

    David Braue

    I am for Yes

    Wait and see


    Whether it's an API, a full SDK or something from the iOS Developer Enterprise Program for in-house apps, there has to be an integration strategy for Touch ID to have value outside the Apple environment.  Apple gets pretty good marks for its iOS SDK, so there might be hope for credible app and IAM integration. The first entry point will be native mobile apps as cloud-based apps present too many privacy and image storage issues. There is not a Touch ID developer strategy, and CEO Tim Cook refused to even hint there might ever be one. Speculation on Stack Overflow's Question and Answer site held no hope for a Touch ID API, but yielded this speculation, "usage of the sensor, will only be done through interaction with the keychain allowing the OS to interact with the sensor, while keeping your app separate in its cozy little sandbox." The discussion was later closed.

    John Fontana

    I am for No

  • Great Debate Moderator

    Will it reduce crime?

    Can Touch ID curb iPhone theft?

    Posted by Larry Dignan

    Yes

    Absolutely: if your iPhone is locked to only work with your fingerprint, and there is no way to bypass that control or game the iPhone-wiping system, any potential thief will quickly see that there’s no point trying to take the phone. Unless they also decide to take your finger – in which case, a lost iPhone is the least of your problems.

    David Braue

    I am for Yes

    No

    According to Apple, an iPhone that is simply re-booted reverts to the user's four-digit passcode. And an iPhone that hasn't been unlocked for 48 hours also reverts to the user's passcode. A four-digit passcode has an average crack time of 20 minutes.

    Crack the code, wipe the data and re-set the fingerprint scanner with your own print. Powned. Or more accurately, pawned.

    John Fontana

    I am for No

  • Great Debate Moderator

    Great Debate

    Thanks to David and John for a lively debate. And thanks to you for joining us. Closing statements will be posted on Wednesday and I'll give my final verdict on Thursday. You can check out the comments and add your own - and don't forget to vote.

    Posted by Larry Dignan

Talkback

53 comments
  • Why the need to make a comment ...

    ... just to vote.
    I wasn't planning to, but as I have to, I don't see it as a game changer any more than when fingerprint recognition was installed on phones previously, as stated by John. I don't see it as any more of a game changer than face recognition on Android phones, which hasn't exactly set the world alight. Having said that, I'll be interested to see the arguments on either side.
    DJL64
    Reply 5 Votes I'm for No
    • The same, but different

      DJL64, it's true that 2 years ago the Motorola Atrix was the first mobile phone with a fingerprint reader, but the ease of use, accuracy, and other features of the Apple/AuthenTec scanner hardware and software on the iPhone 5S is a much more advanced system.

      Comparing the two is like saying Apple's iPhone was not the first smartphone (which is also true), but the iPhone completely changed what we now take for granted is a "smartphone".

      The same with the iPad. There were tablets around for years before (including Apple's early tablet, the Newton) but none of them hit the mark or became popular. But the iPad changed the landscape. Now, all other tablets are more like the iPad than the tablet efforts that preceded it.

      The fingerprint scanner on the iPhone 5S is that much more advanced and different than the Motorola Atrix scanner.

      It is up to Apple whether they decide to license this new technology, or not, since Apple bought AuthenTec two years ago, and has developed this new scanner hardware and software over the past two years.

      If Apple doesn't license this new technology to its competitors, it will be up to other smartphone manufacturers to develop an equally high-quality system on their own.
      Harvey Lubin
      Reply 2 Votes I'm Undecided
      • One of the major differences

        In addition to ease of use, and accuracy, there is another important way in which Apple's fingerprint scanner is different and more advanced than other companies' previous attempts.

        Apple's scanner cannot be "tricked" into working with either a severed finger, or a lifted image of someone's fingerprint.

        This is because the sensor in the iPhone 5S utilizes two methods to sense and identify your fingerprint:

        Capacitive -- A capacitive sensor is activated by the slight electrical charge running through your skin. We all have a small amount of electrical current running through our bodies, and capacitive technology utilizes that to sense touch. This is also the same technology used in the iPhone's touchscreen to detect input.

        Radio frequency -- RF waves do not respond to the dead layer of skin on the outside of your finger -- the part that might be chapped or too dry to be read with much accuracy -- and instead reads only the living tissue underneath. This produces an extremely precise image of your print, and ensures that a severed finger is completely useless.
        Harvey Lubin
        Reply 6 Votes I'm Undecided
        • It will be cracked...

          it's just a matter of time. Everything is eventually.
          kstap
          Reply 6 Votes I'm Undecided
          • Bust a Myth!

            You're safe as long as Adam Savage doesn't lift a copy of your fingerprint!
            jallan32
            Reply 6 Votes I'm Undecided
          • None of the Mythbuster tricks will work

            on TouchID. It reads the subdermal layer, checks for capacitance, takes a 3D map of the print, etc. In other words, it's a whole heck of a lot more advanced than your typical PC fingerprint reader. Which is why the "No" guy is just spouting his ignorance when he compares it to the Atrix
            baggins_z
            Reply 5 Votes I'm Undecided
          • ' "No" guy is just spouting his ignorance'

            Are you referring to my earlier comment Baggy? Is that your best reasoned argument, to insult someone you disagree with.
            I expect this fingerprint reader to be quite useful, time will tell. I just don't think it will be a "game changer". No, that's not a fact, just an opinion.
            I didn't actually compare it to the technology in the Atrix either, I just said it wasn't the first fingerprint reader in a phone. Try reading Harvey's response. I don't agree with him (well maybe 50/50) but he does make quite reasoned points.
            DJL64
            Reply 2 Votes I'm Undecided
        • RF scanner detects moisture, actually

          so a dead finger would still work if it were kept moist. What did they do to test it, cut off someone's finger? But you're right about a lifted fingerprint.

          But nobody cares about that, as what are the chances someone would kill you or sever your finger just to get access to the iPhone they stole from you, especially when there are plenty of ways to get around the security if they actually possess the phone, including hard resets. And no, you can't remotely brick the phone if someone steals it from you, so the incentive to steal is still there.

          What would be a game changer would be if they built in the capability to brick the phone if it's stolen. There is only one brand of smart phone that has that capability built in, and that is BlackBerry. It would be the easiest thing in the world for Apple to build that capability into the iPhone as it has a unique device ID that survives hard reset, but they don't/won't do it.
          Jacob VanWagoner
          Reply 4 Votes I'm Undecided
          • Activation Lock - Bricking

            With iOS 7 activation lock you can remote wipe and brick the device, you need to enter the Apple ID and password to be able to do anything with the phone.

            Recovery mode won't even bypass this. Same if you didn't wipe it and had an authentication of some kind to get past the lock screen.

            Incidentally, my employer announced today that Touch ID will be acceptable in favour of 6 digit pins
            Jonsyd
            Reply 4 Votes I'm Undecided
        • Big Enterprise Miss

          I have to go with gimmick ... The only way this could be even remotely acceptable in an enterprise environment would be as part of a two-part authentication factor. It's not and not likely to be. Big business has some very stringent guidelines on the use of biometrics. Most companies that have computers with fingerprint tech shut it off. No matter how much effort Apple put into this, unless they are willing to open it up to allow inclusion in an authentification system designed by enterprise, not Apple, any traction it gains is minuscule, at best.
          rhonin
          Reply 2 Votes I'm Undecided