During ZDNet's Great Debate prior to the release of Apple's iPhone 5s with Touch ID, I argued that, once it was released, hackers would determine the strength of the fingerprint scanner and other iOS 7 security features.
Well, the results are funneling in and it seems there are plenty of soft spots. Touch ID has already been hacked and the first to do it is set to collect a bounty that may exceed $11,000.
In fact, the hacker, known as Starbug, told ArsTechnica, "There was no challenge at all; the attack was very straightforward and trivial."
Also, there have (again) been lockscreen bypass flaws uncovered, and methods discovered to con Siri into giving an intruder access to messaging and social media apps. And there is the fact that Touch ID can be bypassed entirely by rebooting the phone and hacking on the 4-digit passcode instead.
While all of this is likely to be erased by eventual OS upgrades, it gets at a larger point I was making last week: as Touch ID moves out of its pilot phase and its on-phone sandbox, does Apple have the chops to design a security system worthy of consumer, and more important, enterprise mobile computing?
The early returns don't point to a favorable outcome. And they point at a broader issue and to why Apple should keep failing, learning and innovating.
Identity, authentication and authorization won't come in one finger or even one package.
Identity and access management needs multiple authentication methods with varying degrees of security used alone or in combination. The environment will be a tiered labyrinth of security with trusted stewards and interoperable hubs.
Today, the National Institute of Standards and Technology's (NIST) Electronic Authentication Guidelines describe four levels of assurance, which grade credentials on how an identity was registered, how the user authenticates, and whether the credential meets the needs of the Web site considering the authentication request. The guidelines define areas within each level that dictate identity proofing, registration, tokens, management processes, authentication protocols and related assertions.
It is that kind of layering of proof points that will allow authentication and authorization to be stretched among networks, clouds and mobile computing. And stretch it will. Gartner said earlier this year that by 2016 federated single sign-on (SSO) will be the predominant SSO technology, deployed by some 80% of enterprises.
NIST, via its National Strategy for Trusted Identities in Cyberspace (NSTIC) has already invested $16 million in private sector pilot programs to understand how all that technology and layering will provide credentials (fingerprints and biometrics included) that match the right amount of identity proofing (down to in-person proofing at the highest level of assurance) with the right online access and transactions.
Apple itself invested $356 million to acquire AuthenTec and its fingerprint reader technology. Based on iPhone 5s sales to date there is a good chance that will be deemed a worthy investment.
But if Apple wants to continue to invest in security features, not just to protect the phone but to protect access to applications, including corporate apps, it will have to log these tough days of hack attacks as the price of entry into the broader authentication and authorization landscape.
- Apple's advanced fingerprint technology is hacked; should you worry?
- iPhone 5s with Touch ID is a big win for BYOD security
- Apple provides details on Touch ID's privacy features
- Debate: Apple's Touch ID: A game changer?