Apple's Touch ID doesn't match enterprise security's fingerprint

Limited uses, no access for developers among limiting factors for enterprise security consideration.
Written by John Fontana, Contributor

Apple's new iPhone 5s Touch ID feature is poised to do more for device locking and the advancement of biometrics than it will for enterprise security.

Touch ID, a biometric authentication device hidden in Apple's old-style hardware/software dungeon, is more of a consumer play than an enterprise security feature.

With Apple confirming that third-party application developers are walled off from the iPhone's new authentication method, the likely win for enterprises is that more of their BYOD users will lock their phones, thus protecting the applications and data contained on them.

In terms of biometrics, Touch ID could ignite mass acceptance among consumers who will carry their enthusiasm and demands to the workplace.

Earlier this week, I talked about wearable computing potentially finding its killer app (authentication); in this case, biometrics may have found its killer host.

But all enterprise security architects and identity and access management (IAM) pros have found is another wait-and-see attitude.

"Good for consumers, nothing for enterprises. Same old Apple," said Gunnar Peterson, managing principal at the Arctec Group. "That doesn't mean they won't enable something useful for enterprise down the road, but I am not holding my breath."

From an enterprise perspective, Apple needs to allow third-party cloud and enterprise app developers to incorporate the feature. And Touch ID needs to open up to integration with enterprise single sign-on features of iOS7 and standards-based cloud and enterprise IAM systems.

Without those additions, the enterprise sleeps a little easier knowing more employees are locking phones, but it gets no other real tangible benefits to hang ROI on.

Enterprise security pros need to see under the covers, and Apple isn't lifting them. Let's face it, Apple isn't known in the enterprise for its security tools so a relationship still needs to be forged.

For Touch ID to have serious impact, it needs to integrate with back-end IAM systems that enterprises have already spent millions to develop. It needs to be a factor in authentication to all applications.

Apple said yesterday that Touch ID comprises the most advanced hardware and software it has put in any device, but it has missed the IAM industry's advancement toward openness and standards.

Touch ID also is not itself a two-factor authentication system, but it should be part of one. In fact, it will be pressured, by end users and enterprises, to integrate with the many two-factor authentication systems that have become de facto options for services like Google, Amazon Web Services and Dropbox, and for key developer outposts like GitHub.

Perhaps Touch ID's best chance is to align with the FIDO Alliance, which is focused on strong authentication and talks about a finger-sensor option paired with FIDO protocols under development. The Alliance aspires to provide plumbing protocols for biometric authentication at scale for cloud-based services.

Beyond Touch ID, Apple also touts other business benefits of the iPhone's iOS7 operating system. The company says those benefits provide "new ways to configure and deploy devices at scale, and features to help businesses purchase, distribute, and manage apps with ease." The pieces include mobile device management, enterprise single sign-on (SSO), and per app VPN.

But even here, Apple has gaps. Its enterprise SSO appears to be based solely on the Kerberos protocol, which is already supported on the iPhone. While Kerberos-based SSO is fine for employees accessing on-premises applications, it is not so useful for access to SaaS applications and is therefore not a good fit for hybrid enterprise cloud architectures.

There is rumor that Apple's enterprise SSO may support the venerable Security Assertion Markup Language (SAML), used today for federated identity management, and OAuth, an emerging authentication federation protocol finding favor in the cloud.

With Apple obviously focusing on the client side, it will need such standards support if it is to integrate with current server-side components that are being used by cloud services and enterprise identity architectures.

Touch ID may point to Apple getting into the enterprise ballpark, but for now, its chances are slim for getting into the enterprise security lineup.
