Can Apple transfer its elegance to secure biometrics, access control?

Apple is putting together a quiver of biometric and gesture technology, but is it shooting for real security or consumer convenience?
Written by John Fontana, Contributor

With a fresh patent in hand this week for facial recognition, a fingerprint reader on its iPhone 5 and a new $345 million acquisition of 3D-sensor company PrimeSense, Apple seems to be putting some serious body English on the user interface.

Exhibit 1 from Apple's Facial Recognition patent. No. 124 points to an "image sensor" behind the screen.

Is Apple gunning to redefine interacting (re: authentication) and interfacing with computers, devices - and ultimately "things" in the computing environment at large? And will it reset expectations for security, as well as for innovation and convenience?

Apple's newest patent awarded by the U.S. Patent and Trademark Office points to a sophisticated array of biometric and gesture-based inputs across a range of devices and vertical industries.

If that is the case (the company isn't saying), can Apple's pedigree for elegant design overcome fickle user acceptance and current shortcomings in biometric technology and lap the field?

"The state of play today in consumer biometrics security is pretty primitive," said Steve Wilson, vice president and principal analyst at Constellation Research. "In security, we're accustomed to rigorous standards and testing; lots of peer review; all encryption algorithms being published. But with biometrics we still don't have agreed upon test protocols."

Wilson said consumer biometrics is all about convenience and has very little to do with serious security.

Apple found that out firsthand when the Touch ID fingerprint reader on the new iPhone 5 was hacked shortly after it hit the market. At that point, Apple went silent on the security value behind the iPhone biometric, which today is only used to simplify authentication to the device and gain entry to the App Store.

The facial recognition patent the company was awarded (US008600120), however, isn't confined to the company's "i" branded line of devices.

The patent references everything from devices, to televisions and stereos, portable video players, display devices, vehicle control systems, financial transaction systems, and any "like computing device capable of interfacing with a person."

Apple specifically calls out the need to recognize "passive users," people who are in front of, or near, their devices but are not actively using them. It reads like a tip of the hat to the PrimeSense technology, which is already used in Microsoft Kinect to interpret body movements and voice commands.

In addition, the patent indirectly points out inadequacies with passwords and states: "there is a need for a more efficient and reliable user access control mechanism for personal computing devices" (i.e., Touch ID and other biometrics).

So it appears Apple is setting up to use biometrics, including gestures (although there is debate as to when a gesture is or is not a biometric) to define authentication and interaction with computing devices.

But will facial recognition, fingerprint readers and sensor technology become a security perimeter for devices or remain convenience features?

Constellation Research's Wilson says there are major hurdles for Apple (and others) who might trend toward a security sell, including transparency, honest specifications, and a lack of standards.

"Sadly we just don't know enough about the technology," he says. "And as a result I have reservations about the trustworthiness of biometrics vendors."

Wilson says there are no real-life test methods in the field for biometric performance. He says the FBI advises that in the field it cannot predict how biometrics stand up to concerted attack.

"Imagine you were selling a safe to a bank manager but you couldn't tell her how well the safe will perform if a robber comes in with an oxy-acetylene torch," said Wilson.

False readings have always been a big concern with biometrics. When False Reject Rates are low it also means False Accept Rates are up, which means security is down.
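
The trade-off described above comes from where a matcher sets its acceptance threshold; the following is an added example, not from the article or any vendor, that sweeps that threshold over constructed similarity scores and shows how allowing retries shifts both error rates. The score distributions, function names and the independence assumption for retries are illustrative assumptions.

```python
import random

def make_scores(seed=7, n=5000):
    """Constructed similarity scores in [0, 1]; not real biometric data."""
    rng = random.Random(seed)
    clamp = lambda x: min(1.0, max(0.0, x))
    # Genuine attempts cluster high, impostor attempts low, with overlap.
    genuine = [clamp(rng.gauss(0.70, 0.12)) for _ in range(n)]
    impostor = [clamp(rng.gauss(0.40, 0.12)) for _ in range(n)]
    return genuine, impostor

def rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sweep(genuine, impostor, steps=101):
    """(threshold, FAR, FRR) for evenly spaced thresholds from 0 to 1."""
    out = []
    for i in range(steps):
        t = i / (steps - 1)
        out.append((t, *rates(genuine, impostor, t)))
    return out

def equal_error_point(curve):
    """Grid point where FAR and FRR are closest (approximate EER)."""
    return min(curve, key=lambda row: abs(row[1] - row[2]))

def with_retries(far, frr, attempts):
    """Per-session (FAR, FRR) if any of `attempts` tries may succeed.
    Assumes independent attempts, an idealisation; real retries correlate."""
    return 1 - (1 - far) ** attempts, frr ** attempts

if __name__ == "__main__":
    genuine, impostor = make_scores()
    curve = sweep(genuine, impostor)
    for t, far, frr in curve[30:81:10]:
        print(f"threshold={t:.2f}  FAR={far:.4f}  FRR={frr:.4f}")
    t, far, frr = equal_error_point(curve)
    print(f"approx. equal error point: threshold={t:.2f} FAR={far:.4f} FRR={frr:.4f}")
    # A strict threshold keeps FAR low; retries buy back usability at some FAR cost.
    far, frr = rates(genuine, impostor, 0.75)
    for n in (1, 3):
        print(n, "attempt(s):", with_retries(far, frr, n))
```
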

"Most consumers get all their understanding of biometrics from sci-fi movies," says Wilson. "They have no expectation of errors, or retries. There is a mad rush for novelty."

Wilson says with serious security the expectation is a decade or more of rigorous testing and certification. "With biometrics, vendors positively brag about their new gadget hot out of the lab."

Will Apple do that or will it rigorously test and set new standards and expectations like it has in the past? Touch ID is too early in its development to tell, but right now it does not point in that direction.

Will Apple piecemeal the technology, offering higher grades used on commercial devices or in high-security areas for authentication, authorization and privileged access? Will it let others build the commercial-grade technology and license its patent while keeping its own efforts in the consumer market?

"Biometrics only work for high security when the user is trained and willing to put up with retries in the interest of keeping the False Accept Rate low. Consumers have very low tolerance for false negatives and inconvenience," Wilson said.
