Apple’s iPhone 5s Touch ID: A Game Changer

We analysts are known for our bold predictions about the future. Well here’s one from me though I don’t really think it is the least bit audacious. In a few years, we will look back at the iPhone 5s as a milestone in terms of biometrics, strong authentication, and a wave of new types of trusted applications.

To be clear, this has very little to do with Apple, the iPhone, or Touch ID per se. As an analogy, few people (other than we industry history geeks) know about the Altair 8800, but many researchers believe that this microcomputer launched in 1975 unleashed the PC era and with it the introduction of Compaq, Dell, Intel, and Microsoft, and the associated changes they made to business and the world.

I believe the iPhone 5s Touch ID will have the same type of industrial and societal impact over time. Why? The new iPhone is the first device to align IT consumerization with the commodification of biometrics. Yeah, I know that some Dell and Lenovo PCs have thumb print readers too, but distribution and deployment has been limited. Alternatively, the iPhone 5s (and an emerging army of HTC, LG, Motorola, Nokia, and Samsung Android-based devices) will put biometrics in the hands of billions of consumers over the next few years.

Okay so what does this mean? Well now you have endpoints instrumented with strong authentication and a foundation for PKI. This could truly lead to the end of ridiculously insecure technologies like user name/passwords and American credit cards as well as expensive technologies like security tokens and smart cards.

What else? Think ubiquitous strong authentication/PKI for all users. This will certainly have an impact on the rash of identity theft. We could also (finally) implement applications for digital signing of documents and thus eliminate a lot of paperwork and lawyer fees. Our endpoints could be instrumented for asymmetric encryption making document exchange and storage more secure. Moving beyond this, think about applications like online voting, smart passports, greater anonymity, etc. This could also accelerate the whole “Internet of Things” movement by making tablets and smartphones secure data collectors and actuators. Finally, visionary financial services companies like Charles Schwab, and PayPal will make digital wallets and micro-payments a reality as they kick sand in the face of avaricious credit card providers like MasterCard and Visa.

So the future looks bright but don’t reach for your shades just yet. A German hacking group already announced that it hacked Touch ID, so before we fall into a state of biometric ga-ga, we better make sure that these endpoints are secure. Additionally, Apple needs to open up its proprietary tendencies to push biometric ubiquity as this movement will likely be way bigger than Apple, the iStore, iPhones, etc. Personally, I think Apple will have to do this over time or businesses and governments will simply look elsewhere.

For consumer biometrics to reach its potential, Apple and the industry at large must:

  1. Collaborate on standards. We need common protocols, APIs and secure transport layers so any device can take advantage of a massive-scale, consumer-focused back-end infrastructure. The Fido alliance has great promise here and already includes a diversity of members including Blackberry, LG, Lenovo, and PayPal. Apple should join the party.
  2. Marry hardware and software. Touch ID provides strong authentication for users so now we need similar technology for the devices themselves. This was the goal for the TPM chip but its clunky software architecture has kept it in the strong authentication doghouse for the past decade. The Trusted Computing Group, Intel, ARM, and others should alleviate this mess by developing a common – and useable – architecture here. Note to Intel on this: Assess whether Identity Protection Technology (IPT) really makes market sense or is just another proprietary boondoggle that won’t gain mass deployment. If it falls in the latter camp, opt for a more open model.
  3. Become privacy advocates. The down side of strong authentication and PKI is the potential impact on privacy. This is especially sensitive due to the recent revelations about the Orwellian NSA programs. Consumer biometrics providers need to become privacy advocates and push back on government snooping/tampering like the industry did in the 1990s toward the NSA-driven Clipper chip.
  4. Champion NSTIC. While it’s okay for the industry to thumb its nose at the NSA, it makes sense for the industry to work with the Feds on the National Strategy for Trusted Identities in Cyberspace (NSTIC) as this could accelerate trusted application development/deployment in the public and private sector.

In a few years, our smartphones will literally open doors for us. When they do, remember that Apple and its iPhone 5s Touch ID was the digital key that made this possible.

Topics: Cybersecurity Enterprise Mobility