Is everybody ready?
This week, David Braue and John Fontana debate the future of fingerprint sensors. Are they the answer for online security?
IT managers face a huge threat to global security: lazy users. The latest Microsoft Computing Safety Index (MCSI) confirms that – despite decades of both watching spy movies and being begged and browbeaten to follow company security policies – users still can’t be trusted to do the right thing.
They simply will not inconvenience themselves for security, so their smartphones are sitting ducks – and so is their employers’ sensitive data. Touch ID is the first real hope of fixing this, since even security-oblivious idiots aren’t likely to lose their fingers.
It's gimmicky and limited in its initial release, but its potential to revolutionise information security (not to mention e-commerce) is significant. Apple’s history suggests it will steadily expand the Touch ID API over time – allowing mobile device management (MDM) platforms to mandate fingerprint scanning for access to devices, or even to individual applications. It could also be used for de facto sandboxing by managing multiple user profiles – each with tight app and resource access controls.
Because fingerprints are non-repudiable, they provide legally enforceable audit trails of access to corporate systems, enterprise apps, and the like. They may not stop a mugger from hitting an employee over the head with the phone, but in all other respects widespread and consistently good fingerprint scanning is the biggest step forward in mass-market user authentication in more than a decade. If this doesn’t improve mobile security, nothing will.
The mobile fingerprint reader game is already off track. (See 2011. Motorola ATRIX 4G.) So Touch ID: not unique, not a game changer.
But hooray, Apple just eliminated two passwords from the stuffed cache of credentials the average user maintains. And on a device that averages 41 applications per user.
In a world defined by connectivity and single purpose apps, Apple's authentication entry is a consumer toy. In the enterprise, a germ tray. With zilch connectivity to backend ID and access management systems or cloud applications, what should be a security improvement and second-factor is neither.
And without an SDK, developers that made the App Store explode won't be able to lift a finger to raise Apple's security profile above a whimper. If Touch ID ignites the same closeted authentication engine mentality among other device vendors, it should ensure the death of secure cross-environment, cross device connectivity the cloud requires.
Fingerprints are the best answer today.
I am for Yes
It's a toy.
I am for No
Fingerprint recognition has been around for a while, but hasn't exactly gone mainstream. Do you think Apple can popularize it and make it mainstream, and even rid us of passwords?
I had a laptop with fingerprint scanner a decade ago, but its software had very few uses beyond logging me in and creating a secure file-storage area. The technology works, but the key to making it work well lies in the software. And, as we all know, when it comes to software, Apple makes magic with frightening regularity.
Once the inevitable fingerprint scanner-equipped iPad, MacBook Air and MacBook Pro have dropped by year’s end, most of the world’s most popular mobile devices will be fingerprint-enabled and part of the mass consciousness. Expanded APIs in iOS 7.1 will give application developers tightly managed access to the fingerprint scanner, and eventually we’ll be using our fingers to log into apps and Web sites instead of using passwords.
I am for Yes
If we had a nickel for every authentication scheme that was going to replace passwords, we could buy a lot of iPhones. It is well documented that biometrics is by no means a panacea. Passwords can be revoked/changed. Biometrics once compromised are forever compromised, argues Dave Aitel , CEO of Immunity.
Think about that for a second if you have ever had to change a password. Think about that as you plan to re-use your fingerprint "passcode" across services and applications. Cost and weakness in the current fingerprint technology, such as security implications of digitally stored fingerprint images, have conspired to keep readers out of the mainstream. Apple may expose more people to the convenience, but it also will surface questions and concerns. Users don't buy fingerprint readers, they buy applications. Until developers can tap into Apple's technology, what Apple has is a pilot program.
I am for No
What do you see as the implications for Touch ID and the enterprise? What's the effect on bring your own device?
Because it’s completely idiot proof, fingerprint scanning will be crucial to legitimizing BYOD as an acceptable mobile-device philosophy. Assuming Apple builds bridges to corporate Active Directory databases – and sets or supports open identity standards that add fingerprints to the panoply of acceptable user authentication techniques – Touch ID will quickly become the preferred, and mandatory, way of securing mobile devices.
While it offers a strong degree of protection on its own, it’s also worth mentioning that fingerprint scanning is especially useful for high-security environments – where it can be used along with a password or other authentication method as a second method of two-factor authentication. And who’s to say that you only need to scan one finger for access? It won’t be long before your super-secure system is accessed with a password like right-index, left-ring, right-pinkie, left-pinkie, left thumb. Take that, cybercriminals!
I am for Yes
Touch ID is a non-starter in the enterprise. BYOD negates hardware cost factors if users have iPhone readers, but enterprise security is a back-end software game. The backend is where critical pieces must be in place to realize an enterprise win. Currently, Touch ID has no way for the enterprise to tap the technology into their identity and access management systems (IAM).
Rumors are swirling that Apple may support ID standards like SAML and OAuth in iOS7's enterprise single sign-on (SSO) features, but how that relates to Touch ID is unknown. In fact, iOS7's SSO and Mobile Device Management pieces have more chance to impact enterprise BYOD than Touch ID. Enterprise appeal is not a wash, however, (more locked devices) but game-changing IT benefits tied to Touch ID won't come without mass iPhone adoption. But don't hold that hope. Pew Research numbers show Android winning the smartphone battle against iPhone in categories based on age, ethnicity, education and income.
I am for No
What are the strengths of fingerprint recognition technologies?
They rely on something we all have, cannot lose, and which is unique to each of us. This makes them both convenient and reliable for user identification – particularly if they are well integrated into the operating environment so they feel more like a natural, built-in feature than an add-on gimmick.
They are also, despite what you see in the movies, difficult to spoof – as long as the sensor has 'liveness detection' – meaning that it's designed to detect a pulse or other biologic signature to ensure the fingerprint is attached to a living person.
Furthermore, they’re impossible to reverse-engineer: despite all the hoopla about privacy and fingerprint theft, scanning is a one-way process. Once the scanner converts your fingerprint into a unique code, there’s no way to turn that code back into an image of the fingerprint. And, considering how Apple has secured Touch ID fingerprint hashes inside its chips, you’d struggle to access those codes in the first place.
I am for Yes
It binds a user to their device, which means the device could be used as a token to help establish authentication and authorization. It begins to show the importance of authentication via identity or attributes - instead of passwords - which helps support levels of increasingly stronger authentication as you combine data points (attributes) to determine that a user is who they say they are. Fingerprints are a great improvement over four-digit passcodes. But then again, even though Apple allows users to improve its passcode system with up to 37 characters, few choose to use it. Pick your favorite survey and see how many people (some say up to 60 percent) don't even lock their phones. (Yahoo CEO Marissa Mayer, we're looking at you.)
Think about how many people will forget their passcode when their inevitable Touch ID reset happens (reboot or dormant for 48 hours). How important security becomes for individuals ultimately determines the strength of any authentication technology.
I am for No
What are the weaknesses?
Fingerprint readers can’t read well through lotions, grease, dirt, and the like. This makes them unsuitable in many industrial environments.
Also, some fingerprint scanners are relatively easy to fool, since they use optical methods to read the fingerprint and may be tricked using a printed fingerprint on a piece of paper. This is why it's important to use fingerprint scanners, such as the AuthenTec technology that Apple acquired and used for Touch ID, with liveness detection.
I am for Yes
Once compromised, always compromised.
Enough said. You only have 10 fingers and 10 toes. Fingerprint readers can be, and have been, defeated, including the gummy bear attack that lifts a print off the sticky candy. Apple's fingerprint reader is said to negate some of these fingerprint tricks, but that will be confirmed only after widespread hacking. In Apple's case, cuts or scars could prevent accurate readings.
"Fingerprint recognition is not perfect," Geppy Parziale, biometrics expert and CEO of Invasivecode, a firm that develops applications for Apple's mobile devices, told the Sydney Morning Herald. Questions about fingerprints in circles outside of technology, most notably the legal arena, also raise concerns about the credibility of fingerprint "matches."
While these issues might not be relevant to all apps, financial or other transactional user authentications are another story.
I am for No
Many analysts have noted that fingerprint recognition could be a precursor to a mobile payments play from Apple. Do you agree? How would fingerprint recognition change the payment process?
There’s no question this is on the cards. Being able to register a fingerprint hash as part of, say, a PayPal account would provide a significant additional layer of security when conducting transactions. Apple is already using this sort of functionality by allowing iPhone 5s users to scan their fingerprints when buying apps; expect this capability to be expanded into new areas at Apple’s leisure, then eventually to third parties once Apple gets around to expanding its API.
Once credit-card issuers get in on the game, you’ll be able to register your fingerprint with your bank and add another important verification layer to any online purchase. Loyalty programs, government services, or even just games would all be more readily accessible. Another great usage model would be to allow the iPhone or iPad to support multiple users, each with different access and application rights: under this model, your son might be able to play certain games on your phone, but could be banned from accessing corporate app clients or even just movies above a certain rating.
I am for Yes
Yes, I agree. Fingerprint authentication binds a user to the device as mentioned previously. That is one important step when that device is used for mobile payments. But Apple's big miss so far? Lack of support for NFC. Samsung and Visa set the industry tone earlier this year with their NFC-based mobile payment partnership.
Apple has pieces in place, re: Passbook, to support retail transactions and loyalty for Apple users. Apple's iOS7 contains iBeacon, which is part of Apple's retail strategy, but details were not discussed at the iPhone 5s launch. Fingerprints are not a precursor to success as the debacle around former payments darling Pay by Touch shows - value determines success.
Apple could make its bid for significant change if the FIDO Alliance gets its act together on a protocol that leverages existing device hardware (TPM chips, NFC, One-Time Passwords), along with biometric devices. Why? PayPal's CIO, Michael Barrett, is FIDO's president.
I am for No
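John's points in this exchange (the device as a token that binds a user to it, FIDO-style protocols that pair device hardware with a biometric, and "once compromised, forever compromised") all come down to one design rule: the fingerprint template must never leave the device, and what the server sees must be a revocable key, not the finger. The following Python walkthrough is an added example, not Apple's, FIDO's or PayPal's code. It assumes hypothetical `SecureEnclave` and `Server` classes, a constant-time equality check standing in for a real matcher, and a symmetric HMAC device key as a simplification (a FIDO-style design would use an asymmetric key so the server stores only a public key); the "fingerprints" are constructed byte strings.

```python
"""Biometric-gated, device-bound login: the fingerprint template stays on the
device and the server only ever sees a challenge/response under a revocable
device key. Added example; not Apple's, FIDO's or PayPal's code."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SecureEnclave:
    """Hypothetical stand-in for the isolated store holding template and key.

    Assumption: the matcher is a constant-time equality check on a fixed
    template; a real sensor scores a noisy sample against stored minutiae.
    """

    def __init__(self) -> None:
        self._template: Optional[bytes] = None
        self._device_key: Optional[bytes] = None

    def enroll(self, template: bytes) -> bytes:
        """Store the template and mint a fresh device key; return the key so
        the (simplified, symmetric) server can be provisioned with it."""
        self._template = template
        self._device_key = secrets.token_bytes(32)
        return self._device_key

    def rotate_key(self) -> bytes:
        """Revocation: the finger is unchanged, only the key is replaced."""
        self._device_key = secrets.token_bytes(32)
        return self._device_key

    def _match(self, sample: bytes) -> bool:
        return self._template is not None and hmac.compare_digest(sample, self._template)

    def answer(self, sample: bytes, challenge: bytes) -> Optional[bytes]:
        """Release an HMAC over the challenge only if the finger matches.
        The template itself is never returned to the caller."""
        if not self._match(sample) or self._device_key is None:
            return None
        return hmac.new(self._device_key, challenge, hashlib.sha256).digest()


class Server:
    """Relying party: holds device keys, never templates or raw samples."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def register(self, device_id: str, key: bytes) -> None:
        self.keys[device_id] = key

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: Optional[bytes]) -> bool:
        nonce = self._pending.pop(device_id, None)  # single use: blocks replay
        key = self.keys.get(device_id)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, enclave: SecureEnclave, device_id: str, sample: bytes) -> bool:
    """One round trip: server challenge -> finger on sensor -> response."""
    nonce = server.challenge(device_id)
    return server.verify(device_id, enclave.answer(sample, nonce))


def run_scenario() -> Dict[str, bool]:
    """Constructed walkthrough; the 'fingerprints' are just labelled byte strings."""
    right_index = hashlib.sha256(b"constructed template: owner right index").digest()
    stranger = hashlib.sha256(b"constructed template: someone else").digest()
    enclave, server, dev = SecureEnclave(), Server(), "iphone-5s-0001"
    server.register(dev, enclave.enroll(right_index))

    results = {"owner_logs_in": login(server, enclave, dev, right_index),
               "stranger_rejected": not login(server, enclave, dev, stranger),
               "template_on_server": right_index in server.keys.values()}

    # Replay: capture a valid response and present it a second time.
    nonce = server.challenge(dev)
    captured = enclave.answer(right_index, nonce)
    server.verify(dev, captured)
    results["replay_rejected"] = not server.verify(dev, captured)

    # Compromise: the old key leaks; rotating it recovers, the finger needn't change.
    leaked = server.keys[dev]
    server.register(dev, enclave.rotate_key())
    nonce = server.challenge(dev)
    forged = hmac.new(leaked, nonce, hashlib.sha256).digest()
    results["leaked_key_rejected"] = not server.verify(dev, forged)
    results["owner_still_logs_in"] = login(server, enclave, dev, right_index)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The scenario shows the property each side of the debate is arguing about: the server never holds the template, a captured response cannot be replayed because each challenge is single use, and a leaked credential is fixed by rotating the device key while the user keeps the same finger. What cannot be rotated is the biometric itself, which is why it should only ever unlock a key locally rather than be sent anywhere.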
Given that Siri has been so-so and Apple's maps foray was an initial mess, are you confident that Touch ID will be perfect?
In this case, one rotten Apple doesn’t necessarily spoil the bunch. Sure, Siri has the same hit-or-miss, love-her-or-hate-her tendencies as your mother-in-law, and Apple Maps was only accurate if you closed one eye, squinted and brought your phone inside of your focal range until it went blurry. But Apple Maps is getting better – just check out the eye-popping 3D in a major city near you – and it occasionally even recognizes a street I want to go to. Things are looking up.
Of course, we cannot be confident that Touch ID will be perfect; its perceived efficacy will vary depending on the application, and there is always going to be some scathing review from someone whose fingerprints were burned off in a freak twerking accident, and who consequently cannot use Touch ID at all. But this is a hardware sensor, and not an all-software experiment like Siri and Apple Maps – and, remember, Touch ID is based on mature technology that Apple bought, not new technology it built. As long as Apple can interface its apps well with the sensor, Touch ID should be fine.
I am for Yes
No way. Both Apple Maps and Siri came out of the gate with noticeable limps. That is one reason Touch ID has limited scope. Apple spent three years developing this technology, and the result is a consumer grade, gee-whiz feature that fails to answer basic concerns around fingerprint technology and biometrics in general.
Apple is tearing a page from Microsoft's MO with return trips to the drawing board before technology becomes solid. Will consumers and IT invest in multiple revisions of Apple devices with hope the third time is a charm? Touch ID is a single step from gimmick given its limited functionality; potential is there, but perfection seems fleeting since it aims at a moving target. Noted security guru Bruce Schneier wrote in Wired magazine that biometrics almost certainly can be hacked. But perhaps the NSA has the most telling insight "Biometric systems alone do not currently provide adequate security for high assurance applications."
I am for No
Do you anticipate other smartphone makers will have fingerprint recognition hardware and software?
It’s worth noting that most Android smartphones have favored near field communication (NFC) technology for payments authentication, whereas Apple has taken a biometric approach for payment authentication. But if Touch ID becomes popular with users, effective fingerprint scanning will become a standard feature of new phones from all makers.
Apple will be working to change its users’ habits when it comes to security and authentication, and there’s no way competitors would risk being seen to have fallen behind. They’ll have to be careful to integrate good technology rather than making do with cheap-and-nasty options, however: once you standardize on less-than-robust fingerprint scanning, you risk spoiling the user experience – and putting another generation of users off of fingerprint scanning for good.
I am for Yes
It is already available, albeit only on one other device. But if a measurable revenue stream emerges, there is no doubt other smartphone vendors will rush to market. Look how touch screen and app store concepts were copied. Apple is the new guinea pig for fingerprint readers on devices. Readers for desktop computers and laptops crashed and burned due mostly to unreliability. The industry is watching to see if the iPhone is next.
I am for No
What are the security risks and rewards for Touch ID?
It will of course become an instant target for hackers trying to reverse-engineer its capabilities. Expect them to fail, generally, although if (or when) iOS 7 is jailbroken some ingenious hackers may figure out ways to manipulate the system. But I’d wager that Apple has put significant effort into ensuring that Touch ID’s security story is robust and reliable. Its storage of fingerprint data in encrypted format, in silicon rather than in software, suggests Apple is taking the security and integrity of Touch ID very, very seriously. If it ever loses its air of respectability, it will be game-over for Touch ID.
I am for Yes
Risks:
False sense of heightened security, Apple's focus thus far on the technology and not its application, vulnerable systems, compromised systems, cryptographic attacks, network attacks, operating system attacks, image storage issues, privacy issues, and data loss just to name a few that will get IT talking and balking.
Rewards:
On-device convenience, streamlined retail transactions with Apple, potential to fit into a larger security architecture, luxury for IT to take a wait-and-see attitude.
I am for No
Where do fingerprints fit in the mobile device management stack?
They’re a natural to replace (or complement) passwords as a method of both securing devices when they’re not being used, and ensuring user identity when users try to access network resources through the device. MDM tools are all about adding a layer of control to distant mobile devices, and fingerprints are a readily available way for distant users to prove their identity – and for device managers to discern that the person using a phone isn’t the person it’s registered to. Since there is no way to guess or brute-force a fingerprint, overall trust in MDM platforms should go up as a result.
I am for Yes
MDM controls policies associated with biometrics. Those policies define what is allowed to happen when the user puts their finger on the sensor. But again, without a plan to integrate Touch ID with other systems the point is moot. Apple hasn't even made a connection with MDM capabilities in iOS7. On the flip side, MDM is just the kind of mobile support system IT would like to test drive with biometrics (and other authenticators) so perhaps that is an IT inroad for Touch ID.
I am for No
If Touch ID is that promising why do you think Apple kept it limited to the iPhone 5S and avoided the iPhone 5C?
Every sensor introduces a new cost and complexity, and the iPhone 5c was always about low(er) cost and less complexity. The iPhone 5s is now Apple’s flagship phone, so it makes sense to be the only home for Touch ID at first; think about how Apple staggered the introduction of its Retina Display into its MacBooks, and you’ll know what to expect. If the imminent, updated iPad 5 doesn’t also have Touch ID, it will be a shock. The iPhone 5c might get a scanner in a few generations, but true to Apple practice Touch ID remains a premium feature for now.
I am for Yes
The iPhone 5c is not about technology. It is about satisfying Wall Street's desire to see a competitively priced smartphone from Apple. The reaction by the market spoke volumes (stock price plunge); and Touch ID was not sexy enough, or compelling enough, to turn the tide on that disappointment.
I am for No
How do you see Apple's developer strategy evolving with Touch ID? What can be done with those APIs?
Better API access would allow developers to use fingerprints anywhere they now require user ID-and-password combinations. You could use your fingerprint to log into Skype, verify an update on Facebook, digitally sign a document you scan by photographing with the iPhone’s camera. If you were to register your fingerprint with your Twitter account, you could make sure it was impossible to post an update without also swiping your fingerprint. The possibilities are endless.
The corporate applications are also significant, and nearly all of them deal with improving access to networked systems. Deep hooks from Touch ID into enterprise authentication systems will be a natural application; however, eventually fingerprint data will become a robust way of timestamping and signing entered data, controlling remote access to virtual desktops and data-centre servers, and integrating with mobile device management (MDM) tools for stronger authentication.
I am for Yes
Whether it's an API, a full SDK or something from the iOS Developer Enterprise Program for in-house apps, there has to be an integration strategy for Touch ID to have value outside the Apple environment. Apple gets pretty good marks for its iOS SDK, so there might be hope for credible app and IAM integration. The first entry point will be native mobile apps as cloud-based apps present too many privacy and image storage issues. There is not a Touch ID developer strategy, and CEO Tim Cook refused to even hint there might ever be one. Speculation on Stack Overflow's Question and Answer site held no hope for a Touch ID API, but yielded this speculation, "usage of the sensor, will only be done through interaction with the keychain allowing the OS to interact with the sensor, while keeping your app separate in its cozy little sandbox." The discussion was later closed.
I am for No
Can Touch ID curb iPhone theft?
Absolutely: if your iPhone is locked to only work with your fingerprint, and there is no way to bypass that control or game the iPhone-wiping system, any potential thief will quickly see that there’s no point trying to take the phone. Unless they also decide to take your finger – in which case, a lost iPhone is the least of your problems.
I am for Yes
No. According to Apple, an iPhone that is simply re-booted reverts to the user's four-digit passcode. And an iPhone that hasn't been unlocked for 48 hours also reverts to the user's passcode. A four-digit passcode has an average crack time of 20 minutes.
Crack the code, wipe the data and re-set the fingerprint scanner with your own print. Powned. Or more accurately, pawned.
I am for No
Thanks to David and John for a lively debate. And thanks to you for joining us. Closing statements will be posted on Wednesday and I'll give my final verdict on Thursday. You can check out the comments and add your own - and don't forget to vote.
David Braue
The resistance to Touch ID seems mainly based around the idea that “it doesn’t do everything already, so it’s a useless toy”. Sure, its limited implementation makes it a bit gimmicky now, but even as a simple password replacement Touch ID is better than security techniques most people aren’t using.
John argues that it's irrelevant because it lacks developer support, but this is short-sighted and unimaginative. Apple never does anything without a long-term plan, and I can guarantee it has not introduced a significant and prominent new sensor that will only function as an ineffectual toy.
It wasn’t too long ago, remember, that iOS didn’t even support multitasking. When Apple introduced that feature, it gave developers just a few multi-threaded service categories to prevent bad apps from compromising the user experience. The company knows there’s no point introducing a feature just to tick a box; poorly implemented, Touch ID could kill fingerprint biometrics’ potential forever.
That’s why Apple will steadily expand Touch ID’s relevance and capabilities by introducing the feature in the iPhone 5S, then expanding it to other devices and adding new developer hooks in iOS 7.1 and beyond. E-commerce, user authentication, gaming, whatever: give it a chance. Once users, businesses and developers get creative with Touch ID, today’s naysayers will be eating their words.
John Fontana
Speculation is cheap and that’s all that defines Touch ID’s future.
Today, it is a walled-off pilot program to scope any future uses. To believe Apple can solve one of computing’s all-time vexing issues with a single stroke of genius is short-sighted and ignores proven weaknesses in biometric readers and data, including accuracy, reliability and privacy.
How you enter your identifier is not game-changing. We don’t need another reader, we need a next-generation identity infrastructure. Think about that the next time you change your hacked password on 30 different Web sites.
What will foster authentication’s evolution is how ID and access management is federated on the back-end, including how ID traverses security boundaries, how trust is established, how tokens are issued/revoked, how user attributes are collected, stored and verified. That takes an integrated and decentralized village.
Apple lives on an island. The iPhone is a client, an end-point, an input mechanism. iPhone 5S, an authentication factor in the future? Perhaps. A game-changer? No.
Larry Dignan
Personally, I'm inclined to think Apple has found a way to popularize biometrics and fingerprint sensors, but I have to go with the argument. John simply had better arguments across the board. David put up a good battle, but the win goes to John.
Posted by Larry Dignan