Apple Corp. introduced the latest versions of its iPhone mobile phone yesterday to great fanfare, though the fever pitch that was common during the reign of Steve Jobs was noticeably absent. Articles and opinion pieces like this one, wondering whether Apple had lost its mojo, were common. And it goes without saying that if the headline is wondering whether you’ve lost your mojo, then you most certainly have.
Still, Apple didn’t disappoint with its iPhone and iOS updates, particularly in the security arena. Indeed, the long-rumored addition of a fingerprint reader may have been the most prominent new feature in an update where the most prominent changes (a faster, 64-bit processor, higher resolution camera, etc.) were transparent to the user.
So what do you need to know about the new iPhone and its biometric authentication feature? And how will the new iPhone 5S and its downmarket cousin, the 5C, impact Apple’s story vis-à-vis the Internet of Things? Here are some thoughts.
Touch ID – Apple Adds Fingerprint Authentication
When you write about security all the time, it’s easy to become blinded to the importance of what seem like incremental developments, or twists on stories you’ve been covering for a long time. I think this may prove to be the case with Touch ID, Apple’s fingerprint authentication feature for iPhone 5S. Sure – fingerprint scanning isn’t even close to “new” or “cool.” PC makers were putting it on their enterprise systems as long as ten years ago. The results were never great – the readers themselves were unreliable, prone to breaking and difficult to manage. Besides, in a threat environment dominated by exterior threats like worms, viruses, application-based compromises and denial of service attacks, locking down physical devices with biometrics wasn’t a top priority for most organizations.
But mobile devices are another matter entirely. Survey after survey has identified device theft and loss – rather than malware – as the biggest security threat mobile devices pose to both individuals and organizations. Add to that the fact that between 30 and 70 percent of mobile phone users don’t secure their device with a password, and you have a major problem. By all accounts, Apple’s integration of the fingerprint scanning technology the company purchased with the firm Authentec in July of last year is first-rate – with the scanner integrated into the 5S start button and the scanned print encrypted and stored locally within a secure container in the device’s new A7 processor. That alleviates the very real concern about Apple hoarding biometric data on users to accompany all the other personal data it has.
And finger scanning does more than answer the lost device problem – it also promises to improve user experience by reducing the time required to get a locked device unlocked and ready to use. So it’s both more secure and more user-friendly – a rare combination.
Finger Scanners – No Panacea
Of course, biometric data is no panacea. For one thing, Apple’s implementation of Touch ID is limited. The technology only works on the 5S, so existing iPhone users won’t get it. And, as Graham Cluley notes on his blog, the technology will only be used to secure the device itself, and approve purchases through Apple’s main e-commerce portals: iTunes, the App Store and Apple Bookstore. Third-party applications won’t have access (for now) to the fingerprint authentication option. That means all non-Apple applications running on iPhones will still require a separate password.
And, as the inestimable Bruce Schneier points out in this blog post, fingerprints aren’t exactly a secret (“you leave them everywhere”) and previous generations of fingerprint readers have proven to be susceptible to hacks – everything from simple photocopies of your print to the dreaded “Gummi finger.” They’re also prone to false negatives, especially given the natural variations in skin plasticity during the day (dry weather, humid weather, exposure to water). To compensate, Schneier says, Apple and others will likely err on the side of “false positives” to avoid shutting legitimate users out of their phone – opening the technology to the possibility of approving invalid logins.
Touch ID Will Be A Big Boost For Biometrics
It’s easy to make a lot of those limitations. But even taking them into account, I think that Apple’s decision to get behind fingerprint scanning with its 5S and – going forward – other iPhone and iPad models gives enormous exposure to the technology that far exceeds anything we’ve seen. Barring gruesome complications with the roll-out, millions of users will soon get in the habit of swiping a finger to access their mobile device. With that, we’ll all soon get acclimated to the notion of using a biometric and that, in turn, will give a green light to other application and device makers to consider using the technology, as well.
We saw the same “tipping point” happen with multi-factor authentication, which languished for years with limited adoption (online brokerage firm eTrade was an exception), but then became widely used by online platforms (Google, Twitter, Facebook, mobile banking) when paired with technologies that consumers were comfortable with: mobile devices and SMS.
With consumers comfortable with the concept of biometrics, the door opens, as well, to other kinds of biometrics. As the New York Times notes, those are fast multiplying and include everything from heartbeat patterns to brainwaves. With users securely and uniquely matched to their mobile device, possession of the mobile device itself can become a token to unlock further resources – both on the Web and in the (growing) Internet of Things.