Apple's decision to include a fingerprint scanner in its new iPhone 5S is an important step toward bringing biometrics-based authentication into the mainstream. But there's still a long way to go before biometrics supplant usernames and passwords at the enterprise level.
Owners of the new phone can use a fingerprint to physically unlock their devices instead of using a numeric passcode. Apple will also let users confirm purchases from the iTunes store by swiping a finger on the sensor.
Apple executives have not yet revealed whether they will allow third-party developers to take advantage of the new TouchID fingerprint technology to build biometrics-based authentication into their apps. While TouchID is an important milestone toward getting users comfortable with using biometrics as an authentication credential, the technology has to expand beyond the Apple universe before it can truly be considered a game-changer or a significant security breakthrough, experts say.
Mobile Device Trends
Biometrics authentication is not new to the mobile space. Some laptop vendors, including Lenovo, have included fingerprint readers in their devices for several years. Plus, a number of smart phones and tablets already incorporate biometrics to authenticate users. And security vendor McAfee recently introduced an online file storage service that relies on voice recognition to authenticate users.
But all of these vendors use closed, proprietary models, which has made it difficult for biometrics to gain traction in the marketplace, experts say.
Market penetration for PCs and laptops with fingerprint sensors is about 20 percent, according to the FIDO Alliance, an industry group focused on open standards for authentication.
Even if a majority of iPhone users opt for the iPhone 5S, overall smart phone market penetration for fingerprint scanners will remain low, considering that research firm IDC estimates Apple has about 17 percent smart phone market share.
"We need solutions that include all of the different existing platforms - Windows, Android, Linux, as well as considering all types of authentication technologies, such as voice, face, and secure PIN," says Phillip Dunkelberger, CEO of Nok Nok Labs, an authentication technology firm that's a member of the FIDO Alliance.
Even so, Apple adding the fingerprint reader to the new iPhone could lead other vendors to follow suit. The iPhone's popularity and its reputation as a trendsetter could help more consumers feel comfortable with the idea of using fingerprint scanners on a regular basis. And once they are used to the idea of fingerprint scanners, other types of biometrics won't be far behind.
TouchID is the "first example of the potential for large-scale mass-market mobile biometric authentication," Dunkelberger says.
Improved Physical Device Security
Even if Apple keeps TouchID as a closed system, enterprises can derive an immediate benefit from the iPhone 5S.
As mentioned during Apple's launch event, only about half of smart phone users apply a passcode on their devices. This is a significant risk to organizations in the bring-your-own-device world; it means a significant number of devices containing sensitive corporate data or offering access to corporate systems are vulnerable. The risk of a data breach lessens among employees carrying new iPhones, because the process of locking and unlocking the device with a fingerprint is much simpler than setting a passcode.
"The first rule of security is if the attacker has physical access to your device, then the device is no longer yours. However, the use of biometrics has the potential to make it more difficult for the attacker, which can significantly reduce the impact of lost or stolen phones containing enterprise data," says Ryan Hurst, chief technology officer at GlobalSign, a certificate authority company.
As more consumers get familiar with biometrics technology, more enterprises may consider applying the technology to secure their systems. Organizations eventually will look at their own infrastructure and determine how to strengthen existing applications and systems with additional forms of authentication, Hurst says. While usernames and passwords will likely never be eradicated, adding further layers of authentication, such as biometrics, could become far more common.
One reason biometrics hasn't gained much momentum is the perception that the technology is complicated or inconvenient. That perception could change as use of the iPhone 5S TouchID grows.
Increased confidence and trust in biometrics among users could help the technology take off in a variety of areas, including online banking, mobile payments and single sign-on for certain applications and services. And the shift to biometrics could eventually enable organizations to extend their identity and access management strategies to cover mobile devices and applications.
But if users of TouchID get the impression that the technology is unreliable, they will turn it off, says Paul Henry, a security and forensic analyst with Lumension, an endpoint security company. And that could hurt progress toward wider adoption of biometrics.
So it's way too early to tell whether the iPhone 5S biometric security system will be a game changer, Henry says. For now, however, biometrics is in the spotlight thanks to Apple's newest smart phone.