What the iPhone 5S could mean for Strong Authentication

With today’s announcement by Apple of the new iPhone 5S, featuring Touch ID, their embedded fingerprint sensor, we are seeing an important change in the modern authentication landscape. Some of the details are still to emerge, but this is the first example of the potential for large-scale mass-market mobile biometric authentication. So what does this mean for both the industry and consumers?

It is important to recognize Apple’s commitment to strong authentication by allowing their customers to authenticate in a simple and secure fashion. Just as Apple has previously been a leader in driving the market for mobile applications, they are now in a position to securely identify their customers, allowing seamless and secure access to devices, app stores, and potentially in the future, 3rd-party sites.

The broad requirement to strongly authenticate users has become critical to the continuing growth of Internet services such as cloud storage, mobile commerce and payments. Online services are currently protected via simple and insecure passwords, or limited SMS 2-factor schemes, that continues to create a huge problem for the industry. We all have a large number of sites and applications that we interact with online – to pay bills, shop, store our music or photos. All of these sites have different password requirements – multiple characters, secret words, additional dates to remember – it’s no wonder that many of us have given up, re-using passwords across multiple sites or defaulting to simple phrases. 

The problem with password re-use is that it represents a security disaster. If I use the same credential across multiple sites then no matter how much money and resources a company invests in their own information security, that security effort will only be as good as the other sites that share the common password. 

This problem has been exacerbated by the huge number of large password databases that have been hacked over the last 18 months – we’ve seen Yahoo, LinkedIn, Evernote and many others that have suffered at the hands of hackers, and academic research has shown that more than 76% of the passwords across these large databases are the same. Hackers know this and can exploit these common passwords, resulting in data breaches for businesses and the potential for identity fraud for consumers. 

Consumers also recognize the weaknesses with this model and ask questions of their service providers. Research conducted by the Ponemon Institute, which we sponsored, shows that consumers do not trust sites that only rely on usernames and passwords. It also shows that there is a growing appetite for using biometrics as a stronger form of authentication, something Apple had anticipated with their acquisition of Authentec last year.

So Apple now has an embedded Fingerprint Sensor (FPS) that it can use to bind a user and a device, reducing the risk of fraud and improving the customer experience within the Apple walled ecosystem.  But,what about the rest of the Internet? 

If we look at the latest figures from IDC, Apple has a market share of 16.9%, potentially rising to 17.9% by 2017. This means that 82-83% of mobile phone users are not currently using Apple devices to go online.

The challenge, therefore, is to come up with a method that allows access to all online resources easily and securely, whether we are using an iPhone, an Android device, or a Windows PC. Only a unified approach, that supports all different device manufacturers, operating systems, browsers and security technologies, can meet the requirements of the modern computing age.

This is why Nok Nok Labs is a founding member of the FIDO Alliance, an industry non-profit working group, focused on building strong authentication unified protocols to meet the requirements of all devices and all types of users.

Together with PayPal, Google, BlackBerry, Validity, Lenovo and many others – we are working to build an authentication framework that supports a wide range of different authentication technologies (fingerprint, voice, face, secure PIN, USB device, etc.) using any device to securely identify a user and allow more natural access to online resources. 

Nok Nok Labs is shipping technology today for IOS, Android and Windows clients, and supports a wide range of authentication technologies - biometrics such as Fingerprint Sensors, Voice and Facial recognition, as well removable USB devices, secure PIN entry, as well as many others. We look forward to continue working with our partners to ensure that all devices are able to support many different strong authentication capabilities. Only then will we have an authentication ecosystem that modern businesses require and the modern consumer deserves. 

Further resources:

Apple’s video introduction to Touch ID
http://www.apple.com/iphone-5s/videos/#video-touch

Bruce Schneier on whether the iPhone fingerprint sensor can be hacked
http://www.wired.com/opinion/2013/09/what-if-apples-new-phone-has-fingerprint-authentication/

Apple iPhone Fingerprint Scanner Could Lift Authentication Market
http://www.crn.com/news/security/240161090/apple-iphone-fingerprint-scanner-could-lift-authentication-market.htm?pgno=1