A fingerprint sensor has been built into Apple's latest iPhones, but what will this mean for enterprise security?
Apple’s influence on the smartphone market is undeniable, and this technology addition may lead to a revolution in smartphone security as others adopt similar technologies. But what does fingerprint security mean for the enterprise?
Dave Birch, director of Consult Hyperion, believes the feature is less about security and more about convenience. He said the fingerprint sensor will save users time, as they will no longer need to swipe their home screen and enter a four-digit pin to access their phone.
Apple’s new flagship device, the iPhone 5S, features a 500ppi fingerprint sensor in the home button of the device, which scans sub-epidermal skin layers. The addition is not particularly surprising, after Apple's July 2012 acquisition of Authentec, a mobile security company which specialises in fingerprint sensors.
The iPhone 5S is not the first smartphone to include fingerprint sensor technology – Motorola’s Atrix was, in 2011. But while the fingerprint technology is not new, Apple’s brand name and dedicated following could take the technology mainstream and inspire other manufacturers to add it to upcoming devices.
If successful, it is likely to move the industry away from passwords to biometric user authentication methods, but some argue that it is a sales tactic, rather than a robust addition to security.
Biometrics just one layer of security
two-factor authentication experts argue that biometrics should just be part of the way a user is identified.
Apple’s brand name and dedicated following could take fingerprint sensor technology mainstream and inspire other manufacturers to add it to upcoming devices
"A single factor, whether it’s a Pin (something you know), a smartphone (something you have), or a fingerprint (who you are), is not enough on its own. The iPhone’s fingerprint sensor is a significant step, but not a silver bullet,” said Thomas Bostrøm Jørgensen, CEO of Encap.
“Hacking a fingerprint may sound as if it’s only possible through rather gruesome means, but it is very possible to steal fingerprints through more social methods – lifting a print from a discarded coffee cup is no more science fiction than the fingerprint scanner itself,” he said.
But the technology does represent another step towards better smartphone security. This has become a growing concern as the devices become more regularly used to access data in the enterprise.
Richard Moulds, vice-president of product strategy at Thales e-Security, said the introduction of biometrics has raised the bar for personal security.
“The potential exists to not only protect access to the phone and the apps directly associated with it, but also to open up the prospect of strong authentication to a plethora of third-party services accessed from the phone, such as home banking and e-commerce,” he said.
Closing the door on developers
But Apple said it has no plans to allow the Touch ID sensor to be used for more than unlocking phones or verifying iTunes purchases. This is because the tech giant has not given the developer community access to the technology.
Apple chief Tim Cook indicated that the company may look for other uses for the sensor first, before opening it up to the developer community.
Given the history of fingerprint scanners on laptops and successful attempts by security researchers to bypass such systems, Apple is likely to wait until the technology is proven and widely accepted before opening it up to the wider developer community.
Tony Cripps, principal device analyst at Ovum, said that while the additional security at the authentication layer may provide some additional comfort level to enterprises, they will have very little control over how it is used.
More on mobile security
- Enterprise mobile security by the numbers
- Researchers warn of “huge” Android security flaw
- Network connectivity, security issues hinder mobile strategies
- Rapid malware growth for smartphones, reports G Data
“If Apple was to supply the APIs, then presumably at that point it does become possible to incorporate that into a device management suite,” he said.
Alex Mesguich, vice-president of enterprise research at Context, said the technology could facilitate the bring your own device (BYOD) trend in the workplace. He added that further down the line, if Apple allows developers to program external applications – organisations could use this feature to identify their employees before sending important information to the device.
Over time, if Apple opens up the technology and provides an application programming interface (API), third-party developers will be able to build in hooks that can integrate the device with corporate security. In the meantime, however, it seems that the fingerprint sensors will be seen as an additional security layer for devices.