Apple Buys-In – Will Biometrics Now Go Mainstream?

Yesterday Apple announced their latest iPhone 5S with Touch ID, a capacitive fingerprint sensor plus home button built in.  Apple says that Touch ID is a “security” function that also adds simplicity (ie. no more passwords).  During the iPhone 5S launch event, Apple indicated that only half of all current iPhone users implemented the passcode function on their iPhones, suggesting a security hole existed that has now been closed.  Touch ID, according to Apple, can be used for unlocking your phone and to make purchases in the App Store in iOS 7.

With the purchase of AuthenTec last year, we were not surprised that fingerprint functionality became part of Apple’s products.  The questions we all had was how quickly and which product first.  Now we know that at least iPhone 5S will include the technology. Does that mean iPad will get it next? It would be a natural conclusion based on how the two Apple devices have shared or inherited technology and feature/function in the past.

Another natural question for iPhone application providers is whether Touch ID can be leveraged for their particular application such as for in-app purchases, or to secure specific access to their application or specific functions within their application.  Although not yet made clear by Apple publicly, I would argue Apple’s answer is ‘yes’ as a part of the iOS 7 developers’ kit (or a future update). Touch ID could likely function as a black box to the application answering with simple yes or no (match or no match) answers regarding whomever’s finger is on the sensor at the moment.  Touch ID might also pass back some unique identifier for the person that could be matched up with an inputted claim, assuming multiple people can be enrolled in Touch ID.  Web applications could have access through a locally installed native app running on the device (a mini-app acting as an iOS plug in of sorts to interact with the web app).

Exactly how an application can and cannot interact is still unclear except for some information that was revealed in the Apple Touch ID video located on their site (it should be noted that it is the first video that plays from the iPhone 5C main page).  The video reveals that only Touch ID can access the personal biometric data (and other related identity data) stored in the “secure enclave” in the A7 chip.  Apple is very clear that ONLY Touch ID sensor has access this data and the data will not be backed up to Apple servers or to iCloud (and by extension, or to your Mac or PC).

Prior to their acquisition by Apple, AuthenTec allowed registered software partners access to a subset of commands controlling their sensors including access to live imagery coming from the sensor.  This allowed third party biometric software technology vendors to take advantage of sensors shipped built-in to various devices such as phones, tablets and laptops for their own customers’ purposes (instead of being required to install a second device). This enabled the AuthenTec devices to be used in a variety of applications, including thin client and smart client applications hosted on servers via the Internet or private networks.  This enabled many different fingerprint verification and identification algorithms and functions provided by these 3rd party software and systems to run on the device, on a server or in the cloud.  

Whether Apple will also allow partner access to live imagery and other needed sensor controls on Touch ID is yet to be seen.  This may require tapping into the secure channel that allows Touch ID to talk to the secure portion of the A7 processor, which would create a vulnerability that could be compromised.  Otherwise, a separate set of commands and communications channel (maybe even a separate chipset) would need to be provided that would be isolated from Touch ID’s internal command set and communications.

A key follow-on question that remains is how Apple’s buy-in to utilizing biometrics in their iPhone will influence others to buy-in alongside.  Certainly on the mobile application provider side, some may follow and take advantage of Touch ID built into the iPhone (and maybe a future iPad) and build native applications that could spur usage.  

However, for mobile application providers that want to work across other fingerprint-enabled devices and operating systems (such as those that ship in other countries or other future devices from Apple’s competitors), managing the many varied and proprietary OEM/embedded interfaces and functions could become a real nightmare due to 1) any lack of standards adoption, 2) the variability in performance and resilience, and 3) the many sophisticated proprietary technology and software routines used by these various embedded device vendors.

For other biometric technology, SDK and framework vendors to take advantage of the iPhone’s hardware, the jury is still out. The tight security controls in Touch ID may leave those vendors out of the running, and therefore limit additional applications to be built that utilize Apple devices.  Apple’s own proprietary sensing, processing and matching technology may be the only option for application providers wanting to use the built-in Touch ID sensor hardware.

For the biometric industry in general, however, the adoption of biometrics by Apple, a company that prides itself on quality assurance the first time, may spur new investment, application adoption and usage.  If Touch ID works well and adds real value, users may be willing to give up their fingerprints and other biometrics elsewhere.

I am eager to see how well older persons’ and hard workers’ fingers work (or do not work) with Touch ID, as dry and worn fingers have been a problem for these sensors in the past. I am also eager to see how many independent attempts to hack and spoof the Touch ID sensor are successful, as liveness detection continues to be a concern as we leave our fingerprints everywhere we go.  These two factors will affect whether adoption will occur elsewhere, including how other fingerprint hardware vendors perform under the same conditions.  Let’s hope Apple did all the right testing and quality assurance before they launched so these factors become irrelevant (for at least Apple devices anyway).