If opened to app developers, Apple's Touch ID could give another authentication option to agencies looking to manage mobile devices, especially if other smartphone manufacturers follow suit.
Apple’s new iPhone 5s arrives with a feature that could be of interest to government users: a fingerprint scanner built into the home button. Called Touch ID, the scanner stores encrypted fingerprint data on the phone — as opposed to on an Apple server — and separate from other data and software in an isolated area of the phone’s A7 chip.
The company is touting Touch ID as a convenient way to unlock the phone or conduct transactions on Apple’s online stores without having to deal with PINs and passwords. But that extra layer of security also could come in handy for government and other public-sector employees who need to use two-factor authentication.
In the federal government, that second factor often is an ID card such as the Personal Identity Verification card at civilian agencies and the Common Access Card in the military. But it’s the rare mobile device that has an ID card reader, and vendors and the National Institute of Standards and Technology have been looking for alternatives.
NIST just released FIPS 201-2, the latest version of the Federal Information Processing Standard for PIV cards, which allows for PIV credentials to be used in a variety of form factors with mobile devices. And last year, the agency, in concert with the FBI and Homeland Security Department, developed specifications to allow biometric data sharing among mobile devices, published as Special Publication 500-288.
Whether Apple’s Touch ID can work within public-sector security platforms remains to be seen. Although Apple has yet to open its platform to app developers at banks, security providers and payment companies that have expressed interest, according to the Wall Street Journal, Touch ID adds another authentication option for mobile devices, whether agency-issued or BYOD. Agencies have been going mobile for some time, buying iPhones, Androids and BlackBerrys, while working on policies that would allow employees to use personal devices on the job.
An effective fingerprint reader could help. And if Apple’s proves to be effective, it’s likely that other device-makers will follow. Motorola included a fingerprint scanner in 2011’s ATRIX 4G, though it failed to catch on. But at least one Android device reportedly will include fingerprint scanning when it’s released later this year.
Of course, the critical question is how well Apple’s fingerprint scanner works. The website ReadWrite reports that the new Home button sits inside a circular ring that detects a finger and tells the scanner to get to work. The scanner takes a 500-pixel-per-inch image of the sub-epidermal layers of the skin and analyzes micro points in the fingerprint to confirm authentication.
Touch ID can scan more than one finger from a user, as well as scan multiple users for shared devices. Apple also says it can read fingerprints from any angle.
The technology is likely more secure than a four-digit PIN but, as Forbes reports, it’s still best used as an additional, rather than sole, authentication step. For one thing, it’s new, so users should be wary of trusting it off the bat. For another, hackers have found ways to defeat fingerprint protections. Forbes notes that a stolen phone would be covered with the user’s fingerprints and that researchers have found ways of lifting those fingerprints and then using them to fool the scanner.
But public-sector users are likely to be using two factors anyway. And if the iPhone 5s is a sign that biometrics are moving to smartphones, it gives them another option, even if it will be a while before that option can be fully trusted.