Apple introduced Touch ID along with the iPhone 5s and iOS 7 last fall. At launch, the technology was limited to two purposes – acting as a shortcut for a user’s passcode to unlock the device, and acting as an alternative to a user’s Apple ID and password when making purchases from Apple’s iTunes Store, App Store, and iBookstore.
With iOS 8, Apple is expanding the capabilities of Touch ID significantly by giving developers the APIs needed to use Touch ID as an authentication/authorization method in third-party apps. This is a powerful expansion of the technology, and one that could be applied to a wide range of different types of apps.
It’s easy to see the value of Touch ID in mobile commerce apps, as well as in mobile banking apps - PayPal was one of the first companies to express an interest in integrating Touch ID into its app and services. Password managers like 1Password from Agilebits are also prime uses for the technology. Apps that store confidential or sensitive information — like health and medical apps — can also benefit from integrating Touch ID.
Business and productivity apps, especially those designed to provide secure access to a company’s corporate resources and cloud services, are also areas where Touch ID could be implemented. That raises questions for IT leaders in many organizations to ask themselves:
- Is it a good idea to build Touch ID into our internal apps?
- Should we allow, encourage, or support Touch ID in apps from cloud storage and collaboration vendors?
- Are there reasons to avoid Touch ID, either in enterprise or third-party apps?
Given that it seems almost certain that Apple will expand the well-received Touch ID to any additional iOS devices launching later this year, these aren’t hypothetical questions. They’re questions that organizations will likely face as soon as Apple releases iOS 8 this fall.
Touch ID and the Secure Enclave
At a hardware level, Touch ID includes two primary components: the Touch ID Sensor, the fingerprint scanner built into the device’s home button, and the Secure Enclave, a coprocessor integrated into Apple’s A7 chip. The Secure Enclave is connected to the Touch ID Sensor and is responsible for processing fingerprint scans. Each Secure Enclave has a unique identity (UID) provisioned during the A7's fabrication process that cannot be accessed by other iOS components, and that is unknown even to Apple.
Touch ID is actually just one function of the Secure Enclave. Additional functions, such as cryptographic protection for data protection key management, were identified in the iOS Security Guide that Apple released in February. Further details were discussed during the Keychain and Authentication with Touch ID session at Apple’s Worldwide Developers Conference last month, which can be streamed from Apple’s developer site (a PDF of the presentation slides from the session is also available). Going forward, it seems clear that the Secure Enclave will be a key part of iOS security functions, beyond merely handling fingerprint identification.
It’s also worth mentioning that although the Touch ID Sensor is currently only available on the iPhone 5s, the additional functionality of the Secure Enclave is built into any iOS device with an A7 chip, which currently includes the iPad Air and the iPad mini with Retina Display in addition to the iPhone 5c, opening the door for more security features down the line.
Touch ID and a user’s passcode
Apple hasn’t envisioned Touch ID as a standalone biometric authentication system (or as part of a multi-factor authentication solution). That means it isn’t a replacement for a passcode. An iPhone 5s user must supply a passcode to enable Touch ID, and, once enabled, Touch ID is effectively a shortcut or pointer to that passcode.
The value that Touch ID offers is that it boasts the benefits of a complex passcode without the hassle of typing it dozens or hundreds of times a day – it makes a complex passcode easier to use.
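The two points above, the new third-party APIs and the fact that Touch ID is a shortcut to the passcode rather than a replacement for it, come together in the way an app would actually use them. The following is an added example, not code from the original article or from Apple: it stores a secret in the keychain with an access-control list that requires a passcode to be set on the device and user presence (Touch ID, with passcode fallback) at read time, and it checks whether the biometrics policy is usable before an app offers a "Use Touch ID" option. The service name and the sample token are constructed placeholders; the APIs (SecAccessControlCreateWithFlags, kSecAttrAccessControl, kSecUseOperationPrompt, LAContext) are the iOS 8 ones.

```objective-c
// Added example: gating a keychain secret behind Touch ID (with passcode fallback)
// using the iOS 8 Security and LocalAuthentication frameworks. Not the article's code.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Hypothetical service label for the keychain item (placeholder, not a real app id).
static NSString * const kExampleService = @"com.example.enterprise-app.session-token";

// Before showing a "Use Touch ID" switch, confirm the biometrics policy can be
// evaluated at all. No sensor, no enrolled fingers, or no passcode set all make it
// unusable, and `error` says which.
static BOOL TouchIDAvailable(NSError **error) {
    LAContext *context = [[LAContext alloc] init];
    return [context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                                error:error];
}

// Store `secret` so it is only readable when (a) a passcode is set on this device and
// (b) the user proves presence via Touch ID or the passcode at read time. Because the
// release decision is enforced by the keychain and Secure Enclave rather than by an
// app-side BOOL, tampering with the app's own "did the user authenticate?" check does
// not hand over the secret.
static OSStatus StoreProtectedSecret(NSData *secret) {
    CFErrorRef aclError = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // item is wiped if passcode is removed
        kSecAccessControlUserPresence,                   // Touch ID, with passcode fallback
        &aclError);
    if (acl == NULL) {
        if (aclError) CFRelease(aclError);
        return errSecParam;
    }
    // Replace any earlier copy so a repeated login does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
    });
    NSDictionary *attrs = @{
        (__bridge id)kSecClass:             (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:       kExampleService,
        (__bridge id)kSecValueData:         secret,
        (__bridge id)kSecAttrAccessControl: (__bridge id)acl,
    };
    // Returns errSecNotAvailable when no passcode is set: the passcode is a prerequisite.
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    return status;
}

// Read the secret back. iOS presents the Touch ID sheet with `reason`; if the user
// chooses "Enter Passcode" the system falls back to the passcode, which is exactly
// the shortcut-to-passcode relationship described above. The call blocks until the
// user responds, so it is kept off the main thread.
static void ReadProtectedSecret(NSString *reason,
                                void (^completion)(NSData *secret, OSStatus status)) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:        kExampleService,
        (__bridge id)kSecReturnData:         @YES,
        (__bridge id)kSecUseOperationPrompt: reason,
    };
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        CFTypeRef result = NULL;
        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
        NSData *data = (status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
        dispatch_async(dispatch_get_main_queue(), ^{ completion(data, status); });
    });
}

// Usage sketch with a constructed placeholder token (not a real credential):
//   NSError *why = nil;
//   if (!TouchIDAvailable(&why)) { /* hide the Touch ID option; why.code explains */ }
//   NSData *token = [@"session-token-placeholder" dataUsingEncoding:NSUTF8StringEncoding];
//   OSStatus stored = StoreProtectedSecret(token);   // errSecNotAvailable if no passcode
//   ReadProtectedSecret(@"Unlock your corporate session", ^(NSData *d, OSStatus st) {
//       if (st == errSecUserCanceled || st == errSecAuthFailed) { /* stay logged out */ }
//       else if (st == errSecSuccess) { /* use d, then discard it */ }
//   });
```

The important design choice for an enterprise app is the keychain access-control route rather than a bare `evaluatePolicy:` call whose YES/NO the app then trusts: with the ACL, the secret never leaves the keychain unless the system has satisfied the user-presence requirement, and `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` ensures the item disappears if the user later removes the passcode that Touch ID depends on.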