Apple unveiled the iPhone 5C and iPhone 5S at a press event at their corporate campus in Cupertino, California, earlier this week, and both phones provide a noticeable number of improvements over the existing iPhone 5. The iPhone 5C is aimed at the midrange of the smartphone market, comes enclosed in a seamless (and colorful) polycarbonate case, and starts at $99 — with a two-year service contract — for the 8GB model. The more significant of the two phones is the iPhone 5S, which boasts a 64-bit A7 processor; an M7 “motion processor” that combines the functions of the accelerometer, compass, and pyrometer into one unit; and an improved camera with two LED flashes and other improvements.
While tech bloggers and commenters can argue endlessly about how significant (or insignificant) these new iPhones are, there is one new feature of the iPhone 5S that just may end up being the most important of all, and that could signal a move towards enhanced security for all mobile devices: the ‘Touch ID’ biometric fingerprint scanner, which is integrated into the iPhone 5S home button.
The new iPhone 5S features a biometric fingerprint scanner, located in the circular home button at the base of the phone. (Source: Apple)
Granted, fingerprint scanners have been available for years, and many Petri IT Knowledgebase readers may be using laptops with integrated fingerprint sensor hardware to view this article. That said, fingerprint readers have yet to make a huge appearance on mobile devices — the Motorola ATRIX had a rudimentary one in 2011 — and Apple’s demonstrated ability at taking promising technologies and filing off the rough edges to create a enhanced user experience suitable for mass consumption is legendary. Smartphones existed before the iPhone, but the iPhone was the first to truly make touchscreens usable. Microsoft unveiled a tablet computer years before Apple did, but the iPad managed to effectively combine a touchscreen, long battery life, and interface simplicity that the tablet form factor needed for widespread adoption.
“We’ve had biometrics on some mid- to high-end laptops for quite a while,” says Daniel Peck, a research scientist for IT security vendor Barracuda Networks. “But there hasn’t been a [significant amount] of adoption there… some biometrics have historically been finicky, but from a security perspective this could be a really good thing.”
Peck also explained that Touch ID — if it works properly and as seamlessly as Apple promises it will — could help provide effective multi-factor authentication for the iPhone 5S and greatly enhance mobile security. “Multi-factor authentication requires at least two of these three things: something you have, something you are, or something you know.” By associating your unique fingerprint (something you are) with a password (something you know) and your specific mobile number and phone hardware (something you have), it quickly becomes extremely difficult — though not impossible — for someone to impersonate you when logging into online accounts and cloud services.
In a promotional video describing the new Touch ID feature, Apple Senior VP of Hardware Engineering Dan Riccio explains how the iPhone 5S handles fingerprint data. “All fingerprint information is encrypted and stored inside the secure enclave inside our new A7 chip,” Riccio says. “[There] it is locked away from everything else, only accessible by the touch ID sensor, and never available to other software, never stored on Apple’s servers or backed up to iCloud.”
A visual showing the iPhone 5S Touch ID fingerprint sensor dissembled into discrete components. (Source: Apple)
Paul Madsen, a Senior Technical Architect in the Office of the CTO at Ping Identity, agrees that Touch ID could be a big improvement for smartphone security. “We’ve internally spent most of the day discussing how Touch ID seems like a universally good thing,” Madsen says. “Anything that tightens the binding between a user and their phone is a good thing, and with fingerprint data being stored locally and not in the cloud, that minimizes the risk of security compromise and theft.”
Madsen also pointed to the FIDO Alliance, a non-profit organization and industry working group of more than a dozen vendors — including Google, BlackBerry, PayPal, Ping Identity, and more — that are working towards making similar authentication standards for other devices and services. “The FIDO Alliance is working towards standardizing biometric authentication to the phone,” says Madsen. “[This] effectively unlocks the device, and provides keys/credentials that can be used to authenticate users on a network. Apple’s Touch ID is a nice validation of that idea.”
Yet despite the potential of Touch ID to improve and streamline smartphone security, both Peck and Madsen agree that the true test of how effectively the technology will be is when millions of iPhone 5S devices land in the hands of consumers later this month. Madsen points to potential fear and ignorance of consumers who may not like the sound of “biometrics” and “fingerprints” in this post-Snowden world of NSA leaks, and Peck wonders how effectively Apple has been able to overcome some of the historical shortcomings of fingerprint scanners, such as users with fingers covered in grease, or operators who don’t align their fingerprints properly to be read effectively. If Apple hasn’t solved these technical challenges, consumers may simply disable the feature.
Yet despite those caveats, both Peck and Madsen feel that Touch ID will be the first of many new smartphone biometric technologies that could make smartphones more secure and hopefully relieve the password fatigue that users with dozens of online service accounts have to contend with. While Touch ID and the iPhone 5S may arguably be the most promising development in smartphone biometric security in years, even more devices are on the way. At press time, several sources where indicating that the new HTC One Maxx Android phone may ship with a fingerprint scanner functionality as well.