Biometric-based Authentication is Front-and-Center on Apple’s iPhone 5s
Apple’s iPhone 5s will be remembered as the personal communications device that got people engaged in serious discussions of the virtues of biometric authentication at scale. The early reactions follow some predictable patterns.
Skeptics point to the security vulnerabilities and long-term reliability issues associated with fingerprint readers that shipped with laptop computers, like IBM ThinkPads (later manufactured and distributed by Lenovo), Toshiba and Dell; as well as mobile phones from the likes of Motorola and LG. Privacy experts have been quick to question how Apple plans to keep biometric data, perhaps the most personal of all PII (personally identifiable information) safe from theft by malevolent hackers. Speaking of hackers, Andy Greenberg’s column in the venerable Forbes Magazine catalogued the ways that other fingerprint readers have been defeated by individuals who used Play-Doh or even Gummi Bears to lift and duplicate existing prints from smooth surfaces like the iPhone’s glass screen.
And in an Onion-like moment, Mashable went viral with this story and photo entitled “Little Girl Finds Security Flaw in iPhone 5s Fingerprint Scanner,” which its author attributed to Reddtor iZeeHunter.
On the other side of the ledger, the fingerprint-based activation feature, called Apple Touch ID, has its boosters as well. In a post on Internet2Go, my fellow analyst Greg Sterling called Touch ID, “the new Siri,” meaning that it is “a kind of ‘wow’ feature that helps it stand out from other smartphones.” The folks who brave the long lines because they want to be among the first to own the 5s will discover that biometric activation has real merit. It is much more secure than the four-digit codes used to protect past models. It is neatly integrated into the home button so that pressing it to activate is easier, more intuitive and, frankly, less smudge-prone than using the slide bar. They’ll even find that the system has its own form of liveness detection. During the product introduction event Phil Schiller, Apple’s head of marketing noted that the technology could perform liveness testing by detecting sub-epidermal skin layers. It sounds impressive, but skeptics say the only true test of such a system is experience over time.
Experience over time will also play an important role in defining the usefulness and acceptance of Touch ID. Out-of-the-box functionality is confined to secure device activation and authenticating/authorizing purchase instructions for media or other content through the iTunes store. In this respect, Apple is smart to attach constraints on what people can do with the new technology. In addition to keeping user expectations low, it increases the probability of success. Unlike Siri, which raised high hopes for the phone to understand virtually anything an individual would say using “natural language,” Touch ID will prove to be very good at a modest set of activities which, I believe, will lead individuals wanting more.
Siri introduced the general public to Personal Virtual Assistants, and tantalized the iPhone owning public with the vision of using spoken words to transform smartphones into indispensible tools for everyday activities. Perhaps they overpromised, but the introduction of Siri had a ripple effect that conditioned the public to expect bigger and better things from Google (offering speech input as an option for Google Now) and Microsoft (which is expected to introduce “Cortana” – a PVA designed to appeal to the highly visual gaming crowd), Nuance (whose Nina is being offered for mobile users, as well as enterprise Web sites to support automated chat) and dozens of others which we will be discussing in a forthcoming Report on the power of Personal Virtual Assistants for customer care and self-service.
Like Siri, Touch ID will legitimize an entire service domain – that of biometric authentication. Replacing PINs and passwords can have broad appeal to the general public. The simplicity of activating a device and authenticating is also a winner. As Amazon (and Apple) learned long ago, there is power to “One Click” or “One Touch” completion of a transaction. Adding biometric-based, strong authentication will lead to all sorts of discovery about powerful, highly personalized services that can be offered once a service provider has high confidence that it is in touch with the legitimate owner of a specific iPhone.
I would argue that, although Touch ID is a boon to providers of fingerprints as the preferred biometric, it bodes well for voice-based identity assertion and verification as well. Ever since Apple acquired AuthenTec in late 2012, we’d been expecting the company to integrate its chipsets and technologies into iPhones and iPads. It satisfied the need for strong, device based authentication. Apple did not disappoint, and was quick to introduce a system based on an architecture that keeps the biometric data on the device and doesn’t expose it to potential hackers or identity thieves. But voice can be a much more natural biometric when using a phone and Apple, by introducing a fingerprint-based system, has opened the door for solutions that integrate one or more alternatives: voice, face or iris are other candidates, but there are many other unique identifiers.
As we often counsel our clients and conference attendees, no single factor ever suffices. Creative combinations of authentication solutions embracing scanners, cameras, microphones are all fair game, and we have Apple to thank for getting the creative ball rolling.