Will Biometrics Replace Passwords As Keys To Our Digital Lives?

The fingerprint: A brilliant convenience or key to a dystopian future?

With the touch of a button, Apple’s iPhone 5s will change the mobile industry. And it just may simplify your life.

Thanks to its insanely simple implementation in the phone’s home button, Apple has taken the first big step toward making its mobile devices even more central to efficiently managing the security-dependent details of our daily lives.

Industry pundits told Cult of Mac that if consumers take to the technology, it will be an important move towards making the phone the key to unlocking dozens of interactions in our lives – everything from logging into our email and social networks with a touch of a finger to paying for purchases both large and small, to managing home security networks and timing the sprinklers in our backyards.

“All of the credentials that you carry around in your wallet – your corporate ID card, your parking pass, your credit cards, your debit cards, your boarding passes, your driving license, they’re all based on the same idea,” says Jay Meier, vice president of corporate development for BIO-key, a decade-old fingerprint authentication company whose technology is used by everyone from the FBI and the federal court system to companies such as IBM. “Driving a car, getting into a building, crossing a border, getting a revolving line of credit – they all represent the privilege of being able to do something and all of that is migrating onto the phone.”

So what else will biometric authentication enable and what’s in it for you?

For the approximately 40 million people in the United States who don’t bother with any security procedures at all, it’s an effortless way to secure their smartphones. The simplicity and efficiency of streamlining all those daily transactions and authentication procedures that underlie many of our daily lives is alluring, but experts say it could be a touchy issue for people concerned with privacy.

Ashkan Soltani, an independent privacy and security researcher, advises users to think about what they’re really using apps for before they enable fingerprint authentication.

“To the degree that [biometrics] are being used to authenticate into apps, I would probably refrain from using those features unless it’s apps where I have no problems with it, like my banking app, where I want strong security and identification features, where I want me and only me to access it,” he says. “But if it’s something else, like an online dating app, or something to do with browsing, I would not want to use that feature where I wouldn’t want all my activities tied to me as a person.”

For his part, Sebastien Taveau, chief technology officer of Validity, another fingerprint sensor company that’s been working with Samsung to integrate the sensors into its devices, argues that using biometrics is a much more secure method of locking down access to your information in the cloud.

“The phone will just be the lock to the cloud and you will be the key,” he says.

And he means that literally. Apple’s deployment of the biometric technology is limited in this initial phase to its own stores and it hasn’t opened up its platform to third-party app developers – meaning that the wholesale revolution in mobile commerce, identity management and payments won’t happen overnight, but that’s where the industry is headed.

Instead, in addition to unlocking their cool new iPhone, 5s owners will at first be able to use Touch ID to buy music and movies in iTunes, apps through the App Store and books through iBooks. Analysts say that the impact of the new feature will be limited until Apple provides an API to developers.

“If Apple develops an API and allows other non-Apple services to have access to the biometric, it opens up the entire mobile commerce world,” says Meier. Otherwise, the company either risks irrelevance as an industry standard alternative is developed (which would allow service providers such as banks to be device agnostic) or Apple forces service providers like banks to use its suite of technologies to reach customers.

This proprietary approach to biometric authentication has held back its use in the world of consumer technologies in the past decade, Meier says. Service providers such as banks don’t want to support dozens of different approaches to biometric authentication through different devices. They want industry standards so that they can deliver their services through any device.

At the same time, there are serious security issues that still need to be resolved with opening up Apple’s biometric authentication feature. Both security experts and analysts agree that keeping the authentication information stored on the device — as opposed to the cloud — is currently the safest approach. Meier argues that this architecture limits the widespread adoption of the technology.

Nevertheless, since Apple’s game-changing mobile products have become the barometer of the future for mobile devices, it’s widely acknowledged that the launch of Touch ID is accelerating the push for wider consumer adoption of biometric authentication.

For example, Apple bought the fingerprint sensor company Authentec in July last year. That same month, a group of Silicon Valley companies in the authentication and security lines of business banded together to form an industry-wide group to build an open alternative solution to the password.

They officially launched the Fast Identity Online (FIDO) Alliance this February. The group is anchored by industry veteran Michael Barrett, the former chief information security officer of PayPal. Taveau says that there’s momentum in the work of the alliance: The group is finalizing the technical specifications of its proposed authentication architecture (similar to Apple’s in that authentication takes place on the device as opposed to in the cloud) and plans to have specifications ready by the end of the year.

Membership of the alliance includes Google, BlackBerry, Lenovo, and PayPal, as well as several other chip, cloud security and authentication companies.

Soltani was the primary technical consultant for the Wall Street Journal’s “What They Know” series about Internet privacy and tracking, and a staff technologist at the Federal Trade Commission’s privacy and identity protection division.

He says that indiscriminate fingerprint authentication for apps is like someone watching over your shoulder as you browse the stacks at a library. If a stranger were peering over your shoulder as you perused the shelves, you might not end up looking at books that you stumble across that are controversial or prurient.

On the other hand, to ensure real security for access to apps where security is paramount, Soltani says that he’d want two-factor authentication. That is, as a user, he would want the bank or other service provider to require both a fingerprint and a secondary authentication, like a short code sent to the phone. In security parlance, this is a standard procedure of requiring an individual to prove who they are by providing something they have or are (a biometric measurement) and something they know (a code).

Indeed, according to Brent Iadarola, a mobile communications analyst at the research and consulting firm Frost & Sullivan, the launch of Touch ID is one step along a product road map that will enable a much more intrusive relationship between retailers and consumers.

Iadarola says that now that there’s a more seamless implementation of an authentication feature on the iPhone, he expects marketers to capitalize on it. Retail establishments might try to lure consumers their way with coupons and offers on their mobile devices as they stroll through public spaces like malls and airports.

These would have to be phone owners who had specifically chosen to allow these kinds of offers to be sent to them. Shop owners could potentially locate these potential consumers in proximity to their stores with Apple’s WiFiSLAM technology (a technology that enables mobile location tracking indoors), reach them with a customized message through iAds (Apple’s mobile advertising network) and allow payments and transactions through iWallet (its mobile payment system).

“This is essentially the convergence of location-based services with secure local payment. To me, that’s where Apple’s future is pointing,” he says.