Did Apple just kill the password?

Update: An earlier version of this story said the iPhone 5s was the first phone with a fingerprint sensor. This was an error introduced by the editing process, not the original author.

On the surface, Apple’s recent iPhone 5S announcement seemed just that: all surface, no substance. But as many reviewers have pointed out, the true star of the new model may not be its shimmering gold sheen, but instead the fingerprint sensor built into its home button.

Using a fingerprint to prove you are who you claim to be is not new. But building it into a phone is. And as your mobile phone becomes your carrier of content (such as photos), currency (think of it as a digital wallet) and identity (like Apple’s Keychain software) as well as your route to all manner of digital services, proving who you are will become essential for mobile everything.

Before mobile, Web security rooted itself in the username/password paradigm. Your username and password defined the identity you used to authenticate yourself to PayPal, Amazon, Google, Facebook and everything in between. There are stronger ways to secure access to Web sites, but written passwords predominate because they are personal and easy to type on a PC – where all Web pursuits took place – until the arrival of the smartphone.

The smartphone and its similarly keyboard-deprived cousin, the tablet, increasingly represent the jumping off point for the Internet today. Sometimes, it may start with a browser. Many times it begins with an app. In either case, passwords are no fun when you move to a mobile device. They are cumbersome to type and annoying when you have to type them repeatedly across multiple sites, services and apps. So anything that diminishes the burden of typing passwords on a mobile device is a good thing.

Apple is not alone in identifying that end users want ways to eliminate passwords on mobile devices. Single Sign-On (SSO) technologies – when applied to mobile – can significantly reduce the burden of recalling multiple passwords across different sites, apps and services. But what Apple has achieved is significant because it substitutes a highly-personalized biometric for a password. This has the power to streamline mobile commerce, mobile payments and every other kind of mobile-centered interaction or transaction.

Many commentators have rightfully pointed out that biometrics do not offer a panacea. If your fingerprint gets hacked, for instance, it’s hacked permanently. But there are easy ways of augmenting biometrics to make them stronger. Biometrics can be combined with over-the-air tokens like one-time passwords or supplemented with context-aware server-side challenges that increase their requirements based on risk. But it’s what they achieve when compared with the alternative that makes fingerprint readers so powerful.

The iPhone 5S simplifies authentication for the average user, which encourages security use and acceptance. It also eliminates bad mobile habits like using short, easily memorable, easy-to-type passwords that scream insecurity. Apple is not the first vendor to realize consumers don’t like passwords on mobile devices. But by bringing an alternative to the mass market, it is helping to draw attention to the need and the opportunity: killing the password may open mobile to a whole host of novel security-dependent internet services.

By Dimitri Sirota, SVP Business Unit Strategy, Security of CA Technologies and co-founder of Layer 7.

29 Responses to “Did Apple just kill the password?”

  1. dimitrisirota

    The piece does not claim Apple was first to implement a biometric on a computing device or even in a mobile phone. Samsung also introduced biometrics in its latest device. However, Apple, by virtue of its market influence and mass market appeal, is uniquely positioned to popularize a technology such as this.

    Moreover, the assertion of this article is that biometrics have a potentially larger role in mobile than they did with PCs. Passwords are tedious to type on a small handset without a dedicated keyboard. This encourages users to implement zero security or weak security with easily retyped passwords or simple PINs. Like all authentication schemes, biometrics are not infallible. But they do represent a stronger option than the typical PIN or password, and by making them transparent to implement they represent an important advancement that we will likely find repeated across diverse mobile devices going forward.

  2. Walter Cruz

    I don’t really understand why the big issue if it’s the 5s that is the first in fingerprint sensor or not. We just need to appreciate how Apple gives this tech hype. This is good for the tech itself and thus for the end users. I am pretty sure other companies would do the same concept, but maybe better. Who’s lucky now? Users.

    More surprising stories here about technology and the people behind them! —

  3. Karl Klept

    I have been gesturing my way into my Android phone for years. Good to know I can change that gesture anytime if I think it’s been stolen. Anyway, answer to your question is no.

  4. JSintheUS

    Finally! An article by an author who recognizes how utterly revolutionary the fingerprint sensor actually is! Thank you! No more usernames, passwords, credit cards, etc. This is a brave new world!

  5. My Motorola Atrix has had fingerprint scanning technology since 2011. Did this author do any research before posting such a ridiculous Apple fanboi article?

    Not only that, but the fact that you must create a backup password (in case the fingerprint scan fails) makes this simply a novelty feature. Since a password can still be used to bypass the fingerprint scan, what makes this technology any more secure than using a phone with password authentication?

    So…NO, Apple did not just kill the password. They did take a “cool” novelty feature that has been around for years and implemented it onto their brand of overpriced, inferior-feature phones.

  6. gtlindner

    I like the fingerprint reader idea, but am curious how the password works in conjunction with it. I don’t own a 5s and haven’t read anything that clearly describes how the password and fingerprint reader work with each other.
    After the fingerprint scan/unlock, is it possible to have the user enter a password as a 2nd form of identification? If so, does it happen EVERY time?
    I think there’d be value in a password lockout period in addition to the fingerprint scanner such that after the period, the user would have to also enter the password. So, for instance, if the password lockout was set to like 4 hours, then the user would have to scan their fingerprint and enter a password. When the lock screen enables, a timer starts. If the user unlocks the phone with their thumb in less than 4 hours, the password is not prompted. If it’s been longer than 4 hours, then the user is prompted for that 2nd form of ID (the password).
    I think the password locking timeout should be user definable with increments from immediately to like 12 hours.
    Now, if that was how the fingerprint reader and password unlock worked, I’d be on board with the security…

  7. I think the premise is wrong. You don’t want to use a fingerprint to have access to everything on your smartphone. More sensitive/important data/access should require something more once you are past your smartphone’s initial security screen.

    For example, to access your bank account, you should still have to use a more secure password, regardless of whether you access your smartphone with a pattern lock, pin, facial recognition or a fingerprint.

    And yes, it is rather shocking that an article written more than four hours after Apple’s announcement could wrongly claim the iPhone was first.

  8. Let me get this straight… You think that locking your phone, with something you leave all over your phone, equals security?

    Did Apple kill the password? IDK, did the Fujitsu F-10D kill it last year? What about the Atrix the year before that? No? Then probably not.

    Frankly, fingerprints are horrible for authentication. Besides the fact that you leave them on everything you touch, they never change. Once someone has a copy, they’re good for life.

    And I’m certain the NSA or some other three letter agency will force Apple to install fingerprint collection software. If they haven’t already. I wouldn’t touch the home button without gloves. If I was foolish enough to want one of these devices, I’d put black electrical tape over the button and the sensor ring for my own safety.

    In fact, given the number of electrocutions caused by iPhones lately, I’d probably wrap the whole thing in electric tape, just to be sure. :)

  9. Isn’t GigaOm supposed to be a specialist blogging site?

    When I read an article like this, I feel like I’m reading teenage bloggers that are discovering new ropes.

    Get your facts first, and maybe also get your info from a specialist. Is Kevin Tofel still around? You could ask him one or two things about this kind of technology on mobile devices…

  10. GeekCoefficient

    If you rely on your fingerprint to protect your data then you are an idiot. I can take your fingerprint by force or other methods. I prefer something you know and something you have…

  11. Others might be having better luck with the fingerprint scanner than I am, but I find it extremely inconsistent. It will work beautifully some times of day and then later on it won’t work at all. Later, it will work again. Not sure what could cause the inconsistencies, but it is really frustrating and not ready for prime time.

  12. Laughing_Boy48

    The Motorola Atrix was the first smartphone with a fingerprint scanner (which used finger swipe and not mere touch). It beat Apple’s iPhone by about two years. It just didn’t get nearly as much recognition as the iPhone is getting. It didn’t work all that well, either. One of those Motorola products that are easily forgotten.