Update: An earlier version of this story said the iPhone 5s was the first phone with a fingerprint sensor. This was an error introduced by the editing process, not the original author.
On the surface, Apple’s recent iPhone 5S announcement seemed just that: all surface, no substance. But as many reviewers have pointed out, the true star of the new model may not be its shimmering gold sheen but the fingerprint sensor built into its home button.
Using a fingerprint to prove you are who you claim to be is not new, and neither is putting a sensor in a phone. What is new is shipping one in a mass-market phone. And as your mobile phone becomes your carrier of content (such as photos), currency (think of it as a digital wallet) and identity (such as the credentials held in Apple’s Keychain), as well as your route to all manner of digital services, proving who you are will become essential for mobile everything.
Before mobile, Web security was rooted in the username/password paradigm. Your username and password defined the identity you used to authenticate to PayPal, Amazon, Google, Facebook and everything in between. There are stronger ways to secure access to Web sites, but typed passwords predominate because they are personal and easy to enter on a PC, which is where all Web activity took place until the smartphone arrived.
The smartphone and its similarly keyboard-deprived cousin, the tablet, are increasingly the jumping-off point for the Internet. Sometimes the journey starts in a browser; often it starts in an app. Either way, passwords are no fun on a mobile device: they are cumbersome to type and annoying to retype across multiple sites, services and apps. So anything that lightens the burden of typing passwords on a mobile device is a good thing.
Apple is not alone in recognizing that end users want to be rid of passwords on mobile devices. Single sign-on (SSO) technologies, applied to mobile, can significantly reduce the burden of recalling multiple passwords across different sites, apps and services. But what Apple has done is significant because it substitutes a highly personalized biometric for a password, which can streamline mobile commerce, mobile payments and every other kind of mobile-centered interaction or transaction.
Many commentators have rightly pointed out that biometrics are no panacea. A fingerprint cannot be rotated: if it is compromised, it is compromised permanently, whereas a leaked password can simply be changed. But there are straightforward ways to make biometric authentication stronger. A biometric can be combined with an over-the-air token such as a one-time password, or backed by context-aware, risk-based server-side challenges that demand more from the user as the risk of a request rises. It is what biometrics achieve compared with the alternative that makes fingerprint readers so powerful.
The iPhone 5S simplifies authentication for the average user, which encourages people to use security rather than work around it. It also discourages bad mobile habits such as choosing short, easily memorable, easy-to-type passwords that are trivially weak. Apple is not the first vendor to realize that consumers dislike passwords on mobile devices, but by bringing an alternative to the mass market it is drawing attention to both the need and the opportunity: killing the password may open mobile to a whole host of novel security-dependent Internet services.
By Dimitri Sirota, SVP Business Unit Strategy, Security of CA Technologies and co-founder of Layer 7.