On Tuesday, Apple made good on a number of long circulating rumors with it’s now-expected annual September product announcement. Last year around this time, the company announced Touch ID – the fingerprint sensor that would be able to replace the lock screen PIN and iTunes passwords on the iPhone 5S. This year, Apple’s announcement brought more than just Touch ID to the table, and since it’s Mobile Biometrics Month at FindBiometrics we’re going to take a look at the new Apple releases and unpack some of the ideas surrounding what they might mean for identity management.
At Tuesday’s keynote, Apple started by announcing two new smartphone models: the iPhone 6 and the iPhone 6 Plus. Both feature the sapphire fingerprint sensor that was launched a year ago, apparently with no notable changes in hardware or software.
The major change this time around is that with the new mobile operating system that ships with both versions of the iPhone 6 – iOS 8 – Touch ID now has an expanded list of possible applications. Thanks to decisions announced earlier this year at WWDC, the new operating system will allow for third party developers to take advantage of the convenience of fingerprint authentication. This means that banking apps like the one offered by Mint.com, social media apps and anything that would once require a login can now be conveniently accessed with the touch of the proper finger, given that the program has been designed to do so.
More Touch ID is not a surprise. The iOS 8 announcement solidified Apple’s intention to champion its sensor access control solution. What is a surprise is the lack of mention in terms of any sort of new liveness detection features. Last year, when the iPhone 5S first made it into consumer hands, the online hacking community immediately set out to spoof Touch ID. They succeeded using a wood-glue spoof technique, and critics had a field day.
Additionally, the sensor’s false acceptance and rejection rates (illustrated by a number of user uploaded YouTube videos) had some users turning the function off all together. The end result is what Frost & Sullivan, in a new report titled Biometrics Go Mobile: A Market Overview calls low consumer confidence in smartphone biometrics.
Now, it is very possible that Touch ID has been improved and that Apple, wanting to keep things moving fast and not mention any thing less than past successes, simply left that detail out of the keynote. In any case, the company is confident enough in Touch ID that it is willing to integrate it into the second big announcement of the Apple Event.
As expected thanks to a last minute rumor that Apple would be partnering with Visa, MasterCard and American Express, the company drew back the curtain on a new iPhone mobile wallet app. Apple Pay, which takes advantage of partnerships with the previously mentioned credit card companies and six major banks, uses near field communication (NFC) technology to replace credit cards in the point of sale payment process.
On launch, Apple Pay will be accepted as payment by 22,000 retailers. It can use credit cards already on file in iTunes or users can add other cards by taking a picture and verifying their cardholder identity with their bank. It stores all card info in the iPhone’s secure element and generates dynamic security codes. This way, the payment is secure and private, not allowing retailers or cashiers access to see even the account number and Apple can’t know what a user is purchasing.
Of course, as an added layer of security, Touch ID authentication is used to authorize payment, making Apple Pay a mobile biometric payment solution.
The inclusion of Touch ID is sure to raise the eyebrows of critics. After all, a lost and spoofed iPhone 6 could lead to fraudulent online purchases. There are two factors, however, that can potentially answer this lost phone issue. First, Apple has built a kill switch function into Apple Pay, enabling users with lost phones to use Find My iPhone to disable the service without having to cancel credit cards.
The second factor is just a possibility at this point, but is also much cooler.
The biggest announcement on Tuesday, at least seemingly from Apple’s point of view, was its next gen wearable tech debut: the Apple Watch. Scheduled to be available some time in early 2015, the smartwatch is highly customizable and offers a whole bunch of nifty, convenient and – in the case of its heartbeat sharing function – downright strange features.
Among the Apple Watch’s practical functions is the ability to make Apple Pay transactions.
Because the Apple Watch must be tethered to an iPhone in order to function, both devices can potentially benefit from an additional proximity based authentication factor, bolstering security by virtue of the Apple user ecosystem.
Add in the eventual possibility of persistent vital biometric authentication courtesy of the Apple Watch’s own biometric sensors and what you get is a pretty robust multi-factor payment system requiring the presence of two devices, authenticated heart rhythm and a positive fingerprint ID.
Currently, the type of persistent vital biometric authentication described above does exist in the form of the Nymi wristband from Canadian biometric company Bionym. Though Apple hasn’t stated its intention to use its smartwatch’s vital biometric sensors for ID purposes, the fact that the company is looking outside the active living and fitness application box is encouraging. If Apple went as far as allowing users to share heartbeat vibrations as some sort of weird experiment in connectivity, it is only a matter of time before it thinks of using the sensors for security (that is, if it hasn’t already).
In the end, what we have coming from Apple are three new mobile devices that prominently feature biometrics and new payment technology. Time and testing will tell if they can stand up to the obstacles beset on them after last year’s high profile spoofing, but no matter what the eventual outcome, biometric Apple devices are being put into the hands of the public and now they finally have something to do with them.
September 11, 2014 – by Peter B. Counter