Rumors that Apple would integrate a biometric sensor in its future iPhone are even older than Apple’s acquisition of Australian fingerprint technology company Authentec in July 2012. These rumors inflated this summer, to the point that they seemed less like rumors than a well-distilled teasing by Cupertino.
Well, oracles were right. Here it is. Its name is TouchID.
TouchID is directly integrated in the Home button of iPhone 5S. You can register up to 5 fingers (yours or others), it doesn’t require to swipe a finger in front of the sensor to be recognized – you only have to put your finger on the button – and most surprisingly to many observers and critics of Apple, it seems to work really well.
But this post is not a product review – hopefully, because we'd be fired for releasing it so late – so if you read this article for something of this kind, refer instead to this cool one. No, it’s about the Why and the Who Cares. After all, Apple paid $356 million just for the Authentec acquisition, so there must be something!
Not the Security You’d Think
We’ve heard many people discussing whether or not biometry was more secure than a 4- or 6-digit PIN or a screen gesture. And actually, TouchID is reported to have already been hacked less than a week after iPhone 5S has been shipped to the market (to be precise: it was not “hacked”, it was “spoofed”, this is a very generic problem with fingerprint biometry). It actually misses the point, because TouchID is used to unlock the screen, but if you turn off your iPhone and then turn it on, you would still use a PIN, so Apple's objective is definitely not to make access to your iPhone bullet-proofed.
By integrating TouchID in the Home button, therefore making it transparent, Apple hopes that most users will turn on the PIN protection as well, and therefore that iPhones will be better protected than they are today where many users don’t activate a PIN to avoid typing it each time they unlock the screen.
Security is primarily about user behavior: make security transparent and you increase it.
Towards a Bio-generalization?
The ripple effect on the smartphone market that some forecast or hoped for (biometric sensor vendors, to begin with!) is not obvious. First, because of the possibility to spoof such sensors. Second, and more importantly, because phone manufacturers challenge the returns of any increase of their “hardware bill of materials."
Adding a biometric sensor would require either that it brings higher market shares because it is seen as cool and improves user experience compared to current inexpensive alternatives like screen gestures - we’ll see - or that it brings additional revenues, which leads us back to the initial question of why Apple made the Authentec acquisition last year: just to be cool?
Match on Card
Ideally, you would register your finger with the sensor and trust it to open all “doors,” whether actual doors, your iPhone, or your online accounts. You could forget about passwords and still be safe. But there’s a hitch: privacy.
In most countries, regulations impose a strict limit to the purposes for which biometric databases can be created. Typically, border control and identification of people convicted in criminal cases are authorized purposes, but signing in to Facebook is not.
Biometry can be used with no or little restriction when no database is involved, that is, when the biometric data is registered and carried by the user herself and matched locally to get access. This process is known as “match on card” vs. matching in a database. And indeed, with TouchID, your fingerprint is registered within your iPhone, and matched when you use a finger to unlock the phone. No Cloud database is queried in the process.
Unlock the Apps?
That sort of reduces the potential uses of TouchID, because an App on your iPhone cannot just simply ask you to put your finger and match it on some public online fingerprint database in order to connect you or to validate a transaction. There is, hopefully, no such database.
But then, how can you check out on iTunes with TouchID? Because Apple has built a model that doesn’t distinguish an iTunes user from an iPhone user: you must link your iPhone to an iTunes account to be able to use it. If your iPhone trusts it is you, so does iTunes.
What would prevent Apple to propose to third-party Apps – Facebook, Twitter, or your bank – to do the same and thus become a public Identity Provider? Actually, not much, and this is probably part of Apple bet on biometry – a risky bet, as long as sensors can be spoofed. For now, this feature doesn’t exist, so we can only speculate; it would probably only need Apple to expose a TouchID public key so that you can turn your iPhone into a Personal Identity Cloud, just like Mozilla Persona, Respect Network – and inWebo, by the way – are now proposing to. Monetizing it, however, is another story. We’ll try to handle this topic in a future post.
Does it Matter?
Tease the audience, but don’t disappoint it … we now have to answer the question I teased you with in the title of this post.
TouchID for now is a mere gadget, though we concede that it’s likely to have you better protect your iPhone if you were so lazy not to put a PIN on it so far. According to our creative colleagues at TechCrunch, you can register your palm or even your cat’s paws instead of your fingers. Do it! Try also the bubblegum attack. Possibilities are countless, so get ready to read reports from imaginative geeks trying crazy things. Same for Google Glass.
But the thing that will make it matter will be the release - or the support - of an API.