One of the widely trailed features of Apple’s new iPhone 5S is the fingerprint sensor or “Touch ID”. The idea is to provide a secure, convenient, alternative to typing in a passcode. However, the new feature may help improve the security of BYOD.
The new iPhone allows users to register five fingerprints to unlock the phone. This could be five digits belonging to one person, or fingerprints of different people “trusted” by the user to access his or her device.
The fingerprint sensor also enables one touch purchases through a user’s iTunes account – for example, from the iBooks, iTunes or App Stores. However, only one fingerprint can be registered with an iTunes account, meaning that only the user can authorise purchases through his or her account (assuming the user doesn’t lose his or her finger).
What does this mean for BYOD?
Whilst Apple and other tablet manufacturers largely market their devices as being personal rather than shared (each device is attached to a single iTunes account), the reality is that many iPads and tablets are shared by the owner with other people that they live with (I know that my wife certainly uses my iPad as much as I do).
If an employer has initiated BYOD for its employees that could cause a problem where tablets are shared, as sensitive and confidential business information may be accessible to non-employees. Mobile device management software can dictate the strength of passwords that have to be used, and other security settings, but they can’t stop someone sharing their password with someone else, or shoulder surfing.
I’m not sure what Apple’s plans are for fingerprint authorisation, and whether the API will be opened up to developers in iOS7, but it seems logical to me that this should be possible. If so, and assuming that the technology is rolled out to iPads too, then it opens up the possibility of applying an additional layer of security to apps where security is important, but where typing in a passcode interferes with the user experience.
For example, access to open an inbox for a particular email account could be conditional upon the user swiping a valid fingerprint. Alternatively, access to enterprise apps could require a quick swipe to authorise.
Taking things a step further, the fingerprint sensor could also be used to authenticate an electronic signature to conclude a contract or make an online purchase through other vendors. Perhaps it could even allow payment services providers to provide a more user friendly alternative to clunky schemes like Verified By Visa.
Fingerprint sensors are not new, but to date the technology has had limited success.
However, the rollout on smartphones could change that. It opens up a world of innovation, but also the prospect of new ways of managing information and data security.
On September 13, 2013