The net is buzzing with its usual mixture of the possible, the potential and the damn-right ridiculous predictions on what Apple will announce later today at its September device event. In the mix has been a number of rumours on what Apple may do in terms of supporting biometrics. Time will tell, but before the event takes place here is a list of some of them with my views on them.
iPhone 7
The most believable is changes to the home button with either a more flushed designed button integrated into the display or removal completely. Most fingerprint sensor designers have been working on integrating a sensor underneath the display (under glass) rather than underneath a coated button and Apple is probably ahead of the curve in its development.
There is a strong possibility that Touch ID on iPhone 7 will be an under the glass sensor (probably still capacitive) and Apple may have had to either reduce the thickness of the glass or develop a recess in the glass to reduce its thickness to ensure that the sensor's performance is not degraded.
The integration under glass may also mean the development of 'Force' Touch ID and could mean that the sensor could improve anti-spoof capabilities by measuring the force of its registered user's touch in addition to the usual matching against stored fingerprint templates.
With Iris being integrated into the Samsung GN7 (unfortunately recalled) there have also been rumours that iris recognition will be supported in this version. It is likely that this will have to wait until at least iPhone 8.
Watch 2
The most reliable rumours on new sensors points to GPS. As my Sony SmartWatch 3 has this feature, I can definitely see that having GPS in a watch definitely makes the device more independent and is a great feature when you out running (According to Google Fit this last occurred in February for me - shocking I know). The partnership between Precise Biometrics, FPC, Gemalto and STMicro in developing a biometric platform for wearables has given us a clear indication that integrating biometric sensors into wearables, for authentication and identity, is viable. Whether Apple sees any merit in doing so is questionable. Payments has been a major driving force for biometrics and for Apple to support a standalone payments app on a smartwatch that replicates the iPhone security environment including the secure enclave is debatable from a business case point of view.
We may see the watch having more independence from a paired iPhone but I would be surprised to see a decoupling in this context. I would say there is an outside chance of a separate biometric (identity) sensor being integrated into Watch 2.
I look forward in hearing what Apple will actually do later today and will follow-up this blog with another one with analysis on anything that is important from a security and identity perspective.
Addendum 09/09: After the official announcements from Apple on iPhone 7 and Watch 2, comments on my predictions. Not a lot of direct announcements on biometrics. However, Apple has changed the home button in creating a solid state version with force features and taptic feedback. There was no clarity on whether there is any changes to Touch ID as a result of this change. As predicted, no support for other modalities including Iris and no Biometrics for the Watch. I am currently researching the mobile biometrics market so keep a watch out for further updates in this area. Thanks. Alan
Showing posts with label apple. Show all posts
Showing posts with label apple. Show all posts
Wednesday, 7 September 2016
Wednesday, 11 September 2013
iPhone 5S Touch ID - What Apple announced (how much did I get right)
AT 10am EDT yesterday (10/09/2013) Apple held their latest event to announce two new iPhones (iPhone 5S and iPhone 5C) and the latest version of iOS (iOS 7). The event coincided with my attendance at a school information meeting. I thought it wise not to follow Twitter on how the event was progressing even though I was itching to find out whether the fingerprint sensor had made it to the phone - besides, the school hall has awful mobile reception.
The previous day (09/09/2013) I wrote a blog making predictions on how Apple would utilise the fingerprint sensor. So how did I do?
First, let's take a look at what Apple announced yesterday.
What Apple Announced?
Along with a faster processor and the next version of iOs (iOS 7) Apple announced the fruits of their AuthenTec acquisition, Touch ID - "a new fingerprint identity sensor". In other words an optical fingerprint sensor embedded underneath the Home button of the iPhone 5S.
In a video released to coincide with the announcement, Apple's chief design guru, Jony Ive, emphasises that Touch ID is more about convenience than security by saying that it "enhances the user's experience" and "is the next step in using your iPhone" as well as "protecting all of the information" held on the phone.
Touch ID will have two functions at lauch:
How does it work?
Once a user has enrolled (a user can enrol a single or multiple fingers) with Touch ID they can then replace the Passcode to unlock a locked device with the touch of their enrolled finger(s). One of the issues of previous smartphones with embedded fingerprint sensors (including the Atrix 4G) was a lack of other supporting functionality outside of the unlock phone feature. Apple have taken a positive step forwards by also allowing the fingerprint to provide authentication for iTunes payments - replacing the Apple ID password with the fingerprint. Is this the entry point (or pilot) for Apple's fingerprint-authenticated mPayments and will Apple store payments come next?
Technology
As with any embedded fingerprint sensor the service is a combination of hardware and software. The new Home button is made from sapphire crystal that both protects the sensor and acts as a lens to enhance the fingerprint. A steel ring has been inserted surrounding the button that detects the finger and wakes up the sensor (probably saves the battery). The optical sensor takes a high resolution image of the print (taken from the subepidermal surface of the skin to counteract damaged and ageing epidermi). The captured image is then compared with the stored template that was captured during the enrolment process.
Is it secure?
Based on these figures I am estimating over 20 million iPhone 5S units will be sold around the world by the end of Christmas 2013 - that's a lot of fingerprint sensors. That's more mobile fingerprint sensors than AuthenTec had shipped before being sold to Apple.
Back in 2011 I forecast that there would be 19.4 million mobile devices shipping with embedded fingerprint sensors by 2015. Apple are probably going to blow that forecast in a single quarter.
As a result of this momentous news for the biometrics industry I am going to revise the forecasts from 2011 and publish these in the coming weeks. I feel that Touch ID will have a direct impact on the biometrics industry in general and in particular the mobile biometrics industry. Other mobile phone manufacturers will probably follow-suit with similar solutions, not just fingerprint. Apple also acquired a lot of fingerprint IP when they purchased AuthenTec. This may well restrict what other mobile device ODMs can do with embedded fingerprint sensors.
One this is for certain, the Apple announcement yesterday will propel biometrics into the mainstream. This knock-on effect will not just be for fingerprint sensors but for many other modalities including voice, facial, eye (iris and retina) and other emerging ones such as heart rhythm and behaviour. Linked to attempts to standardise authentication and identity verification (notably The FIDO Alliance) and the movement of identity services to the cloud will bring about a revolution in how we authenticate and identify ourselves for digital services across multiple endpoints (Remember the smart phone is part of a constantly evolving cycle of technology innovation and we are at the beginning of the start of another one - wearable computing).
It is certainly an exciting time for those of us that work in the security and authentication industries.
Alan Goode - September 11 2013
The previous day (09/09/2013) I wrote a blog making predictions on how Apple would utilise the fingerprint sensor. So how did I do?
First, let's take a look at what Apple announced yesterday.
What Apple Announced?
 |
| Source: Apple |
In a video released to coincide with the announcement, Apple's chief design guru, Jony Ive, emphasises that Touch ID is more about convenience than security by saying that it "enhances the user's experience" and "is the next step in using your iPhone" as well as "protecting all of the information" held on the phone.
Touch ID will have two functions at lauch:
- Unlock the phone (iPhone Passcode replacement)
- Authenticate into iTunes (Apple ID Passcode replacement)
How does it work?
Once a user has enrolled (a user can enrol a single or multiple fingers) with Touch ID they can then replace the Passcode to unlock a locked device with the touch of their enrolled finger(s). One of the issues of previous smartphones with embedded fingerprint sensors (including the Atrix 4G) was a lack of other supporting functionality outside of the unlock phone feature. Apple have taken a positive step forwards by also allowing the fingerprint to provide authentication for iTunes payments - replacing the Apple ID password with the fingerprint. Is this the entry point (or pilot) for Apple's fingerprint-authenticated mPayments and will Apple store payments come next?
Technology
As with any embedded fingerprint sensor the service is a combination of hardware and software. The new Home button is made from sapphire crystal that both protects the sensor and acts as a lens to enhance the fingerprint. A steel ring has been inserted surrounding the button that detects the finger and wakes up the sensor (probably saves the battery). The optical sensor takes a high resolution image of the print (taken from the subepidermal surface of the skin to counteract damaged and ageing epidermi). The captured image is then compared with the stored template that was captured during the enrolment process.
Is it secure?
According to Apple, all fingerprint information is encrypted and stored securely in a 'Secure Enclave' on the new A7 chip. Details of this process have not yet been released but I am guessing that a unique key is used for this encryption. There is also mention on whether the hardware protecting the template is FIPS 140-2 compliant.
Dan Riccio, SVP, Hardware Engineering, Apple, has stated that the template is "never accessible by other software, never stored on Apple's servers or backed up to the iCloud". Expect to see these these claims coming under the microscopes of security researchers eager to test out this latest piece of security kit.
No security is 100% secure and optical fingerprint sensors are no exception. There have been a number of well-documented replay and relay attacks on sensors that can circumvent the security or the security process that supports the sensor. I am pretty sure that Touch ID will be successfully targeted and we will see the tech and national press quick to highlight the security failings of Apple's flagship iPhone. The question is whether these attacks can be replicated by the average thief (hundreds of iPhones are stolen on a daily basis). Are we also going to see phone thieves force their users to unlock their devices with their fingerprints or even chop off a finger, as Lookout Mobile Security's Marc Rogers suggests in this interview with the Mirror newspaper. Possibly, but it will be tricky for a violent thief to do this as which finger has the user enrolled? However, if this does happen than it could end up being a PR disaster for Apple.
It is also interesting to hear Apple emphasise features such as convenience and user convenience, not security or theft deterrence. If Touch ID is accurate and speedy, iPhone unlocks and iTunes transactions will be performed at a faster rate than those performed by password-verification.
Did I get my predictions right?
Yesterday I predicted that:
- Apple would release an iPhone with an embedded fingerprint sensor contained in the home button
- The main uses of the fingerprint sensor would be:
- To protect the device (phone unlock)
- Link to iTunes for authentication
- Enable mobile payments using the iTunes account at Apple stores
- It wont be opened up to third party developers at launch
4 out of 5 isn't bad and I feel that if there is a positive reception from iPhone 5S users to Touch ID then Apple will look to other services being included in the service and one of these will be mPayments at physical stores.
I am also confident that we will see this technology embedded within other Apple devices including both the iPad and the iPad mini.
How many iPhone 5S's will Apple sell and what does it mean for the mobile biometric market?
There is a feeling that the lower-priced iPhone 5C will sell more than the Touch-ID equipped 5S but how many units will Apple shift? On its launch last year the iPhone 5 sold more than 5 million units in its first weekend. The last official figures from Apple for Q3 2013 stated that 31.2 million iPhone were sold around the world (that's going to be mixture of 4's, 4S's and 5's).Based on these figures I am estimating over 20 million iPhone 5S units will be sold around the world by the end of Christmas 2013 - that's a lot of fingerprint sensors. That's more mobile fingerprint sensors than AuthenTec had shipped before being sold to Apple.
Back in 2011 I forecast that there would be 19.4 million mobile devices shipping with embedded fingerprint sensors by 2015. Apple are probably going to blow that forecast in a single quarter.
As a result of this momentous news for the biometrics industry I am going to revise the forecasts from 2011 and publish these in the coming weeks. I feel that Touch ID will have a direct impact on the biometrics industry in general and in particular the mobile biometrics industry. Other mobile phone manufacturers will probably follow-suit with similar solutions, not just fingerprint. Apple also acquired a lot of fingerprint IP when they purchased AuthenTec. This may well restrict what other mobile device ODMs can do with embedded fingerprint sensors.
One this is for certain, the Apple announcement yesterday will propel biometrics into the mainstream. This knock-on effect will not just be for fingerprint sensors but for many other modalities including voice, facial, eye (iris and retina) and other emerging ones such as heart rhythm and behaviour. Linked to attempts to standardise authentication and identity verification (notably The FIDO Alliance) and the movement of identity services to the cloud will bring about a revolution in how we authenticate and identify ourselves for digital services across multiple endpoints (Remember the smart phone is part of a constantly evolving cycle of technology innovation and we are at the beginning of the start of another one - wearable computing).
It is certainly an exciting time for those of us that work in the security and authentication industries.
Alan Goode - September 11 2013
Monday, 9 September 2013
iPhone 5S Fingerprint Sensor: What I think Apple will do with it - it's not just about security!
I am writing this blog a day before Apple's September 10 event where it has been widely predicted by journalists and analysts alike that Apple will launch the next generation iPhone with an embedded fingerprint sensor (EFS).
So how will Apple use the fingerprint sensor?
I have been covering this market for many years now (Goode Intelligence published a report in June 2011 investigating the market for mobile biometrics) and spoke with the team at AuthenTec (Fingerprint Sensor manufacturer) before they were acquired by Apple.
I am currently working on a number of projects for Goode Intelligence that cover this market, a report investigating the market for mobile authentication and identity verification that covers biometrics and a report taking a look at the security of wearable technology and how it can be used for authentication purposes.
As part of this research I have talked to many biometric technology vendors, including fingerprint sensor manufacturers, buoyed by Apple's potential move in this area. All of them indicate that Apple will tomorrow launch an iPhone with a fingerprint sensor. I share this prediction - it may come back to haunt me tomorrow when we see an iPhone with no sensor - perhaps its an iWatch with a fingerprint sensor!
I predict that Apple could make use of the embedded fingerprint sensor (probably an optical EFS) in the following ways:
Protect the device
My last smartphone was an Android-powered Motorola Atrix 4G - I think I may have been one of the few owners in the UK. It was not a bad smartphone, OK it ran a pretty old version of Android but I could live with that because it had an embedded fingerprint sensor integrated into the rear of the phone doubling up as a power button (see below) - sound familiar? What I loved about this phone was the ability to unlock the device by using the fingerprint sensor (supplied by AuthenTec).
After a pretty simple enrolment process I could use a fingerprint swipe to unlock the device and in approximately 90% of occasions it worked first time. I regularly travel into London, commuting on public trains and tubes and by swiping the sensor with an enrolled finger I could avoid any potential passcode shoulder surfing - a real deterrent against theft.
What I didn't like about this phone, and this is a lesson for any ODM thinking of embedding a biometric sensor into a phone, was the lack of a supporting ecosystem. By using the lock feature, I could conveniently protect my phone from unauthorised use but little else. Motorola, and this is the same mistake made by other fingerprint sensor manufacturers who have sold to laptop and netbook OEMs, didn't create the supporting ecosystem (APIs or SDKs) that could be utilised by other stakeholders, such as third-party app developers and service providers. No one, outside of Motorola, could utilise the benefits of the sensor.
So enough about Motorola, let us turn to Apple. I believe that Apple will launch with a fingerprint-enabled unlock feature on the iPhone 5S users. To protect this device in a similar manner to the Atrix 4G by unlocking the iPhone by use of an enrolled finger swiping on pressing the iPhone home button. The iPhone 5S stroke - coming to a train near you soon!
eCommerce
The second feature that I feel will be fingerprint-enabled from tomorrow will be the ability to use a fingerprint in iPhone initiated eCommerce transactions. The iPhone as a payment method. Perhaps without needing NFC (for now anyway).
Apple has become not only a successful computer manufacturer but a very important retailer of digital media. Earlier this year (June 2013), Apple CEO, Tim Cook, announced the there were 575 million registered iTunes accounts around the world. Accounts do not equate to unique users but even so we must be talking of half a billion people who are iTunes users and who have registered their credit cards with Apple.
These 575 million iTunes accounts have downloaded a total of 50 billion apps from the app store and paid for billions of dollars of digital content including films, music and books. According to CNNMoney iTunes generated $12.9 billion in 2012. These figures detail the importance of Apple as a very successful retailer, both on-line and physical (There are a reported 413 physical Apple stores located in 14 countries).
Like any successful retailer Apple will suffer from financial fraud and there have been reports of fraud affecting Apple iTunes. By adding the requirement for a second factor (what you are - your fingerprint) in combination of what you have (the iPhone), fraud surrounding iTunes transactions (for iPhone 5S users) could be significantly reduced.
Fingerprints could also be used to protect Apple's wallet service, Passbook. Apple's vision is to have Passbook as a secure wallet service that contains valuable digital files, boarding passes, loyalty cards, event tickets and retail coupons. A convenient and secure method to protect this valuable information would be to fingerprint-enable Passbook.
Passbook may also be turned into a payment tool. I predict that we will see Passbook being used as a mPayment tool with the user's fingerprint being used to unlock the wallet and then to authenticate transactions. Initially I believe that this will be used (think of it as a pilot) in Apple stores. It could work like this. I am browsing in my local Apple store and I would like to purchase a new MacBook Air. I take my iPhone 5S out, open up the Passbook app and authenticate using my fingerprint. I choose the payment feature and this activates the barcode scanner. I scan in the barcode for the Air and press the 'Buy' button. It asks me to verify my identity and I scan my fingerprint (possibly also entering in my Apple ID passcode, although this may be a bit clunky for a physical store). It verifies me as the account holder and then initiates the transaction (checks whether I have the funds and goes through the fraud management system). Happily for me, and for Apple, I pass all the checks and it sends down a receipt to the phone (contained in the protected Passbook). The receipt could contain a barcode that a retail assistant could check before handing over my lovely shiny new gadget. It could work - quick, convenient and pretty secure.
Will it be open?
In conversations I have with technology vendors working in this space I am always asked my opinion on whether Apple will open up the sensor for third-party use (The authentication vendors may be secretly scared of having their business model disrupted by Apple - not the first and definitely not the last). My answer is a qualified no. Apple's history has been to keep its technology within its garden walls and not to open it up. I believe that any low-level authentication SDKs and APIs that directly call the sensor will be shut off from third-party access. It may wish to add some high-level functions to its iOS development library that make use of the sensor for payment and in-app billing features but, at least for the short-term, I would be surprised that they open it up to authentication vendors.
What may happen is a replication of a trend that we are seeing for consumer end-user authentication. The quasi-federated model where a large, trusted, internet service will provide authentication services on behalf of a third-party service provider. For instance, I can choose to authenticate into my Spotify account using my Facebook ID. Facebook have become the broker for my identity (This also includes Google). Apple could offer a similar sort of service using the fingerprint sensor as part of the response to the challenge. Widen its network, gather vital user intelligence and increase its sphere of influence through identity verification services.
To sum up
I know we have been here before (NFC), but I believe that a piece of security kit that has been hidden away in high-security buildings and been collecting dust on laptops around the world will get the Apple magic tomorrow and Apple will make it work. It is being driven by a combination of convenient security and a desire for Apple to benefit from half a billion credit card owners by enabling iPhone initiated payments at physical stores.
This will have a direct impact on the biometric industry and will propel biometrics into the mainstream.
I welcome any feedback from this blog (including typos and factual corrections).
Disclaimer: This is my personal viewpoint and does not reflect those of my employer, Goode Intelligence.
So how will Apple use the fingerprint sensor?
I have been covering this market for many years now (Goode Intelligence published a report in June 2011 investigating the market for mobile biometrics) and spoke with the team at AuthenTec (Fingerprint Sensor manufacturer) before they were acquired by Apple.
I am currently working on a number of projects for Goode Intelligence that cover this market, a report investigating the market for mobile authentication and identity verification that covers biometrics and a report taking a look at the security of wearable technology and how it can be used for authentication purposes.
As part of this research I have talked to many biometric technology vendors, including fingerprint sensor manufacturers, buoyed by Apple's potential move in this area. All of them indicate that Apple will tomorrow launch an iPhone with a fingerprint sensor. I share this prediction - it may come back to haunt me tomorrow when we see an iPhone with no sensor - perhaps its an iWatch with a fingerprint sensor!
I predict that Apple could make use of the embedded fingerprint sensor (probably an optical EFS) in the following ways:
Protect the device
My last smartphone was an Android-powered Motorola Atrix 4G - I think I may have been one of the few owners in the UK. It was not a bad smartphone, OK it ran a pretty old version of Android but I could live with that because it had an embedded fingerprint sensor integrated into the rear of the phone doubling up as a power button (see below) - sound familiar? What I loved about this phone was the ability to unlock the device by using the fingerprint sensor (supplied by AuthenTec).
After a pretty simple enrolment process I could use a fingerprint swipe to unlock the device and in approximately 90% of occasions it worked first time. I regularly travel into London, commuting on public trains and tubes and by swiping the sensor with an enrolled finger I could avoid any potential passcode shoulder surfing - a real deterrent against theft.
What I didn't like about this phone, and this is a lesson for any ODM thinking of embedding a biometric sensor into a phone, was the lack of a supporting ecosystem. By using the lock feature, I could conveniently protect my phone from unauthorised use but little else. Motorola, and this is the same mistake made by other fingerprint sensor manufacturers who have sold to laptop and netbook OEMs, didn't create the supporting ecosystem (APIs or SDKs) that could be utilised by other stakeholders, such as third-party app developers and service providers. No one, outside of Motorola, could utilise the benefits of the sensor.
So enough about Motorola, let us turn to Apple. I believe that Apple will launch with a fingerprint-enabled unlock feature on the iPhone 5S users. To protect this device in a similar manner to the Atrix 4G by unlocking the iPhone by use of an enrolled finger swiping on pressing the iPhone home button. The iPhone 5S stroke - coming to a train near you soon!
eCommerce
The second feature that I feel will be fingerprint-enabled from tomorrow will be the ability to use a fingerprint in iPhone initiated eCommerce transactions. The iPhone as a payment method. Perhaps without needing NFC (for now anyway).
Apple has become not only a successful computer manufacturer but a very important retailer of digital media. Earlier this year (June 2013), Apple CEO, Tim Cook, announced the there were 575 million registered iTunes accounts around the world. Accounts do not equate to unique users but even so we must be talking of half a billion people who are iTunes users and who have registered their credit cards with Apple.
These 575 million iTunes accounts have downloaded a total of 50 billion apps from the app store and paid for billions of dollars of digital content including films, music and books. According to CNNMoney iTunes generated $12.9 billion in 2012. These figures detail the importance of Apple as a very successful retailer, both on-line and physical (There are a reported 413 physical Apple stores located in 14 countries).
Like any successful retailer Apple will suffer from financial fraud and there have been reports of fraud affecting Apple iTunes. By adding the requirement for a second factor (what you are - your fingerprint) in combination of what you have (the iPhone), fraud surrounding iTunes transactions (for iPhone 5S users) could be significantly reduced.
Fingerprints could also be used to protect Apple's wallet service, Passbook. Apple's vision is to have Passbook as a secure wallet service that contains valuable digital files, boarding passes, loyalty cards, event tickets and retail coupons. A convenient and secure method to protect this valuable information would be to fingerprint-enable Passbook.
Passbook may also be turned into a payment tool. I predict that we will see Passbook being used as a mPayment tool with the user's fingerprint being used to unlock the wallet and then to authenticate transactions. Initially I believe that this will be used (think of it as a pilot) in Apple stores. It could work like this. I am browsing in my local Apple store and I would like to purchase a new MacBook Air. I take my iPhone 5S out, open up the Passbook app and authenticate using my fingerprint. I choose the payment feature and this activates the barcode scanner. I scan in the barcode for the Air and press the 'Buy' button. It asks me to verify my identity and I scan my fingerprint (possibly also entering in my Apple ID passcode, although this may be a bit clunky for a physical store). It verifies me as the account holder and then initiates the transaction (checks whether I have the funds and goes through the fraud management system). Happily for me, and for Apple, I pass all the checks and it sends down a receipt to the phone (contained in the protected Passbook). The receipt could contain a barcode that a retail assistant could check before handing over my lovely shiny new gadget. It could work - quick, convenient and pretty secure.
Will it be open?
In conversations I have with technology vendors working in this space I am always asked my opinion on whether Apple will open up the sensor for third-party use (The authentication vendors may be secretly scared of having their business model disrupted by Apple - not the first and definitely not the last). My answer is a qualified no. Apple's history has been to keep its technology within its garden walls and not to open it up. I believe that any low-level authentication SDKs and APIs that directly call the sensor will be shut off from third-party access. It may wish to add some high-level functions to its iOS development library that make use of the sensor for payment and in-app billing features but, at least for the short-term, I would be surprised that they open it up to authentication vendors.
What may happen is a replication of a trend that we are seeing for consumer end-user authentication. The quasi-federated model where a large, trusted, internet service will provide authentication services on behalf of a third-party service provider. For instance, I can choose to authenticate into my Spotify account using my Facebook ID. Facebook have become the broker for my identity (This also includes Google). Apple could offer a similar sort of service using the fingerprint sensor as part of the response to the challenge. Widen its network, gather vital user intelligence and increase its sphere of influence through identity verification services.
To sum up
I know we have been here before (NFC), but I believe that a piece of security kit that has been hidden away in high-security buildings and been collecting dust on laptops around the world will get the Apple magic tomorrow and Apple will make it work. It is being driven by a combination of convenient security and a desire for Apple to benefit from half a billion credit card owners by enabling iPhone initiated payments at physical stores.
This will have a direct impact on the biometric industry and will propel biometrics into the mainstream.
I welcome any feedback from this blog (including typos and factual corrections).
Disclaimer: This is my personal viewpoint and does not reflect those of my employer, Goode Intelligence.
Friday, 9 November 2012
A Smart Mobile Identity for our smart mobile lifestyle
I must admit that I didn’t come up with the term Smart Mobile Identity. For that I have
to thank Joey Pritikin at AOptix who I was
lucky enough to meet at the recent Biometrics
exhibition and conference in London during the last week of October 2012. I
first came across the term in a presentation that Joey gave at last year’s Biometrics
conference where he discussed how standard smart phones can be leveraged
for biometric purposes, including user authentication and identity verification [Presentation: Smart Mobile Identity – Beyond Single Purpose Handheld
Biometric Devices].
In my opinion, the term Smart
Mobile Identity really sums up the next generation of mobile-based
authentication and identity verification solutions – something that I have been
involved in for the best part of ten years through various roles including my
current one as Managing Director of Goode
Intelligence.
To me, Smart Mobile
Identity is about leveraging the capabilities of a modern smart mobile
device (SMD) to ensure that our identities are proven or verified when identity
proof (authentication if you like) is required. Not only for proving identity when
accessing digital services through a desktop computer but also for mobile
initiated access and even when we present ourselves in the physical world; at a
country border or when accessing health or social security services. I also
include proving our identity when accessing digital services using other
connected devices, such as gaming consoles, automobiles, smart TVs etc;
adaptive and agile authentication and identity verification to support the
Internet of things. As someone who owns an Xbox 360 Kinect device, the idea of
using a voiceprint or a facial scan to access Xbox LIVE is a realistic possibility.
For mobile device-based authentication and identity
verification solutions, the simplest scenario is being sent a one-time-password
(OTP) via SMS when authenticating ourselves into a network-based service, e.g.
Google’s Authenticator or 2-step verification process. However, this is
changing rapidly and we are in the midst of an evolution in mobile-based
authentication and identity verification solutions; moving away from porting
existing, non-mobile centric, services to the mobile to designing solutions specifically
for mobile. Using the microphone for voice biometrics, a GPS sensor for
Geo-location, a combination of the accelerometer and touchscreen for continuous
behavioural assessment, securely storing digital certificates in the SIM or Secure
Element (SE) and the camera for facial and eye vein biometrics (take a look at
start-up EyeVerify for this). All these
examples work with standard SMDs now; no need for any specialist equipment.
In addition to these examples, new opportunities are being
presented with the next generation of SMDs that contain new types of embedded
sensors, including NFC, embedded fingerprint and voice recognition sensors. You
can also adapt existing SMDs with add-on sleeves that enable fingerprint recognition
(Precise Biometrics Tactivo
sleeve) and can support smart cards and NFC. The need for single-purpose
devices to capture and verify biometrics in the field may become obsolete as a result
of these developments.
Smart mobile devices offer so many opportunities for authentication
and identity verification and this blog can only scratch at the surface of what
can and will be offered – some of the solutions even encroach into the realms
of science fiction. I was fascinated to come across the iTravel
patent from Apple detailing what the Cupertino tech giant believes to be
the possibility of using a mobile wallet for travel purposes. Managing the end-to-end
travel process from reservation, to ticket receipt/validation, check-in and baggage
claim through to identification at border control. I think all but the last
scenario achievable now but I believe that we are far off from using our mobile
devices as virtual passports.
That said, perhaps we are seeing pieces of the jigsaw that tell
us how Apple will integrate the recently acquired fingerprint sensor technology
from AuthenTec – an agile, and very personal, way to protect our wallets or in
Apple’s case our Passbook. Swiping a
finger to lock and unlock our digital wallets.
Every discussion that I have with technology companies
involved in this space, and this includes many of the major authentication and
biometric vendors, involves how best to utilise the smart mobile device for
authentication and identity verification purposes. My recent attendance at the RSA
Europe conference and Biometrics Conference, both held in London, was largely
occupied with meetings with clients and tech vendors that were investing
serious R&D resources into this area of technology.
A number of forward looking organisations and technology
vendors are already leveraging the capabilities of the smart mobile device for
authentication and identity verification purposes. Through my work at Goode
Intelligence I have been exploring the capabilities of mobile devices for
authentication and identity verification and this includes the recent publication
of two free-to-download white papers; Two-Factor
Authentication Goes Mobile and The
Case for Mobile MFV.
Goode Intelligence will continue to track this market and you
can expect some new publications covering smart mobile identity in the coming
months.
Please get in touch if you want to discuss this further or
are a technology innovator working in this exciting field.
Friday, 27 July 2012
What does Apple's acquisition of AuthenTec tell us about biometrics on mobile devices?
I am not surprised with the news that Apple has acquired mobile security and fingerprint sensor vendor AuthenTec in a deal worth $356m.
I have been following the mobile security market since 2004 and this has included the publication of a report for my research and consultancy company, Goode Intelligence, on mobile biometric security published in June of 2011. Smart Mobile Devices (SMDs), a term that we use to define smart phones and tablets, have become the portable computer of choice for both personal and business use. However, questions remain as to the effectiveness of security controls for these devices with the recent Black Hat conference in Las Vegas being dominated by presentations that detail the vulnerabilities of these devices.
Apple's acquisition of AuthenTec, who are not just about fingerprint sensors, is a positive move by the Cupertino-based company and could lead to next generation Apple products having embedded security controls, both hardware and software-based.
As seen in the Goode Intelligence annual mSecurity survey report, Apple iOS has become the number one choice for the enterprise. This position will be well and truly cemented if Apple strengthens its security as a result of the AuthenTec acquisition.
Will this mean embedded fingerprint sensors in next generation Apple products including the iPhone and the iPad? With the acquisition of AuthenTec this has become more likely. I interviewed AuthenTec as part of my research into the mobile biometric market and back in May 2011 they said this; “the integration of fingerprint sensors into wireless smart phones, feature phones and tablets is in its early stages and will accelerate.” Accelerate as a result of being in every iPhone and iPad? A distinct possibility.
Embedded fingerprint sensors on mobile devices are being used to protect the phone (augment standard phone lock as my Motorola Atrix 4G admirably does) and to provide authentication to support NFC-based transactions, including payments, at physical locations. AuthenTec has been doing well in this market since 2004 when it first supplied fingerprint sensors for Fujitsu mobile phones to be used to secure mobile payments for NTT DoCoMo in Japan. With rumours that the next generation iPhone (iPhone 5) will support NFC, will Apple be combining biometric authentication through the use of an embedded fingerprint sensor for mobile payments at the physical point-of-sale?
I was pretty cautious when forecasting the growth of mobile biometric security products and services back in 2011, predicting that the market would grow to 39 million users by 2015. This quote from the report highlights this; "The market is currently slow; but pressure is growing.
Things could change rapidly, from an interesting concept to a 'must have' for
all smart mobile devices."
I did go on to make a conditional statement that is very relevant with this news;
"However, this could all be thrown on its head with the
introduction of embedded biometrics on mobile devices by one of the major
manufacturers – and not just a single product line but standard on all mobile
phone products. The market is always eagerly waiting for the next generation of
Apple iPhones and rumours are circulating that Apple iPhone 5 may include some
form of biometric technology."
Could this news be the catalyst to accelerate the adoption of biometric security onto smart mobile devices - there is now much more of a chance of this happening. I look forward to seeing how Apple build on AuthenTec's success in the mobile security world.
For news, opinion and analysis on all things mobile security follow me on Twitter - @goodeintel
Subscribe to:
Posts (Atom)