Since iOS 8 was made available last month, numerous organizations have jumped on the Touch ID fingerprint bandwagon and updated their applications with Touch ID support. I think this is a step in the right direction, as passwords are slowly becoming a thing of the past and have been shown to be easily hacked by most hackers. Not only are passwords weak protection against breaches, they are also hard to memorize, especially given the volume of passwords a single person has to remember and the different and often complex configurations sites require today.
Local fingerprint biometrics are definitely going to increase security and convenience and drive more application usage. However, local biometrics still face a lot of hurdles before they are deployed widely enough to put passwords to bed completely. As you may have noticed, passwords are still a login option in almost all Touch ID deployments. With Touch ID, you have two ways into your house: use the same password door as before or use the fingerprint door.
Remember that passwords allow customers to log in from any device, while Touch ID is only available on some phones. It is true that passwords will not go away completely anytime soon, but we can now feel more comfortable setting up silly complex passwords without having to memorize them and type them at login. That said, I don’t think that Touch ID alone should be considered a replacement for second factors. Second-factor authentication is like two locks on the same door, and usually that second lock is a remote authentication method.
Apple Pay is an example of why Touch ID should not be the only security layer for protecting sensitive data and financial transactions. Most media outlets talked about Touch ID to show how Apple Pay was secure, and that makes sense, as most consumers can easily see the security value of a fingerprint over a password. Apple didn't spend much stage time explaining the tokenization process of Apple Pay, but that method is the real security innovation of the offering, and it’s seen as one of the most secure and fraud-proof payment mechanisms available. Tokenization removes the actual credit card number and replaces it with a randomly generated number. Apple could have come up with Apple Pay without Touch ID but not without tokenization.
At Easy Solutions, we have incorporated Touch ID into our mobile authentication offering to provide additional convenience and security when responding to a push authentication request or unlocking soft token codes. Push authentication verifies the identity and devices of our clients’ end users via a push notification sent through a secure communication channel. Touch ID will clearly increase the level of trust in the user’s identity compared to a PIN or password.
Support for the Android-based Samsung Galaxy S5 is scheduled to go live in the coming months.