
Is Apple Touch ID security ready for enterprise adoption?

Touch ID is now available for integration into native iOS and third-party applications, opening up a wide array of uses. Now, the ball is in enterprise IT's court.

Now that Apple has opened up Touch ID for use in applications, the time has come for companies to consider it as part of their enterprise mobility strategies.

Apple introduced the Touch ID fingerprint recognition feature with the iPhone 5s in late 2013, but at the time Touch ID's only functions were to unlock a device or approve purchases with an iTunes account. With the launch of iOS 8 in September 2014, Apple broadened the use of Touch ID to include native and third-party applications. Apple made this possible by adding several thousand application program interface (API) options for developers.

Before we dive into the pros and cons of using Apple Touch ID security, I should dispel the most common misconception: Touch ID is not meant to replace passwords; it's essentially a shortcut to a password. Before enabling Touch ID, users must first enter their authentication credentials for a specific device or application. Much to my dismay, Touch ID also isn't really designed for multiple people to share the same device, although this is more of a concern for smaller enterprises that can't afford the cost of purchasing and securing a device for each employee.

Touch ID security opportunities

Touch ID is now available to be integrated into third-party apps, which will prove especially valuable to companies that have the resources to develop in-house apps. Touch ID is also an integral part of the Apple Pay feature that was introduced with iOS 8. Retail transactions just became more versatile, as users can now potentially approve a purchase or sale with the touch of a fingerprint.

Several companies have jumped on the Touch ID bandwagon, using the new developer tools to integrate Touch ID into their apps. Amazon has updated its 1-click payment feature so that it's compatible with Touch ID, although the caveat is that you need an Amazon Visa card. Meanwhile, apps like 1Password, a popular password management service; Scanner Pro, which allows easy access to documents; and Encap Security, a multifactor authentication service, have all added Apple Touch ID security as well.

Those are some of the more popular use cases, but Touch ID's utility doesn't end there. Here's an example: In my former job, I worked with agents who managed an entire team of employees. When workers would visit a customer outside the office, they would usually bring along an iPad. Every dime counts, so rather than purchase multiple tablets, agents would purchase one iPad to be shared by their entire team. This practice wouldn't fly under a lot of mobile security policies, though, because employees higher up in the food chain frequently have privileged access to corporate data.

Previously, with iOS 7, any of the employees registered with Touch ID access to an iPad could pretty much access whatever apps and data were located on that specific tablet. This situation can now be avoided because of the new flexibility to apply Touch ID to specific applications. IT could configure an iPad to be mostly open, but also use Touch ID to protect business apps containing important data.

Risks associated with Touch ID

With all these opportunities, what are the risks?

Some people have gained unapproved access via Touch ID by replicating the fingerprint of an approved user with silicone and graphite, but don't lose too much sleep about it. I have yet to hear of someone doing this vindictively; the examples to date have all been controlled experiments.

The other issue is not a flaw, per se, but a feature that some users might mismanage. Apple devices have the ability to remember multiple registered fingerprints, but iOS 8 still doesn't allow differentiation among them. In other words, you can't give your spouse, child or anyone else limited Touch ID access. If that person is registered on your device, they can use their fingerprint to access any Touch ID-enabled app. This is a potential red flag for enterprises that employ a bring your own device policy where an iPhone or iPad often serves as a business and personal device.
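To make the "shortcut to a password" model and the shared-fingerprint caveat concrete, here is an added Swift sketch (not code from the original article or from Apple) of how an in-house app could gate one stored secret behind Touch ID using the iOS Keychain. The service and account strings and the function names `storeSecret` and `loadSecret` are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for an in-house business app (assumptions).
let service = "com.example.inhouse-app"
let account = "corp-session-secret"

enum VaultError: Error { case accessControl, keychain(OSStatus) }

let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: service,
    kSecAttrAccount as String: account
]

/// Call only AFTER the user has signed in with full credentials:
/// Touch ID releases a stored secret, it does not replace the password.
func storeSecret(_ secret: Data) throws {
    // .userPresence: ANY enrolled fingerprint, or the device passcode,
    // releases the item. The Keychain cannot tell enrolled fingers apart.
    // Later iOS releases added .biometryCurrentSet, which invalidates the
    // item when the enrolled set changes but still does not distinguish users.
    guard let acl = SecAccessControlCreateWithFlags(
        nil,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // no backup/sync; gone if passcode is removed
        .userPresence,
        nil) else { throw VaultError.accessControl }

    SecItemDelete(baseQuery as CFDictionary)             // replace any earlier copy
    var add = baseQuery
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw VaultError.keychain(status) }
}

/// Returns nil if the prompt is cancelled, the match fails, or the item is
/// missing; the caller must then fall back to the full credential sign-in.
func loadSecret(prompt: String) -> Data? {
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    // iOS 8-era prompt key; deprecated in later SDKs.
    query[kSecUseOperationPrompt as String] = prompt
    var out: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &out)
    return status == errSecSuccess ? (out as? Data) : nil
}
```

Because the fingerprint only unlocks a secret the app already holds, revoking access means deleting or rotating that secret server-side, not changing anything about the fingerprint.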

Finding the right use cases

Enterprise mobility management tools are just starting to scratch the surface of Touch ID's potential, and with the new APIs we should continue to see new use cases. Also, as the Internet of Things becomes more pervasive in coming years, that should open up new use cases that we haven't even considered yet.

We are just starting to see the benefits of using Apple Touch ID security, and it will soon be pervasive in the enterprise. Use cases will continue to sprout up across the spectrum of mobile device management, mobile application management and app development.

This was last published in January 2015


Join the conversation

5 comments


Which of the new Touch ID capabilities have you found most useful?

I honestly feel that additional biometric factors like touch could be key in helping better secure systems. I would be cautious however to put too much faith in technology that is still early in adoption. But I think combining multiple biometric factors can begin to build a multi-factor identification that will be harder to guess or break.

Who comes up with this stuff... No serious security professional would consider using the Apple Touch ID approach for Enterprise security. The biometric fingerprint is a one-time key. If ever compromised the identity is totally compromised. No way to change your fingerprint(s). It is not sustainable or viable over time. Changing the access credential is a requirement over time.

HContrex, I agree that nobody should consider Touch ID as a standalone security solution. But don't you think it has a place as part of a multifactor authentication strategy?

Love the idea of incorporating Touch ID into corporate IT authentication. The key is to make sure there is absolutely NO way to 'spoof' ID's.
