

Is Apple Touch ID security ready for enterprise adoption?

Touch ID is now available for integration into native iOS and third-party applications, opening up a wide array of uses. Now, the ball is in enterprise IT's court.

Now that Apple has opened up Touch ID for use in applications, the time has come for companies to consider it as part of their enterprise mobility strategies.

Apple introduced the Touch ID fingerprint recognition feature with the iPhone 5s in late 2013, but at the time Touch ID's only functions were to unlock a device or approve purchases with an iTunes account. With the launch of iOS 8 in September 2014, Apple broadened the use of Touch ID to include native and third-party applications. Apple made this possible by adding several thousand application program interface (API) options for developers.

Before we dive into the pros and cons of using Apple Touch ID security, I should dispel the most common misconception: Touch ID is not meant to replace passwords; it's essentially a shortcut to a password. Before enabling Touch ID, users must first enter their authentication credentials for a specific device or application. Much to my dismay, Touch ID also isn't really designed for multiple people to share the same device, although this is more of a concern for smaller enterprises that can't afford the cost of purchasing and securing a device for each employee.

Touch ID security opportunities

Touch ID is now available to be integrated into third-party apps, which will prove especially valuable to companies that have the resources to develop in-house apps. Touch ID is also an integral part of the Apple Pay feature that was introduced with iOS 8. Retail transactions just became more versatile, as users can now potentially approve a purchase or sale with the touch of a fingerprint.

Several companies have jumped on the Touch ID bandwagon, using the new developer tools to integrate Touch ID into their apps. Amazon has updated its 1-click payment feature so that it's compatible with Touch ID, although the caveat is that you need an Amazon Visa card. Meanwhile, apps like 1Password, a popular password management service; Scanner Pro, which allows easy access to documents; and Encap Security, a multifactor authentication service, have all added Apple Touch ID security as well.

Those are some of the more popular use cases, but Touch ID's utility doesn't end there. Here's an example: In my former job, I worked with agents who managed an entire team of employees. When workers would visit a customer outside the office, they would usually bring along an iPad. Every dime counts, so rather than purchase multiple tablets, agents would purchase one iPad to be shared by their entire team. This practice wouldn't fly under a lot of mobile security policies, though, because employees higher up in the food chain frequently have privileged access to corporate data.

Previously, with iOS 7, any of the employees registered with Touch ID access to an iPad could pretty much access whatever apps and data were located on that specific tablet. This situation can now be avoided because of the new flexibility to apply Touch ID to specific applications. IT could configure an iPad to be mostly open, but also use Touch ID to protect business apps containing important data.

Risks associated with Touch ID

With all these opportunities, what are the risks?

Some people have gained unapproved access via Touch ID by replicating the fingerprint of an approved user with silicone and graphite, but don't lose too much sleep about it. I have yet to hear of someone doing this vindictively; the examples to date have all been controlled experiments.

The other issue is not a flaw, per se, but a feature that some users might mismanage. Apple devices have the ability to remember multiple registered fingerprints, but iOS 8 still doesn't allow differentiation among them. In other words, you can't give your spouse, child or anyone else limited Touch ID access. If that person is registered on your device, they can use their fingerprint to access any Touch ID-enabled app. This is a potential red flag for enterprises that employ a bring-your-own-device policy, where an iPhone or iPad often serves as both a business and a personal device.

Finding the right use cases

Enterprise mobility management tools are just starting to scratch the surface of Touch ID's potential, and with the new APIs we should continue to see new use cases. Also, as the Internet of Things becomes more pervasive in coming years, that should open up new use cases that we haven't even considered yet.

We are just starting to see the benefits of using Apple Touch ID security, and it will soon be pervasive in the enterprise. Use cases will continue to sprout up across the spectrum of mobile device management, mobile application management and app development.
