Why Touch ID is a Bigger Deal than You Might Think

During Apple's event this week the description of Touch ID was a bit muted. It was not heralded as the greatest thing that would change the world all over again, but rather, an easy way to unlock your iPhone and make purchases. It was marketed as a way to increase security since half of smartphone users don't even have a passcode set (let alone a stronger password). This all sounds kinda ho-hum to users who never cared about having a passcode anyway. Media outlets took the same stance with Touch ID. The basic reaction was "cool, but is it really a big deal or a solution looking for a problem?" Some of the media asked the question about "Passbook Integration" or "Mobile Payments". Those things are very interesting and well understood (your fingerprint would authorize access to charging your credit card or debiting your gift card), but there are other important potential aspects of utility for Touch ID.


via images.apple.com

iCloud Keychain Integration

The key to understanding the first part of the future of Touch ID is by looking at what was *missing* from the iOS 7 Gold Master that appeared in all the previous beta releases: iCloud Keychain.


via cdn.macrumors.com

I believe the iCloud Keychain was delayed in the wake of the privacy invasions from the NSA. Apple needs to make sure that the likes of the NSA don't have access to your iCloud Keychain. They will likely launch this feature next month with Mavericks. So why does iCloud Keychain matter with Touch ID?

Your iCloud Keychain stores your credentials for the various websites you visit and automatically fills them in upon your request when you visit those websites. If you have ever used something like 1Password or LastPass, then you know exactly what iCloud Keychain does. You activate the feature, the browser searches for "password" and "user name" fields on the page and automatically fills in the values saved in your keychain. The keychain is encrypted with a single password that you know but you avoid sharing with the websites that you visit. For software like 1Password, your "one password" never leaves the machine on which you type it.

The cool thing about these "keychain" or "password vault" systems is that they vastly increase security by generating a unique random (hard to guess) password for each website you visit. This means that if one of these websites has a security vulnerability that leaks your password to a hacker, that hacker could not use the same email address and password to access your GMail or Yahoo or Facebook account because they would presumably use distinct passwords. You only need to remember your "one password" or your "last password".


Icon1p_medium1Password is software for Mac, Windows, iOS and Android written by AgileBits. It will sync your password vault over DropBox for access to all these platforms. AgileBits does not know your "1 Password" that unlocks them all. 1Password provides browser extensions for all major browsers and provides an embedded browser in their iOS app with auto-fill functionality (since Mobile Safari does not provide for browser extensions). 1Password can also store software registrations, encrypted notes and information not necessarily associated with a website.

Logo_lastpass_mediumLastPass is a cloud-based password vault that functions through browser extensions. It functions similar to 1Password but is free to use with a premium subscription option. LastPass maintains your password vault on their servers.


Now imagine this same sort of technology where the password vault does not require a long hard-to-guess password that you have to enter on a tiny mobile keyboard to unlock it and access your passwords, but instead, access to your password vault is authorized via the touch of your fingerprint.

When you visit a website in Safari that presents a login page then either Safari can detect the password field on the page and prompt you to auto-fill the credentials (which you can cancel or authorize with your fingerprint -- just like iTunes Store purchases). Perhaps even a button to activate the feature (I have not seen how iOS 7 iCloud Keychain gets activated) then you will be prompted to cancel access to the keychain, enter a password to unlock the keychain or authorize access with your fingerprint. At the very least Apple could require the actual password vault once every day or two but allow fingerprint access in between.

Third-Party Keychain Integration

Now Apple has been big on promoting native apps over web apps. If iCloud Keychain works for websites, then why not provide a native iOS API for third-party apps to request that the operating system fill in the authentication fields. Perhaps this happens by giving iOS 7 a mapping of field names to references to on-screen text-entry and password-entry controls. When the user is prompted to cancel or authorize the action with a fingerprint (or their iCloud password) then iOS simply fills in the fields with the values stored in the Keychain. Of course this requires that you never provide the credentials associated with one app to another app, but that is handled by having signed applications and an application identifier.

You would no longer have to enter passwords to login to apps like Bank of America, Chase, Wells Fargo, Moneywell, iBank or a host of other financial applications. You could easily access your AT&T or Verizon account without having to remember your password to check on usage for the month. Any third party app requiring authentication is suddenly available at your fingertips.

Parental Controls

The third opportunity (in addition to mobile payments and Passbook integration) is something that likely won't make its way to iOS until Touch ID is on every iPod Touch and low-end iPhone and iPad. The iOS "restrictions" settings is already pretty good, but it is lacking in certain things. Indeed on a Mac I can prevent access to specific websites and applications and then authorize access for "Always" or "One Time Use" with my administrator password when my kids need something. Imagine instead if you could prevent access to web videos or web pages for your kids, but when they wanted access you could provide it for "one time" or "always" by using an "administrator fingerprint".

What if your kids wanted to play a game when you wanted them to be reading or listening to music (maybe you don't allow games at night). The old solution is just to take away the iPad, but increasingly, iPads are becoming the tool of education in elementary school, middle school and high school. What if you could block an app unless your fingerprint authorized one-time access? Your kids would have to come ask before they could open certain apps.

What about web-based videos or YouTube? What if the iOS video player could enable a white list of videos your kids could watch while preventing them from playing others. This could be handled with a simple checksum of the video and associating that with a whitelist or by associating a URL with the whitelist (though a checksum prevents the kids from accessing the video if it has changed). If you only had to touch your finger to activate this, it would be fantastic.


Touch ID seems to have a near-term future and a long-term future for Apple. I expect to see it on every iPhone, iPad, iPod touch, MacBook and maybe even on Apple's Magic Trackpad (though wireless transmission of fingerprint data could be a problem). Once it is integrated with iCloud Keychain (hopefully next month) and eventually third-party apps it will become something that people could not live without. Your website passwords and app passwords will become more secure because they will be randomly generated by iCloud Keychain and they will be unique to a single service. And users will go from having the same password with every website and no password on their device or PC to using a fingerprint-accessible auto-generated password to unlock a vault of strong randomly generated passwords that are unique to each service.

Sure their are security concerns. If there is a way in (and there has to be) then there is a way to break in. But today's anti-solution of reusing the same easy-to-guess password on every website and not locking one's device or PC with a password is far less secure. Touch ID is the beginning of a massive shift in security because it brings convenience to security (even if it makes you use your actual password once per day with follow-on authentication via fingerprint). All that is left is for Apple and security experts to vet out the potential risks so users can understand where they are vulnerable when using Touch ID. But it provides a huge opportunity for the future of authentication.