Handset leaders add biometrics and NFC, dawning a new era in mobile as a credential
Bring Your Own Device is the new sheriff in town and its deputy is Bring Your Own IDentity. But to follow the analogy, we’re still living in the Wild West. Thankfully, however, the future looks brighter as manufacturers are producing devices with greater security capabilities. This promises to both protect corporate resources and open doors to use of the mobile as a secure identity token.
Tablets and handsets have become the go to devices for employee use, replacing desktop and laptop computers. Increasingly, employees are the ones who own these devices but are using them for both work and personal purposes. Thus the same employee-owned device enables access to secure corporate resources as well as apps, games and family photos.
Using the mobile device as an identity token is the dream for enterprises that may soon be realized. As more devices deploy biometrics, use near field communication and Bluetooth low energy, securing devices and using them as tokens is becoming a reality. Organizations are also working on standards that will make the ubiquitous mobile the token everyone owns.
A biometric on every handset
Two-years ago, the number of biometric-enabled handsets in the field numbered in the thousands. Since then, Apple has released three iterations of its iPhone handset complete with a fingerprint scanner. This year, Samsung did the same with its flagship device, and a host of other makers are poised to follow the trend.
There are now tens of millions of handsets in the market that can be secured with a fingerprint. What’s more, the biometric capabilities embedded in these devices can also offer secure access to apps on the phone, easing the pain of having to type long passwords on tiny keyboards.
Apple wasn’t the first device manufacturer to put a fingerprint scanner on a device, but it might be the first to have done it well. While Touch ID was initially limited to control access to the handset and iTunes store purchases, it has since been opened up, enabling app developers to take advantage of the scanner. The newly announced Apple Pay service will also leverage it to authorize purchases made via the handset.
Samsung’s Galaxy S5 has similar abilities and can authorize payments with PayPal. Galaxy S5 owners can make purchases at brick and mortar merchants that accept PayPal and users can also authorize payments online.
Developers can also use the fingerprint scanner on the Galaxy for access to apps, but there hasn’t been a rush to take advantage of the functionality, explains Alan Goode, principle at Goode Intelligence.
“A few smaller banks have done it to gain publicity,” he says. “Some larger banks may integrate a part of it into their banking app, but don’t yet know if it will be for primary authentication or secondary authentication while in the app.”
One issue is the detail around the authentication protocol. Developers don’t know the details surrounding the accreditation and certification of the fingerprint scanner so there are trust issues, Goode says.
Though currently it might not be secure enough for some providers, more will begin to take advantage of the fingerprint scanner, Goode says. Organizations might do some authentication to the device – for instance, send an OTP – before enabling the scanner so the device is registered before the fingerprint is enrolled.
Nok Nok Labs has already enabled the Samsung scanner and is planning to release a client that takes advantage of Touch ID, says Brendon Wilson, director of product management at Nok Nok Labs. The FIDO client will enable organizations to do more with the fingerprint scanner than just unlock the device.
Nok Nok Labs will enable remote authentication without having to rely on Apple’s iOS keychain to store the passwords, instead creating a secure bridge that uses cryptographic keys rather than passwords, Wilson explains.
With Apple, Samsung and other manufacturers implementing fingerprint and potentially other biometric modalities, it’s important to be able to use these technologies for a wide range of purposes in a secure manner, Wilson says.
Whether or not Apple will change the face of online identity, Wilson wouldn’t say, but the company is having an impact. “It sets a new expectation around user experience,” he says.