A step forward but more needs to be done
Apple’s iOS 8 won’t be released till the fall but Nok Nok Labs has already tested and integrated its Multi-Factor Authentication Client with the Touch ID API.
It took Nok Nok engineers two days to plug Touch ID into the FIDO Alliance client, meaning any existing application integrated with the FIDO iOS client will be able to start using this feature when iOS 8 is released.
A video shows how to set up online authentication with Touch ID, and use the fingerprint sensor to approve a transaction confirmation.
While Apple’s Touch ID API is a step in the right direction, the API provides only two capabilities: the ability to determine if the user was successfully authenticated to the device using the fingerprint sensor; and the ability to unlock iOS keychain data with successful fingerprint authentication.
While both capabilities offer local authentication, they do not provide a way for the application or the user to authenticate to a remote server. App developers looking to implement remote authentication must create another solution.
One possible solution for remote authentication is to use the Touch ID Keychain API to store passwords. A successful fingerprint authentication unlocks the password, and the app then uses that password to authenticate to the server. While easy, this method retains the legacy security problems of passwords, including the vulnerability to server-side attacks on password databases. The user also bears the burden of keeping passwords in sync between the iOS keychain and the server, raising the possibility of user confusion and friction.
A more secure and user-friendly option would be for the app to generate a public/private key pair. The private key would be protected by the Touch ID/iOS Keychain combination, while the public key would be stored on the server.
This option would require developers to create a cryptographic protocol to use these keys for remote authentication. Doing so calls for significant expertise in security practices to avoid vulnerabilities in key generation, cryptographic operations and protocol design. Additionally, the end-to-end system must be designed carefully to protect the user’s privacy.
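The key-pair design sketched in the last two paragraphs, as an added example that is not code from the post, from Nok Nok Labs or from Apple: the server stores only a public key and signs nothing itself, the device signs a one-time server challenge with a private key that is released only after the fingerprint check, and the challenge is consumed on use so a captured signature cannot be replayed. It assumes ECDSA on P-256, in-memory maps standing in for the server database, a hypothetical `origin` string for the relying party, and a `touchIDPassed` flag simulating the keychain's fingerprint gate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Hypothetical relying-party identity; signing origin||challenge makes a
// signature produced for this server useless against any other server.
const origin = "https://example.test"
func digest(challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Server side keeps only public keys and one-time challenges: no stored secret.
var (
	pubKeys    = map[string]*ecdsa.PublicKey{}
	challenges = map[string][]byte{}
)
func Register(user string, pub *ecdsa.PublicKey) { pubKeys[user] = pub }
// Challenge issues a fresh 32-byte nonce valid for one authentication attempt.
func Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	challenges[user] = c
	return c, nil
}
// Verify checks the signature over the pending challenge and consumes it (no replay).
func Verify(user string, sig []byte) bool {
	pub, c := pubKeys[user], challenges[user]
	delete(challenges, user)
	return pub != nil && c != nil && ecdsa.VerifyASN1(pub, digest(c), sig)
}

// Device side: the key pair is generated on the phone and only the public half
// ever leaves it; touchIDPassed simulates the keychain's fingerprint gate.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte, touchIDPassed bool) ([]byte, error) {
	if !touchIDPassed {
		return nil, errors.New("fingerprint not verified: private key stays locked")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(challenge))
}
```

Registration (one `Register` call with the device's public key) and each login (`Challenge`, `SignChallenge`, `Verify`) are the only two messages the protocol needs; a leaked copy of `pubKeys` gives an attacker nothing to log in with.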