Leveraging Apple's Touch ID

Apple recently announced their "Touch ID" feature to a range of reactions, from consumer excitement to the fear that a severed finger is the next authentication bypass vulnerability we should all worry about. This is of course a big step for biometric technology adoption, as Apple has the user base to take this feature from a gimmick to a daily reality for millions. Certainly there will be ongoing concerns about privacy until further technical details are provided about how the fingerprinting process is being handled and how the data is stored. Despite all of the concerns, users want to know when their favorite applications will leverage this new technology.

It's important to note that this new feature has been held back from developers for the near-term. Since Apple is releasing this technology for the first time and security concerns are reasonably on the top of everyone's mind, it's sensible for Apple to vet this technology further prior to having every app under the sun start integrating it. This also gives hackers a while to look for vulnerabilities and determine how well this data is being handled by Apple before we all start handing out fingerprints to our phones.

We look at technologies like on-device fingerprint readers as a way for the user to authenticate to their device (user-to-device), and at our mobile application as the bridge that authenticates the device to Duo's service (device-to-Duo) and the associated integrations. Our service and mobile app will opportunistically take advantage of any security features on the mobile device. This includes PIN/pattern locks, face unlock, fingerprint readers, etc. So while all iOS developers are on hold from actually leveraging this new technology for now, we're constantly evaluating the technologies that are available for use to help increase the security and experience of our offerings.

Mark Stanislav

Security Evangelist

@markstanislav

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken internationally at over 75 events including RSA, DEF CON, ShmooCon, SOURCE Boston, and THOTCON. He earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University.