September 19th, 2013

Did Apple Just Kill the Password?

On the surface, Apple’s recent iPhone 5S announcement seemed just that: all surface, no substance. But as many reviewers have pointed out, the true star of the new model may not be its shimmering gold sheen but instead the finger sensor built into its home button.

Using a fingerprint to prove you are who you claim to be is not new. But building it into a phone is. And as your mobile phone becomes your carrier of content (like photos), currency (like digital wallet) and identity (like keychain) as well as your route to all manner of digital services, proving who you are will become essential for mobile everything.

Before mobile, Web security rooted itself in the username/password paradigm. Your username and password defined the identity you used to authenticate yourself to PayPal, Amazon, Google, Facebook and everything in between. There are stronger ways to secure access to Web sites but written passwords predominate because they are personal and easy to type on a PC, where all Web pursuits took place – until the arrival of the smartphone, that is.

The smartphone and its similarly keyboard-deprived cousin, the tablet, increasingly represent the jumping-off point for the Internet. Sometimes it starts with a browser; many times it begins with an app. In either case, passwords are no fun when you move to a mobile device. They are cumbersome to type and annoying when you have to type them repeatedly across multiple sites, services and apps. So anything that diminishes the burden of typing passwords on a mobile device is a good thing.

Apple is not alone in identifying that end users want ways to eliminate passwords on mobile. Our company, CA Technologies, has a sizeable franchise in Single Sign-On (SSO) and strong authentication technologies, which – when applied to mobile – can significantly reduce the burden of recalling multiple passwords across different sites, apps and services. In fact, CA Layer 7 hosted a webinar on this very topic this morning. But what Apple has achieved is significant because it substitutes a highly-personalized biometric for a password. This has the power to streamline mobile commerce, mobile payments and every other kind of mobile-centered interaction or transaction.

Many commentators have rightfully pointed out that biometrics do not offer a panacea. If your fingerprint gets hacked, for instance, it’s hacked permanently. But there are easy ways of augmenting biometrics to make them stronger. Biometrics can be combined with over-the-air tokens such as one-time passwords (OTPs), or supplemented with context-aware server-side challenges that raise the authentication requirement as risk increases. But it’s what they achieve when compared with the alternative that makes fingerprint readers so powerful.
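The combination described above, a device-side biometric result backed by a server-side policy that demands a one-time password only when context looks risky, can be sketched as follows. This is an added example, not code from the original post or from CA Technologies or Apple. It assumes the device reports only a pass/fail biometric result to the server (the fingerprint itself never leaves the device), that the account has an enrolled TOTP secret (RFC 6238, which this code implements with the standard library), and that the risk signals and thresholds (`device_known`, `new_country`, the 500 amount limit, the score cut-off of 50) are placeholders chosen for illustration.

```python
"""Added example: server-side step-up authentication combining a biometric
result, a TOTP one-time password and a context-based risk score.
Not the original post's code; signal names and thresholds are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


@dataclass
class LoginContext:
    biometric_ok: bool      # device reported a successful fingerprint match (assumed flag)
    device_known: bool      # device previously enrolled for this account (assumed signal)
    new_country: bool       # request comes from a country not seen before (assumed signal)
    amount: float           # value of the transaction being authorized
    otp: Optional[str] = None  # one-time password typed by the user, if any


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", at_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, candidate: str, now: int, window: int = 1) -> bool:
    """Accept the current step or one step either side to tolerate clock skew.
    Comparison is constant-time so a wrong code leaks nothing about the right one."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * TIME_STEP)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def risk_score(ctx: LoginContext) -> int:
    """Crude additive risk score from context signals (weights are assumptions)."""
    score = 0
    if not ctx.device_known:
        score += 40
    if ctx.new_country:
        score += 30
    if ctx.amount >= 500:
        score += 30
    return score


def decide(ctx: LoginContext, totp_secret: bytes, now: int) -> str:
    """Return 'allow', 'step_up' (an OTP is required) or 'deny'.

    The biometric is a hard gate; the risk score decides whether a second
    factor is demanded on top of it; the OTP, when present, is verified."""
    if not ctx.biometric_ok:
        return "deny"
    if risk_score(ctx) < 50:
        return "allow"               # low risk: the biometric alone is enough
    if ctx.otp is None:
        return "step_up"             # high risk: challenge for a one-time password
    return "allow" if verify_otp(totp_secret, ctx.otp, now) else "deny"


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret and a fixed clock of t=59.
    secret = b"12345678901234567890"
    now = 59
    low_risk = LoginContext(biometric_ok=True, device_known=True, new_country=False, amount=20)
    high_risk = LoginContext(biometric_ok=True, device_known=False, new_country=True, amount=20)
    print(decide(low_risk, secret, now))                      # allow
    print(decide(high_risk, secret, now))                     # step_up
    high_risk.otp = totp(secret, now)
    print(decide(high_risk, secret, now))                     # allow
```

The point of the structure is that a stolen or spoofed fingerprint alone does not carry a high-risk transaction: the server still demands a second, revocable factor, and the fingerprint template itself is never something the server stores or compares.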

The 5S simplifies authentication for the average user, which encourages security use and acceptance. It also eliminates bad mobile habits like using short, easily memorable, easy-to-type passwords that scream insecurity. Apple is not the first vendor to realize consumers don’t like passwords on mobile devices. But by bringing an alternative to the mass market, it is helping to draw attention to the need and the opportunity: killing the password may open mobile to a whole host of novel security-dependent Internet services.


  1. [...] of Layer 7, an API security and management company that CA Technologies acquired in June.  In this blog entry Dimitri asks the question: “Did Apple Just Kill the Password?”, and calls out the short-term [...]

    Pingback by Biometrics and the iPhone 5S | Security Management — September 20, 2013 @ 5:15 am

  2. We published the translated article on CA Japan Security Blog site.
    http://caj-security.com/blog/?p=1823

    Comment by CA Japan — October 29, 2013 @ 1:54 am
