Apple has a trick it repeats every few years. It takes a technology or concept that has been around for some time, and makes it attractive and accessible for consumers. The iPod was far from the first mp3 player, but has been so successful that ‘iPod’ is
now almost a generic term in the same way as ‘hoover’ and ‘frisbee’.
The addition of Touch-ID last September was another example. Biometric identification has been around for quite some time – the Motorola Atrix, for example, debuted with a fingerprint scanner in 2011 – but its implementation ensured that it remained a quickly-abandoned gimmick.
Users of laptops with face recognition and fingerprint scanners tend to log in with a password rather than fiddle with technology that fails to ‘just work’. Touch-ID, on the other hand, has been successful enough that Apple is opening the technology up via
API so it can be used to authenticate users logging into, for example, mobile banking.
NFC is also far from a new technology – the Nokia 6131 was the first phone to have NFC way back in 2006 – but it’s failed to really get off the ground. Any retailer that accepts contactless already has the hardware to accept NFC payments. But both retailers
and consumers have been reluctant to engage with the technology - it doesn’t on the face of it offer any great advantage over other forms of payments. Those advantages do exist, of course, in the value-added services that can be offered, but convincing people
to try it has proved challenging.
The mobile payments industry has been praying for NFC to be added to an Apple device for a few iterations now, and with Apple Pay, the combination of NFC and Touch-ID, it has finally happened. With Apple’s track record, it could be what makes NFC payments
mainstream. The Apple Pay service already has the backing of several retailers, and the Apple fanbase is known for its enthusiasm in embracing what the company has to offer. But there’s a potential problem for Apple ahead: security.
Thanks to an iCloud hack that revealed more than a few celebrities wanted to, Apple’s security has come under scrutiny in the last few weeks. Touch-ID may seem impregnable – you can’t guess a fingerprint like you would a password – but this is misleading.
It’s trickier to subvert a fingerprint than a password, but it’s not impossible - Touch-ID was ‘hacked’ less than a month after introduction. We leave our fingerprints wherever we go, and removing a fingerprint from, for example, a discarded coffee cup is
not the science fiction it might first appear. And while you can issue a new PIN or password you can’t issue a new fingerprint – not without it being very messy.
A single factor will always be vulnerable to attack – whether it’s a PIN, a password, or a fingerprint.
Apple, and any other companies looking to use biometrics, need to rethink how they approach security and authentication. Smart devices are capable of providing a great deal of context information, and this information – e.g. behavioural or location-based
– can be used together with the device, a PIN and biometrics to create context-based multifactor security to better secure identities and transactions. Relying on a fingerprint creates a single point of vulnerability – and as time goes on and security improves
elsewhere, these weak points will be where criminals target their efforts.
With the details of another malware retail hack emerging, this time with Home Depot, consumers are likely to be very cautious about how they pay. Any worries about security could kill NFC before it gets off the ground.