Authentication debate fuelled by Apple Touch ID is in itself a game changer

There's a good debate on ZDNet between John Fontana and David Braue around the issue of whether Apple's Touch ID is a game changer. I've spoken to, discussed things with and read stuff written by both these guys, so I can vouch for the fact they know what they are on about, which is why I'm sort of fence sitting in the context of their actual debate. But if someone shook the fence I'm currently sitting on vigorously and I assume the question was framed around Touch ID in its current form (or rather, how it will be when the iPhone 5s is released in a few days), I'd probably fall onto the side that John's on.

John makes 2 really great points that I wholeheartedly agree with:

"Currently, Touch ID has no way for the enterprise to tap the technology into their identity and access management systems."

and

"...without an SDK, developers that made the App Store explode won't be able to lift a finger to raise Apple's security profile above a whimper."

He's right. But I believe Apple will eventually allow developers to hook into Touch ID, albeit indirectly. Apple does not build things into their devices without a long-term strategy for them.

Those of us in the IT security field are paid to be paranoid and sceptical, so I can understand how security professionals are not jumping on the Apple fanboy bandwagon. Interestingly enough, many are closet Apple fanboys when not doing their day jobs. One thing we all struggle with however, is getting people to actually care about security, let alone openly debate it.

While I don't believe that Touch ID in its current form is a game changer, the fact that Touch ID's lit the fire under the authentication debate is. That is something only companies like Apple can do.

While it may seem self-serving to quote myself, that's exactly what I'm going to do. I said in my previous blog post:

"...it will take at least one well-known brand with a significant amount of consumer influence to fork-lift-point us down the non-password oriented identification path."

Apple's done that. If you read some of David's arguments in the debate, he's actually projecting potential future applications of Touch ID, not features it will have upon initial release:

"MDM tools are all about adding a layer of control to distant mobile devices, and fingerprints are a readily available way for distant users to prove their identity."

and

"Better API access would allow developers to use fingerprints anywhere they now require user ID-and-password combinations."

Sitting firmly perched back on my fence, I agree with John that Touch ID in its current form is not a game changer. But I agree with David that Touch ID's potential, with the Apple juggernaut behind it, is.

At the very least, the fact that authentication has become a hotly debatable topic in the mainstream is the actual, indisputable game changer that Apple's managed to fuel with the introduction of Touch ID. As an added bonus, if your day job is to sell security internally to C-level decision makers, here's a potential way in to start those security conversations. Remember to leave the propeller hat behind in your desk drawer.