Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Expanded Apple Touch ID payments can succeed, expert suggests

Apple CEO Tim Cook addressed using the Touch ID to expand the mobile payments market at the company's quarterly earnings call on Monday, a move that could allow consumers to make a wider variety of purchases by simply scanning a fingertip.

“The mobile payments area in general is one that we've been intrigued with,” Cook reportedly said in response to a question. “That was one of the thoughts behind Touch ID, but we're not limiting ourselves just to that.”

The question comes on the heels of a Thursday Wall Street Journal story that suggested Apple is seeking avenues to expand its mobile payments to allow for the purchase of physical goods through payment cards on file in the iTunes stores.

iPhone 5s users can already make digital iTunes purchases by simply swiping their fingers across the Touch ID, but because the technology is young and shown to be easily bypassed, the feature's security has been a heavily discussed issue.

Sebastien Taveau, a founding board member of the FIDO Alliance, an organization that addresses online authentication, told on Tuesday that the Touch ID architecture aligns well with FIDO Alliance views.

“Locally stored credentials on the device to be used to ‘release' a secondary step shared between the device and the cloud is a high level of security resting on user presence, device integrity and trusted connectivity between an account holder and a service provider,” Taveau said.

Where Apple stands to fail in this endeavor is if standalone single factor authentication is used, according to Taveau, who said that centralized databases of personal information are ripe for the picking by attackers. He added that the template – the fingerprint, in this case – must be stored locally.

“The assumption that only the Touch ID will be part of the transaction-confirmation process is probably incorrect,” Taveau said. “Based on the technology around the latest iPhone and other Android-based devices, multi-sensors are used and provide a dual process: active authentication and passive signature. Multi-factors combining user and device signatures is the key to success.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.