Expanded Apple Touch ID payments can succeed – but should they?

Apple’s strategy for mobile payments is becoming clearer – the convenience of Touch ID payments for any and every purchase.  The Wall Street Journal has a good piece on it.

Now Sebastien Taveau, a FIDO Alliance expert and founding board member, has weighed in on Apple’s Touch ID payments.  He damns Apple’s biometric security vision with faint praise, noting that at the very least it needs a second authentication factor:

“The assumption that only the Touch ID will be part of the transaction-confirmation process is probably incorrect,” Taveau said. “Based on the technology around the latest iPhone and other Android-based devices, multi-sensors are used and provide a dual process: active authentication and passive signature. Multi-factors combining user and device signatures is the key to success.”

So should Apple’s expanded Touch ID payments succeed?  No.

Without the added security of a second authentication factor, Touch ID is a single point of vulnerability for any Apple ID account holder.  If the mobile device is compromised or the Touch ID database itself is breached, all stored cardholder information is exposed.  And given the flawed implementation of Touch ID, it’s not a robust biometric authentication method to begin with.

The new FIDO standard also has a passwordless biometric authentication method.  However, the FIDO UAF standard incorporates a transparent, seamless second factor of authentication that all but eliminates cyber fraud linked to account login and payment authorizations.

Where does SurePassID come down on this issue?  Squarely on the side of the FIDO Alliance.  We believe in a future of biometric-enabled identity and access management that eliminates passwords – but only if secured by an additional authentication method that is out-of-band (OOB).