And many consumers who ran out to pick up the new iPhone when it went on sale Friday may find themselves at odds with their information technology departments when they report to work Monday. Few companies and government agencies allow their employees to use fingerprint IDs to unlock iPhones being used for work. It may take months or longer before these businesses adopt the new technology.
The iPhone 5s is the first Apple device with a built-in fingerprint scanner on the home button. Instead of entering a four-digit code, a user needs only to place a finger on the button to unlock the phone.
Apple says it will only store the data on the device in an encrypted format rather than sending the information to its own servers. Apple will also block third-party apps from accessing what the company calls “iTouch ID.”
This week, Sen. Al Franken (D-Minn.) sent a letter to Apple chief executive Tim Cook noting how fundamentally different biometric identifiers are from previous ID methods:
“Passwords are secret and dynamic; fingerprints are public and permanent. If you don’t tell anyone your password, no one will know what it is. If someone hacks your password, you can change it — as many times as you want,” Franken wrote. “Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.”
Franken wants to know more about the technical possibilities of Touch ID and how Apple plans to use it — as well as what diagnostic information, if any, the iPhone 5s transmits about the Touch ID system to Apple and third parties. And he wants assurances that Apple will never share the fingerprint data or the tools needed to get them with commercial third parties.
Another important question is whether Apple considers fingerprint data to be the contents of communication or a subscriber identity under the Stored Communications Act. This is particularly important because content data require a warrant to be released to law enforcement, but a subscriber ID or number needs only a subpoena. Similarly, Franken asks if Apple considers fingerprint data to be subscriber information that the company could be compelled to share by the order of a national security letter.
Apple did not respond to a request for comment.
Besides privacy concerns, many companies will probably want to run their own tests on the system before adding it to a list of security measures required for employee devices.
Chris Hertz, the chief executive of the IT firm New Signature, said that he expects it will take businesses three to six months to begin adding fingerprint data to their existing protocols.
“People within the security community want to get their hands on the iPhone and hammer against it to see how secure it really is,” he said.
That is certainly the case for Dave Frymier, chief information officer for Unisys, who said that while his firm has discussed letting employees use their fingerprints as a form of identification, Unisys will have to thoroughly test the sensor first.
But overall, including fingerprint technology may be better for company security, Frymier said. Even when firms require passwords or four-digit pins on their devices, he said, employees still often choose codes that are easy to crack.
“Even though we try to discourage our employees from using things like ‘1111,’ they are often pretty easy to guess,” he said.
Tim Hoechst, chief technology officer at the software and security firm Agilex, said the broad appeal of the iPhone and its new fingerprint technology could actually help persuade workers to secure their devices.
Many consumers do not even bother to put up a pass code on their phones.
“It’s a lot more secure than nothing.” Hoechst said.
Still, if enough consumers adopt the technology and clamor for their IT departments to support it, the adoption of the scanner among companies and government agencies could happen faster.
“It’s like anything in mobile, speed in adoption in enterprise is driven by speed of adoption by users,” added Ojas Rege, vice president of strategy at MobileIron — a firm that helps businesses manage their employees’ mobile devices. “If your CEO says this is how I want to do it, these things happen a lot faster.”