09/12/2014
With the forthcoming release of Apple's iOS 8 operating system for iPhone and iPad devices, there is tremendous excitement about a wide range of new features. One of the biggest impacts of iOS 8, however, may be in cybersecurity: Apple's Touch ID API opens the door for iOS fingerprint scanning to be used as a factor in two-factor authentication for websites, applications, and enterprise environments.
On its own, two-factor authentication is a great concept, but nearly all existing two-factor login solutions still require users to enter passwords during their login, which gives criminals the continued incentive to exploit security weaknesses and compromise user accounts through hacking, malware, and phishing.
The end game for cybercriminals is to steal passwords and other sensitive user credentials and then use them to access personal, confidential, and financial information from user accounts and servers. Thus, any secured service that continues to use passwords or other sensitive credentials during the login process will automatically be a prime target for cyber-attacks.
Most two-factor authentication solutions use SMS text codes to help bolster the security of traditional ID and password login combinations. With these solutions, users must log in using their ID and password and then receive a special one-time access code via SMS text transmission to their mobile device. Then they must enter the code through the login process in order to verify their identity and authenticate the login session.
Unfortunately, while SMS-based two-factor authentication is better than an ID and password alone, it has proven vulnerable in practice. Criminals have already used mobile malware and man-in-the-middle attacks against Swiss banks to defeat the same kind of SMS code delivery that the biggest names in technology and business rely on.
This is partly what has inspired speculation about the potential for Apple’s biometric fingerprint scanner to transform user account security and help developers and businesses address two-factor authentication vulnerabilities. As Dan Goodin, Security Editor of Ars Technica, has summarized it, “Adding true two-factor authentication to the iPhone would indeed be something I consider innovative.”
Now that Apple has provided its Touch ID API to developers, this innovation has become reality. By using Touch ID to unlock a credential that never leaves the device, instead of relying on a one-time code in transit over SMS, it is now possible to log into websites, applications, and networks with a verification step that avoids the problems of typical two-factor authentication methods.
Moreover, with the right cryptography, developers and businesses can take this a step further and deploy a two-factor authentication method that not only uses the Touch ID fingerprint for verification but also removes passwords and other sensitive credentials from the login process altogether. Two-step verification that does not use, transmit, or store a password or any other reusable secret leaves an attacker with no credential to steal and replay against the user's account.
SecSign Technologies, a cryptography and data security company, has already integrated Touch ID with its SecSign ID product, which provides multi-factor mobile authentication that eliminates passwords from login processes and offers the added protection of Apple’s fingerprint security.
SecSign ID allows Apple's Touch ID to be integrated as an added layer of biometric security in a mobile, multi-factor authentication scheme that replaces passwords with 2048-bit asymmetric key pairs. Using public-key cryptography, on the same principle as smartcard authentication, SecSign ID ensures that the private key is never entered during login, never stored on the server (which holds only the public key), and never transmitted between the authentication server and the user's mobile device.
For the user, the login process is simple:
Using these simple steps, a user can log in and authenticate within seconds.
Behind the scenes, the protocol is a challenge-response signature. To start the login, the user enters a non-confidential user ID on the website or in the application. This prompts the authentication server to issue a random challenge, which is delivered to the user's mobile device through the free SecSign ID mobile app. The challenge must be signed with the 2048-bit private key that is stored, encrypted, in the app on the mobile device; the server verifies the signature with the matching public key. The stored key is protected by a patented SafeKey mechanism that defends it against brute-force attack even if the user's device is lost or stolen.
To release the private key for signing, the user scans the enrolled fingerprint with Apple's Touch ID scanner. For users who do not own an iOS 8 device, SecSign ID also offers verification with a 4-digit PIN or a passcode. Touch ID can also be combined with the PIN or passcode, which together with the device-bound key (something you have), the fingerprint (something you are) and the PIN (something you know) effectively yields three-factor authentication.
This addresses one of the initial concerns about using fingerprint biometrics for logins, which was that it might be possible to clone a person’s fingerprint and use it to gain unauthorized access to a user account. But SecSign ID can combine a user’s fingerprint with additional verification requirements, thus making it virtually impossible for an unauthorized user to log into a secured service, even with a cloned fingerprint.
Important: Neither the fingerprint nor the PIN or passcode is ever transmitted. They are used only within the mobile app to verify the user's identity and rightful ownership of the private key. (With Touch ID, the app never receives fingerprint data at all; iOS performs the match and reports only success or failure.)
All of these verification methods are used only on the device. Only the user ID, the challenge and the resulting signature travel between the app and the authentication server, and the server stores only the public key, so there is nothing for attackers to steal from the server or from the login process via brute force, phishing, or malware.
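To make the exchange described above concrete, here is an added example of a device-bound challenge-response login. It is not SecSign's code and does not reproduce the SafeKey mechanism: it assumes RSA-PSS signatures over a 32-byte random challenge, AES-GCM wrapping of the private key under a PIN-derived key, and a deliberately simplified iterated SHA-256 key derivation standing in for a real password-hashing function. The names `Server`, `Device`, `Login` and the sample user ID and PIN are constructed for the illustration. It shows the two properties the text relies on: a wrong PIN yields no signature rather than a rejected signature, and each challenge is single use, so a captured signature cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Server holds only public keys and outstanding challenges; nothing stored
// here can be replayed to log in as the user.
type Server struct {
	pubKeys map[string]*rsa.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll registers the device's public key under a non-confidential user ID.
func (s *Server) Enroll(userID string, pub *rsa.PublicKey) { s.pubKeys[userID] = pub }

// Challenge is what the server sends to the app when a login is started.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[userID] = nonce
	return nonce, nil
}

// Verify accepts the login only if the signature matches the enrolled public key
// and the challenge is the one currently outstanding; the challenge is consumed
// on first use, so a captured signature cannot be replayed.
func (s *Server) Verify(userID string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[userID]
	nonce, outstanding := s.pending[userID]
	if !ok || !outstanding || !bytes.Equal(nonce, challenge) {
		return false
	}
	delete(s.pending, userID)
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Device models the mobile app: the private key sits on the phone wrapped under a
// key derived from the local PIN (on iOS 8, Touch ID would gate the same unlock).
// The PIN itself never leaves the device.
type Device struct {
	salt      []byte
	sealedKey []byte // AES-GCM ciphertext of the PKCS#1 private key
}

// deriveKey is a simplified iterated hash (assumption: stands in for a real
// password-hashing KDF such as PBKDF2 or scrypt; not the vendor's SafeKey).
func deriveKey(pin string, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pin))
	k := sha256.Sum256(h.Sum(nil))
	for i := 0; i < 100000; i++ {
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewDevice generates a 2048-bit key pair, wraps the private key under the PIN,
// and returns the device together with the public key to enroll on the server.
func NewDevice(pin string) (*Device, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(deriveKey(pin, salt))
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	sealed := gcm.Seal(nonce, nonce, x509.MarshalPKCS1PrivateKey(priv), nil)
	return &Device{salt: salt, sealedKey: sealed}, &priv.PublicKey, nil
}

// Sign unlocks the private key with the PIN and signs the server's challenge.
// A wrong PIN fails AES-GCM authentication, so no key and no signature result.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	gcm, err := newGCM(deriveKey(pin, d.salt))
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	der, err := gcm.Open(nil, d.sealedKey[:ns], d.sealedKey[ns:], nil)
	if err != nil {
		return nil, errors.New("wrong PIN: private key not unlocked")
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Login runs the whole exchange; only userID, challenge and signature cross the wire.
func Login(s *Server, d *Device, userID, pin string) bool {
	challenge, err := s.Challenge(userID)
	if err != nil {
		return false
	}
	sig, err := d.Sign(pin, challenge)
	if err != nil {
		return false
	}
	return s.Verify(userID, challenge, sig)
}

func main() {
	srv := NewServer()
	dev, pub, err := NewDevice("2468") // constructed sample PIN
	if err != nil {
		panic(err)
	}
	srv.Enroll("alice", pub) // constructed sample user ID
	fmt.Println("correct PIN:", Login(srv, dev, "alice", "2468"))
	fmt.Println("wrong PIN:  ", Login(srv, dev, "alice", "0000"))
}
```

Note what the server never sees: the PIN, the private key, or (with Touch ID) any fingerprint data. A phished user ID alone cannot complete `Login`, and a stolen copy of `sealedKey` is only useful to someone who can also produce the PIN or the fingerprint on the device.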
As John Fontana of ZDNet has pointed out, “For Touch ID to have serious impact, it needs to integrate with back-end IAM systems that enterprises have already spent millions to develop. It needs to be a factor in authentication to all applications.”
SecSign ID’s PKI authentication technology accomplishes this with two options that allow Touch ID to be integrated for use with all enterprise applications, networks, and other systems. It can be deployed for free in the cloud and integrated using convenient plugins for developers, or it can be deployed as an on-premise solution and installed on enterprise architecture, behind a company firewall, with centralized administration and reporting.
SecSign ID’s introduction of mobile two-factor authentication with Touch ID verification is a considerable breakthrough for developers and organizations that need to implement the strongest possible security to protect user accounts and confidential data. As Apple is set to launch the official release of iOS8, SecSign ID is poised to become the first solution to bring Apple’s fingerprint biometrics to developers and enterprise environments for two-factor login security.
You can watch a brief video of the Touch ID two-factor authentication process on the SecSign ID YouTube channel, and you can learn more about SecSign Technologies and SecSign ID by visiting https://www.secsign.com/.