Since the introduction of smartphones with advanced capabilities, a debate has raged over whether to trap information, including biometrics, on the device or make it available everywhere you are, by placing it in the cloud. Having lost a cell phone during a business trip in Chicago, I’m not certain that I ever truly embraced the on-device only mantra.
Still, the early influencers and industry leaders such as Apple and Samsung, along with security alliance organizations such as FIDO all proclaimed that they were committed to “on device” security and authentication only.
For more experienced biometric veterans, limiting the use cases of a valuable identity assurance tool like biometrics to in-device only simply didn’t make sense, because face to face identification and cross-device identity isn’t addressed, omitting a large portion of the value proposition for biometrics. Devices are lost and stolen and more importantly we use multiple devices to access information and consummate transactions on a daily basis and enrolling on each device could create an even bigger security risk as individual will have multiple identities associated with their devices. It’s also likely that even the most amateur of hackers can break the security code of most any device. So, then why contain security and authentication solely on the device?
Well, Apple could be doing an about face, as it files patents to move biometrics from the device to its cloud hosting store in iCloud. Will other device manufacturers follow suit and will those that have been steadfast about on device security start to soften their commitment? Apple iCloud Patent
We all understand that until Apple and the others strengthen their security platforms, that high stakes transactions will be consummated in traditional manners. Banks, retailers and the many enterprises are all sitting on the sidelines with mobile strategies and plans, but they’re putting those plans on hold until they are confident that the security can withstand inevitable attacks.
In the end, like many things in life, it may call for simple compromise. Moving forward we sense that we’ll see a combination of “on device” and cloud based authentication as we store less personal, more common information on the device and send all of the private, business and high stakes data thru the cloud. On device and cloud security, a marriage made in cyber heaven.