Apple should make authentication its next killer app
Some small additions in iOS 13 could point towards bigger implications for Apple and authentication in the long-term.
By Dan Moren, Contributor, MacworldJUL 25, 2019 9:00 pm PDT
When it comes to security, we often think primarily of protecting our data: encrypting it to make sure that nobody else can access it. But just as important as that is the concept of authentication: proving that we are who we say we are.
Apple has made great strides with authentication in the past few years. Biometric measures like Touch ID and Face ID help make it easier for users to identify themselves and ensure that only they can access their private data.
In Apple’s usage, that authentication has generally been inward-facing: users control access to their own files and data, and the system checks to see whether or not we are the person who should be allowed in. But beginning in iOS 13, a few minor updates will start moving that authentication into the public realm, opening up the ability for us to prove our identity to others. And there’s a lot more room for Apple to expand there.
Hello, my name is
We’ve all had the experience of using iMessage or SMS and not knowing who’s on the other end (or, as the kids say, “new phone, who dis?”). Whether it’s because it’s a wrong number or someone that we’ve met but haven’t yet put into our contacts, it can be frustrating to just have a string of numbers as identification. Apple has tried to mitigate this in recent years by using information from your email or other apps to try and guess who’s calling or texting you. For example, if you’ve been emailing with someone and their number is in their signature, iOS can cross-reference that information and let you know what it finds.
iOS 13 will take this further by allowing iMessage users the ability to voluntarily share their names and an image of their choosing with contacts, even if they’ve never been in touch before. (Users get to control whether everybody can automatically see this, only one’s existing contacts, or whether they’ll be prompted each time.) This turns iMessage into something a little closer to a social network, but—more to the point—it also potentially provides a degree of identification by linking a name with an iMessage account.
From what we can see of this system so far, it doesn’t go quite far enough to be considered authentication, as users can set their own name and image. It’s unclear at present how or if this feature will prevent someone from impersonating another person. But it’s a step closer to providing a framework where users don’t have to guess who’s contacting them.
You sign in, Apple signs off
Likewise, Apple’s new Sign In with Apple system launching this fall also endeavors to provide a degree of authentication and identification with external services. Since it’s keyed into Face ID and Touch ID, the sign in can authenticate you, and then pass along that authentication information to the website or app in question. While that may not seem much different from our current situation, the significant change here is that Apple can do all of this without sharing that information with the service in question.
Part of Sign In with Apple is the ability of Apple to safeguard your personal information, such as your email address;
as previously discussed, the system will even generate a random email address that points back to your own account. Apple, essentially, intermediates the authentication process, which puts the company in the interesting position of being the arbiter of who claims to be who.
This isn’t precisely a new role for Apple, either: Apple Pay is built on a similar idea, with Apple obfuscating your real credit card number in order to prevent fraud. Payment vendors and banks alike have agreed to trust Apple’s judgement as a middleman.
Nice to meet you
Apple is in the rare circumstance to be able to take this even further. The company has already implemented a
web of authentication, with systems in place to help individuals prove that they are who they claim to be, including knowledge factors (passwords and PINs), ownership factors (devices like an iPhone or Apple Watch), and inherence factors (biometric data), that taken together can provide a pretty conclusive call on the identity of a user.
But if Apple pointed these systems outwards, it could help to provide more assurance that the people users deal with are who they say they are as well. Imagine if such a system could be used to verify that you’re exchanging emails with the correct person (and even seamlessly encrypt those messages in the bargain). Or if you could easily exchange, say, a password-protected note or file that could only be opened by the intended participant, without users having to handle the cumbersome process of exchanging a password.
Certainly, authentication systems already exist, but they’re mostly technical and unfriendly, which means they’re not the kind of thing that gets used by the people who arguably need them the most. Apple’s already taken steps in the right direction with things like end-to-end encryption in iMessage, but authentication is something that often gets overlooked. Apple’s combination of hardware, software, and services adroitly positions the company to help provide easy and seamless authentication to its customers. And, in the long term, making authentication available to anybody on a platform benefits everybody on that platform.
Dan has been writing about all things Apple since 2006, when he first started contributing to the MacUser blog. He's a prolific podcaster and the author of the Galactic Cold War series, including his latest, The Nova Incident.