m@ksim.pro
Security

Touch ID and corporate identity: what biometrics is actually useful for, and what to avoid overstating

Biometrics is a convenient authentication factor - not a substitute for a proper identity architecture.

Apple has just announced Touch ID in the iPhone 5s - a fingerprint scanner built into the Home button. For the consumer market this is a meaningful step: unlocking a phone is now more convenient than typing a PIN. Several companies have already been asking what this means for corporate devices and for security in general.

The answer is not straightforward. Biometrics genuinely makes life easier for users - which is exactly why it has a place in corporate architecture. But taking the convenience of a consumer device and applying it directly to a corporate security model means confusing an authentication factor with an identity system.

What biometrics does well

Biometrics solves a specific problem: the user does not have to memorise a password or carry a physical token. Instead they use something they always have with them.

From a multi-factor authentication perspective, a fingerprint is a "something you are" factor alongside "something you know" (password) and "something you have" (token, phone). Adding that factor genuinely improves security when the other factors are also present.

Another advantage is friction reduction. If biometrics replaces a weak password or a PIN the user would forget anyway, average security goes up. People stop writing passwords on sticky notes.

Where biometrics does not solve the problem

The first trap: biometric data cannot be revoked. If a password is compromised, it is changed in a minute. If a fingerprint is compromised, there is no replacement. A person has ten fingers. After that, nothing.

The second trap: biometrics authenticates the device together with the person, not the person independently. Touch ID says "this phone was unlocked by the person whose fingerprint was enrolled". That is not the same as "this specific employee accessed this corporate resource at 14:32".

The third: corporate identity management policies work at the level of accounts, access rights, and sessions. Biometrics on the user's device does not integrate into that model automatically. Intermediate infrastructure is required - MDM, certificates, federated authentication.

What this changes in a corporate context

The arrival of Touch ID is a reason to revisit not whether biometrics is needed, but how mature the company's underlying identity architecture actually is.

If you have no unified user directory, no password policy, no role-based access control - biometrics will not fix that. It will add a convenient way to unlock a device that still sits in front of the same chaos. The SSO and identity federation infrastructure needs to be in place before adding another authentication factor on top of it.

If the underlying infrastructure is in place, biometrics as an additional factor on mobile devices makes sense. It reduces friction for users and does not weaken the overall model, provided the remaining factors are preserved.

Questions to assess readiness

Before discussing biometrics as a component of corporate security, these questions are worth answering:

  1. Do we have a unified identity directory - Active Directory, LDAP, or equivalent?
  2. Is multi-factor authentication in place on critical systems?
  3. Is there a mobile device management (MDM) policy?
  4. How do we handle an employee leaving - how quickly is access revoked?
  5. How do we log access to corporate resources?

If there are no confident answers to these, adding biometrics to the picture is premature. Build the foundation first.

Touch ID is an interesting product and likely an important step in normalising biometrics for a mass audience. But user convenience and a mature corporate identity model are different dimensions.
