ThorneLabs

Using TouchID to Authenticate Against Websites

• Updated January 10, 2019


When Apple introduced TouchID with the iPhone 5s I knew it would slowly become a game changer. I say slowly because Apple did not open up the TouchID API to third-party Apps until recently with iOS 8.

Before iOS 8, TouchID could only be used to unlock the phone and authenticate against iTunes. Now that the TouchID API is open to third-party developers, it is only a matter of time until third-party iOS Apps begin using TouchID everywhere. 1Password, LastPass, Dropbox, and Scanner Pro, just to name a few, already have TouchID built in to unlock the App.

Apple has already expanded upon TouchID by making it a key authentication piece in Apple Pay.

But, what comes next? What more can be done with TouchID to take it to the next level?

I want to use TouchID to authenticate against websites.

Apple could create a new service, let’s call it Apple Auth, that provides an authentication API anyone can use to provide authentication on their website. How would this work?

When you go to a website that offers TouchID authentication, you specify that you want to sign in using TouchID (this is not much different from websites that let you sign in using OpenID or Facebook Login).

You are then redirected to an Apple-secured login page that knows which website you are trying to sign in to. If this is the first time you are signing in to that website, you must sign in to iCloud with your username and password. After a successful iCloud login, that website is associated with your iCloud account.

On subsequent logins to that website you enter only your iCloud username. iCloud then sends a push notification to your iOS device, naming the website that asked, and requests your TouchID fingerprint. You have to supply it within a short window, say five seconds. If the fingerprint matches, a success result goes back to iCloud, which passes it to the website and logs you in. If it does not match, or the window expires, a fail result goes back to iCloud, which passes it to the website, and you are offered the option to log in with your iCloud password instead. If you fail the password login as well, you are of course not logging in to that website. This gets everyone one step closer to the utopian world in which nobody has to remember passwords.

But usernames are not secret, and they are not supposed to be. What if someone knows your username and tries to log in? It would quickly get annoying to receive TouchID push notifications on your iOS device for logins you did not initiate. So when a TouchID push notification appears, you would have the option to flag it as fraudulent. Flagging would be a two-step process so that you do not accidentally flag a legitimate TouchID notification. Flagging a notification as fraudulent would block that IP address from ever logging in to that website again with your iCloud username, and you would be able to add and remove IP addresses from the fraudulent list through your iCloud account. An IP block is a nuisance filter rather than a hard stop, since an attacker can simply come back from a different address; the real protection is that nothing gets in without your fingerprint or your password.
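To make the proposed flow concrete, here is a small Python simulation of the "Apple Auth" service as described in the two paragraphs above: the one-time password login that associates a website with the account, the challenge that would ride along in the push notification, the five-second approval window, the success/fail result handed back to the website, and the two-step fraud flag that blocks an IP for that username and website. This is an added example, not code from this post and not anything Apple ships; the class and method names, the challenge format, and the in-memory storage are assumptions made for illustration, and the "device" is simply whoever calls device_response.

```python
import secrets
import time
from dataclasses import dataclass

# "You will have to apply your TouchID fingerprint within a certain time frame, say five seconds."
APPROVAL_WINDOW_SECONDS = 5.0


@dataclass
class PendingApproval:
    """One sign-in attempt waiting for a TouchID answer from the user's device."""
    username: str
    site: str            # shown on the device so the user knows which login they are approving
    client_ip: str       # the browser's address; this is what a fraud flag blocks
    expires_at: float
    flag_requested: bool = False   # first step of the two-step fraud flag has been taken


class AuthService:
    """Toy 'Apple Auth' identity provider (assumed design for this example, not a real service)."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so the approval window can be tested
        self.passwords = {}                # username -> password (toy only; real code stores hashes)
        self.associations = set()          # (username, site) pairs that completed a password login
        self.blocked = {}                  # (username, site) -> set of IPs flagged as fraudulent
        self.pending = {}                  # challenge -> PendingApproval

    def register(self, username, password):
        self.passwords[username] = password

    def password_login(self, username, password, site):
        """First-time sign-in to a site, or the fallback after a TouchID failure."""
        if self.passwords.get(username) != password:
            return False
        self.associations.add((username, site))   # website is now tied to this account
        return True

    def start_touchid_login(self, username, site, client_ip):
        """Later sign-ins: mint the challenge for the push notification, or None if not allowed."""
        if (username, site) not in self.associations:
            return None                    # never associated: the site must use the password flow
        if client_ip in self.blocked.get((username, site), set()):
            return None                    # this IP was flagged as fraudulent for this username+site
        challenge = secrets.token_urlsafe(16)   # unguessable and single-use: ties the answer to this attempt
        self.pending[challenge] = PendingApproval(
            username, site, client_ip, self.clock() + APPROVAL_WINDOW_SECONDS)
        return challenge

    def device_response(self, challenge, fingerprint_ok):
        """The device answers the push; the result is what iCloud relays to the website."""
        p = self.pending.pop(challenge, None)   # one answer per challenge, whatever it is
        if p is None:
            return "unknown"
        if self.clock() > p.expires_at:
            return "expired"               # website treats this like a fail and offers the password
        return "success" if fingerprint_ok else "fail"

    def flag_fraudulent(self, challenge):
        """Two-step flag: the first call asks for confirmation, the second actually blocks the IP."""
        p = self.pending.get(challenge)
        if p is None:
            return "unknown"
        if not p.flag_requested:
            p.flag_requested = True
            return "confirm"
        del self.pending[challenge]        # the attempt is dead either way
        self.blocked.setdefault((p.username, p.site), set()).add(p.client_ip)
        return "blocked"

    def unblock(self, username, site, client_ip):
        """Account-settings action: remove an address from the fraudulent list."""
        self.blocked.get((username, site), set()).discard(client_ip)


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse")                 # constructed sample account
    print(svc.password_login("alice", "correct horse", "example.com"))   # True: association made
    c = svc.start_touchid_login("alice", "example.com", "203.0.113.7")
    print(svc.device_response(c, fingerprint_ok=True))     # success
```

The challenge matters more than it looks: because the device answers a specific, single-use challenge rather than a bare "approve login?", an approval can only ever complete the attempt that generated the push, and a second answer to the same challenge is rejected.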

However, this authentication service is not something only Apple can do. Because third-party iOS Apps now have access to the TouchID API, anyone could build such a service. Facebook and the OpenID providers already have authentication infrastructure in place. Facebook could easily create a Facebook-authentication-only App that does everything described above, and any OpenID provider could do the same.