
Apple eyes cloud storage for Touch ID biometric data

According to a new patent application, Apple is looking to expand its Touch ID biometric verification system through the cloud. But will the biometric data be secure?

According to a recently released patent application, Apple Inc. may be planning to store customers' biometric data in the cloud.

Apple's Touch ID biometric verification system, which the company introduced in 2013 with the iPhone 5s, enables users to unlock the device or make purchases in Apple's iTunes or App Store through a built-in fingerprint scanner. The biometric data from Touch ID is encrypted and stored on the device's processor and isn't available to any other apps or third parties.

But that could change, according to a new patent application for what the vendor described as "finger biometric sensor data synchronization via a cloud computing device and related methods."

The patent application, which was published earlier this month by the U.S. Patent and Trademark Office and was first discovered by AppleInsider, describes a process by which the fingerprint data generated by Touch ID on an iPhone would be sent to "a cloud computing device capable of uploading and storing the enrollment finger biometric data." The second, cloud-enabled device would also have a biometric sensor of its own that could match the fingerprint data of the Touch ID device.

As a result, according to the patent, Touch ID could be used not only to unlock an iPhone but also to make electronic payments with secondary devices via the cloud, as well as over near-field communication or Bluetooth. The biometric data wouldn't include actual fingerprint scans but rather "enrollment fingerprint data" and account-verification data generated by the Touch ID device.

"The first processor may also be capable of encrypting the enrollment finger biometric data," the patent reads, "and the second processor may also be capable of decrypting the enrollment finger biometric data."

Previously, Apple has emphasized that Touch ID biometric data isn't stored anywhere beyond the "secure enclave" of the A7 chip on the user's iPhone. Not even the operating system on that device has access to the fingerprint data.

"Therefore, iOS and other apps never access your fingerprint data," Apple's website states, "it's never stored on Apple servers, and it's never backed up to iCloud or anywhere else."

Avivah Litan, vice president and distinguished analyst at Gartner Inc., a Stamford, Conn.-based analyst firm, said there's a good reason for restricting biometric data this way.

"Biometrics is fraught with privacy concerns. It's very controversial when you start storing biometric data across different companies or even within a single company," Litan said. "And everyone gets nervous when you talk about storing in the cloud."

If the biometric data is only ever stored locally on a device, Litan said, that severely limits what Apple could do with the data. But if Apple can extend that data to third parties to be used, for example, to enable electronic payment verification, then it could be a powerful addition to Apple Pay, the company's new mobile payment system.

"This seems like a natural extension of Apple Pay," she said.

But Litan said Apple must overcome a number of hurdles to turn that vision into reality, the first and most pressing being security concerns.

"Even if these devices are just exchanging enrollment data and not actual fingerprints," she said, "you have to be concerned about hackers obtaining an algorithm or whatever tool is used to unlock that data."

Another obstacle will be convincing merchants and financial services firms to support Touch ID-enabled payments and to rely on an iCloud-like service to authenticate payments -- without being able to store the biometric data on their own servers.

"Banks aren't interested in things like FIDO biometrics because the data is stored locally," Litan said. "If they're authenticating their customers with biometrics, then they want to control that process."

On the other hand, Litan said, a number of banks and large retailers have already announced support for Apple Pay. It's conceivable that these same banks might agree to support Touch ID for payment authorizations, she said, but only in exchange for owning part of the process, or perhaps being able to validate biometric data. However, that may create attack vectors for malicious hackers looking to obtain users' biometric data in addition to their credit card numbers and PII.

"This [patent] is good for Apple," she said, "but I'm not sure it's good for everyone else."
