Touch ID brings Hollywood tech to the masses
Apple introduced Touch ID in its iPhone in 2013 — the first implementation of biometric identification in common, consumer-level devices.
In the decade since, fingerprint and facial recognition have deftly added convenient security to nearly every new mobile device and computer. Where biometric identification was once relegated to high-security installations and Hollywood movies, it’s now integrated into our everyday use of technology.
Most cybersecurity measures that we recommend will trade off between convenience and security: we want our data protected, but also not so locked down that workflows are impacted. Biometric identification is one of the rare tools that increases security and convenience at the same time.
- Your fingerprint and face identify you and you alone — unlike passwords, which can be shared or stolen.
- Presenting your fingerprint or face to your device is quicker, easier, and less prone to data-entry errors than password or passcode entry.
- Biometrics are highly resistant to fraud and extremely secure. (Unless you’re Nicolas Cage in the 1997 action hit Face/Off, the chances of someone stealing your face are quite limited.)
Limited integration of biometrics on computers
Mobile devices have integrated biometrics for many functions that need additional security — not just to unlock your phone, but to log in to specific apps and make payments. But laptops and computers have lagged behind in implementation, often using Apple’s Touch ID and Windows Hello only for unlocking the computer and making certain system-level changes: logging into your important web-based services is still usually done by password because your web browser can’t tap into the secure biometric identifiers saved to your device.
As we have pushed for clients to enable multi-factor authentication (MFA) for everything under the sun, we’ve found users suffering from “MFA fatigue” — being asked too many times a day for a password and additional passcode — which weakens their acceptance of MFA as a security measure. That reluctance is itself a security weakness, because users who resent MFA will resist enabling it.
Enter JumpCloud Go
JumpCloud (the service we use most often for our Identity Management service) has taken advantage of its unique position as an authentication provider for devices and services to bridge the gap between biometric verification and service authentication. Their tool, JumpCloud Go, enables users to log into federated services in their web browser using just Touch ID or Windows Hello.
- Users and their devices need to be enrolled in JumpCloud, so local computer login credentials are managed by JumpCloud.
- Macktez binds organizational services such as Google, Microsoft, Zoom, and Dropbox to JumpCloud SSO.
- Users set up Touch ID or Windows Hello on their computers.
- Macktez pushes the Chrome extension JumpCloud Go to users’ computers.
Now when users log in to a bound service — Google, for example — instead of JumpCloud prompting for a password, JumpCloud prompts for biometric verification: users get a more secure and more convenient way to log in to their most important online services.
Device trust
In our implementation of JumpCloud Go, we prefer to add an extra step of security to the initial computer login. Yes, that means retrieving an MFA code when you first log in to your computer after a reboot. But that additional step provides another layer of trust for the device, and lets us have full confidence that replacing the later MFA prompt with device biometric verification is entirely secure.
We implemented device MFA and JumpCloud Go on Macktez workstations last year and we love it. Since then, we’ve helped a number of existing clients upgrade their security profile, and made this a default implementation for new clients. Especially for users suffering from MFA fatigue, JumpCloud Go is an excellent tool for tighter compliance and stronger security.