Trail of Bits, a New York City-based information security company, has released Tidas, a first-of-its-kind security tool for app developers that boosts user privacy and minimizes developer liability—all by ditching passwords completely.
Tidas is an iOS SDK that allows developers to offer the strongest user security protections — without the hassle of passwords — on any iPhone running iOS9.
“Mobile apps usually have an awful user experience when it comes to security,” said Dan Guido, a security researcher and co-founder of Trail of Bits. “Trying to enter a complicated password on a mobile phone is difficult, and many users settle for weaker passwords to save time and frustration.”
Tidas is the first system to tap the native security features of Apple iOS9 — Touch ID and the Secure Enclave encryption chip — to identify users without a password. Apps built with the Tidas SDK require users to touch their phone’s Touch ID sensor to create an authentication token, much in the way Apple Pay does to secure payment transactions. The authentication token is based on a cryptographic key that never leaves the Secure Enclave. Apps use this token to verify the user’s identity and access backend services with strong authentication.
Because Tidas operates in the Secure Enclave and neither collects nor stores any personal information, Trail of Bits and app developers have no access to sensitive data, such as passwords or Touch ID fingerprints, minimizing developer liability in the event of a data breach. “Even if a phone is jailbroken or infected with malware, no one can steal the keys from the Secure Enclave,” Guido said. “This is the strongest way to secure a transaction, whether it’s a password authentication or a purchase, and it’s time for app developers and users to benefit from that protection.”
Tidas is available on a free trial basis until March 31. Cloud and private enterprise versions of Tidas are available, allowing both consumer app developers as well as enterprises — especially those with high security needs, such as financial or healthcare institutions — to use the software.
