Are biometrics the future for mobile authentication?

Fingerprint scanners like Apple's TouchID add another security layer to business devices

TODO alt text

Past attempts to introduce biometrics into business have proved futile. When laptops featured fingerprint scanners years ago, one expert was able to bypass security using a gummy bear.

But now, improved and more accurate touch scanners are bringing biometrics back into the security domain. The convenience of Apple's iPhone TouchID technology has appealed to the mass market, making it increasingly likely to appear in a corporate setting.

Apple TouchID
Apple's TouchID system

The idea of fingerprint scanners is also backed by vendors including Microsoft as an improvement to static passwords. As such, Windows 8.1 gives users the option to switch accounts and to pay for apps using this method. Meanwhile, Fujitsu is using fingerprint scanners on some of its laptops in Japan.

In the smartphone space, a wide range of devices - such as those made by HTC and Samsung - are likely to introduce scanners in the near future, while Google's Android has already dipped its toes into biometric authentication.

Some businesses will look into multimodal biometrics, which features multiple methods of identifying the user, bringing down the potential for error. Devices such as the Xbox One are already doing this by combining elements including voice and facial recognition.

Mobile devices are thought to be the next big driver for biometrics, so it's not surprising that authentication based on behaviour is another growing area. This type of biometrics can be based on elements such as typing behaviour, Thomas Bostrom Jorgensen, CEO of security vendor Encap, says: "The way you type can be used to build a profile and the device can then recognise the user."

Bypassing biometrics

So how easy are mobile biometrics to bypass? The security community isn't convinced by their viability.

In September, the German Chaos Computer Club (CCC) claimed to have defeated Apple's scanner using a latex copy of a fingerprint. The group thinks that it is "plain stupid" to use a method of authentication "that is left around every day".

"We have said now for years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints," a hacker with the nickname Starbug said at the time.

Therefore, on their own, scanners such as those used by Apple are just "security theatre", says Jon Inns, Director of Project Management at security company Accumuli."Even with TouchID enabled you still have a PIN on the iPhone 5s; the fingerprint doesn't replace that entirely – so fundamentally we're still securing sensitive information with a password," he says.

Scanners

Biometrics can be bypassed; it depends on the scanner's accuracy, Adam Badaoui, Cyber-Security Consultant at Information Risk Management, says. He adds that iris scanning, where authentication is based on a person's eye, is probably the most accurate method.

Biometrics that use what is dubbed 'local' features are also thought to be more secure, but they are complex to achieve. The first step is to capture the image; then processing is done to enhance it and make sure it's read. Next, 'binarization' takes the image and represents it in a digital form, after which the picture must be thinned down. This a complicated process using multiple algorithms.

Biometrics can also be expensive and it is therefore unlikely they will be adopted on a massive scale just yet. However, with Apple, Microsoft and Google's Android on board, it is likely this form of authentication will start appearing on an increasing number of mobile devices. When biometrics does become widespread, it will come as part of a business' layered security strategy along with mobile device management (MDM) tools, rather than forming a standalone method of authentication.