Biometrics are the heir to the password for the reign of secure authentication. There are good reasons for that: our biometrics are naturally unique to us and could hardly be more convenient. They will enable strong authentication to become a seamless, transparent process that makes login both easier and more secure. But there are different ways to implement biometric authentication, and they are not all created equal. Each has pros and cons for a given environment and application.

The most obvious choice in implementing biometrics is among the different “modalities” such as fingerprint, face, eye, iris, voice, and keystroke; each has its own personality. For authentication on a mobile device, hardware constraints dictate the modality options, and not all devices on the market are the same, particularly across different geographical regions. Many smart phones incorporate fingerprint sensors and software used for authentication, and some are even introducing iris, which definitely has strong potential but requires infrared illumination of the eyes. But these are proprietary to the device; you get what you get, and they don’t necessarily perform as desired for every application and environment (e.g. online shopping at a friend’s house vs. approval of financial transactions on a crowded subway car).

Biometric authentication can be implemented independently of the mechanisms offered by the device, which is desirable for optimizing authentication performance and features for a particular application. Another benefit is that it can operate within an application more uniformly across different devices in terms of user experience and functionality. Biometrics implemented independently of the device use universal input peripherals such as the camera, microphone, and touchscreen instead of the authentication hardware and software offered by the device supplier. This can give an app provider more control over the desired functionality and performance. An emerging approach is to enable multiple modalities and let users choose which one (or more) to use.

Facial recognition can be used on any device with a front-facing camera, including smart phones, tablets, and laptops. Facial biometrics are convenient and popular with users, but can be more susceptible than other modalities to spoofing attacks, where a fraudster uses a digital image or video of their victim’s face to impersonate them.  It’s important to implement robust liveness detection to reduce this risk.

Another choice to consider is between a device-centric and a server-centric approach: where to store the enrolled reference biometric data, and where to perform the comparison on each subsequent authentication attempt, on the device or centrally on a server. Each offers advantages and disadvantages in terms of security, performance, and functionality depending on the application, but both are likely to see widespread adoption.

In a device-centric model, the biometric comparison is performed on the mobile device or PC, and a successful match is then used to satisfy a cryptographic challenge/response between the consumer and the relying party (the party relying on the authentication, such as a retailer). A leading standard for the device-centric model, “FIDO®” from the FIDO Alliance, has been broadly advocated and will likely emerge as a dominant mechanism for strong authentication on smart phones and PCs. Because device-based biometric authentication does not require central storage of biometric data, it can’t lead to a large-scale breach where many biometrics are compromised at once. The FIDO approach offers additional security advantages over centrally stored passwords. But a lost or stolen device always provides opportunities to attempt to defeat security measures and commit fraud.
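The challenge/response flow described above, as an added Go sketch (not code from this article or from the FIDO Alliance): the relying party keeps only a public key, the device signs a server-issued nonce bound to the relying party's origin, and it does so only after the local biometric match, which a boolean stands in for here. Ed25519 keys, the origin||challenge message layout, and the single-use nonce are assumptions of this illustration, not the FIDO wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator is the device: private key and biometric match never leave it.
type Authenticator struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}
// RelyingParty (e.g. a retailer) stores a public key, never biometric data.
type RelyingParty struct {
	Origin    string
	pub       ed25519.PublicKey // received once, at registration
	challenge string            // outstanding nonce, cleared once an assertion is verified
}

func NewAuthenticator() *Authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv, Pub: pub}
}

// IssueChallenge creates a fresh 32-byte nonce for one authentication attempt.
func (rp *RelyingParty) IssueChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.challenge = string(c)
	return c
}

// Assert signs origin||challenge only if the local biometric match succeeded;
// biometricOK stands in for the on-device sensor comparison result.
func (a *Authenticator) Assert(origin string, challenge []byte, biometricOK bool) []byte {
	if !biometricOK {
		return nil // nothing signed, so nothing is sent to the relying party
	}
	return ed25519.Sign(a.priv, append([]byte(origin), challenge...))
}

// Verify accepts an assertion once (the nonce is cleared, so a captured
// signature cannot be replayed) and binds it to this relying party's origin.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	if rp.challenge == "" || string(challenge) != rp.challenge {
		return false
	}
	rp.challenge = ""
	return ed25519.Verify(rp.pub, append([]byte(rp.Origin), challenge...), sig)
}
```

A signature captured from one session is useless in the next, and a signature produced for another origin fails here even with the right key, which is the property that keeps a stolen assertion from being reused against the retailer.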

A centralized, server-centric model requires storage of biometric enrollment data on a centralized server platform, and transfer of biometric data to the server for comparison upon an authentication attempt.  This architecture might be used where stricter control of the authentication process, strength, and performance is desired, such as for managing employee access to a company’s digital assets.

For both device- and server-centric models, there is a risk that, if biometric data is compromised, it no longer offers a secure authentication method, given its inherent permanence. But while it is possible for a physical biometric source (e.g. a synthetic finger) to be reproduced from a compromised biometric template and then used to spoof an authentication, it tends to be a tedious, unreliable, and detectable process, and it’s becoming more so as anti-spoof technology matures. “Renewable biometrics” have the potential to address that issue even more resoundingly. Here, biometric templates are encoded in a way that allows them to be matched in an obfuscated domain where the original biometric features are scrambled. Renewable biometrics are maturing and gaining adoption.
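The renewable-template idea in the paragraph above, as an added toy illustration in Go (constructed for this page, not from the article or any product): raw features are projected through seeded pseudo-random directions and only the sign bits are stored, so matching happens in the scrambled domain and re-enrolling under a new seed produces an unrelated template. The 8-element feature vector, the biohashing-style sign-of-projection encoding, and the 25% Hamming threshold are assumptions of the example; real template-protection schemes use stronger transforms.

```go
package main

import "math/rand"

const (
	bits     = 128 // length of the protected binary template
	matchMax = 32  // largest Hamming distance still accepted as a match (25%)
)

// Template is all the server keeps: sign bits of seeded random projections and
// the seed id that selects them. The raw feature vector is never stored.
type Template struct {
	SeedID int64
	Bits   []byte // one byte per bit, 0 or 1
}

// project maps raw features into the obfuscated domain: each output bit is the
// sign of the dot product with a pseudo-random direction derived from seed.
func project(features []float64, seed int64) []byte {
	rng := rand.New(rand.NewSource(seed))
	out := make([]byte, bits)
	for b := range out {
		var dot float64
		for _, f := range features {
			dot += f * rng.NormFloat64()
		}
		if dot > 0 {
			out[b] = 1
		}
	}
	return out
}

// Enroll builds a template under seed; a new seed gives an unrelated template (renewal).
func Enroll(features []float64, seed int64) Template {
	return Template{SeedID: seed, Bits: project(features, seed)}
}

// Match projects the live probe under the stored seed and compares in the
// transformed domain only; it returns the Hamming distance and the decision.
func Match(stored Template, probe []float64) (int, bool) {
	live := project(probe, stored.SeedID)
	d := 0
	for i := range live {
		if live[i] != stored.Bits[i] {
			d++
		}
	}
	return d, d <= matchMax
}
```

A slightly noisy probe from the same person lands a few bits from the stored template while an unrelated person lands far outside the threshold, and if the stored bits leak, issuing a new seed invalidates them without the user having to grow a new finger.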

Biometrics enable secure authentication to be implemented with layers of challenge and risk to fraudsters that outweigh the value of the targeted asset. Like all security mechanisms, biometrics can be defeated with sufficient effort, but the barriers are high and are getting higher with techniques that make spoofing unattractive to the vast majority of even the most talented and ambitious fraudsters. Biometrics are particularly effective when combined with other approaches (e.g. the ability to erase a smart phone remotely), because the mechanisms are so different in kind: together they increase not only the effort required to defeat security measures but also the variety of skills and knowledge required to do so. This is the essence of the power of biometrics as a complementary authentication approach.