Biometrics use “inherent” factors (something the user is) to authenticate a user’s identity. Relative to knowledge- and possession-based authentication methods (something the user knows and something the user has), inherent authentication factors like biometrics are difficult to steal and spoof. We can’t easily tell when a fraudster uses a stolen password or mobile device, but with biometrics and liveness detection we can better detect when a fraudster is at work so that their access can be prevented.
Increasingly, modern smartphones incorporate biometric authentication capabilities, often using custom sensors.
Incorporating biometrics into the mobile application itself, rather than relying solely on whatever the handset provides, achieves several goals:
- Authentication performance that is known, and not dependent on the user's device.
- Flexibility to apply different biometric modalities and matching thresholds.
- Consistent user experience between devices.
- Universal support for a password-free experience regardless of user device.
Using multiple biometric modalities for authentication (e.g. keystroke analysis with facial recognition) can achieve higher biometric performance by creating more obstacles for cybercriminals without compromising convenience.
The Ongoing Debate
While most security experts can see eye-to-eye on the benefits of biometric-based mobile authentication, the underlying architecture with which to implement biometrics is less clear; more specifically, whether a server- or device-centric architecture is more effective and secure.
The client-versus-server debate is as old as computing itself; we have seen it take place in countless other computing applications and environments. There have been ebbs and flows as mobile devices, networks, and software have become much more powerful and sophisticated. At its most basic level, biometric authentication has a lot in common with other classic computing tasks: the need to capture data, analyze the data, provide a result, and do it in a secure and efficient fashion. So we see some of the same issues with biometrics that we have seen before.
This paper illuminates some of the questions around device- and server-centric biometric authentication by identifying their respective strengths and weaknesses and providing examples of where one may be preferred over the other.
Server-Centric Architecture
In this setup, the biometric template is enrolled and stored centrally in a secure server. Matching and liveness detection upon an authentication attempt are performed centrally, as opposed to on each individual device. Each time the user performs a verification attempt, the captured sample is sent to the central matching engine, where it is processed and matched against the enrolled template stored centrally.
Device-Centric Architecture
The analysis, biometric template creation, storage, and matching all occur locally on the device. In a FIDO-compliant system, a successful biometric match grants access to a private key stored on the device, which is in turn used to respond to a PKI challenge from a relying party, such as a bank or retailer whose app is running on the device. The private key never actually leaves the mobile device.
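A simplified model of the device-centric flow just described, added here as an illustration rather than code from the paper or from any FIDO implementation: the device generates a key pair at enrollment and hands out only the public key; a challenge is signed only when the (simulated) local biometric match succeeds; and the relying party verifies the response with the enrolled public key. The relying-party binding in the signed message, the Ed25519 choice and all names are assumptions of this example, not details from the paper.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device models the handset: priv is unexported and never returned ("the private
// key never leaves the mobile device"); BiometricMatch simulates the local matcher.
type Device struct {
	priv           ed25519.PrivateKey
	BiometricMatch bool
}

// NewDevice is enrollment: the key pair is generated on the device and only
// the public key is registered with the relying party.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// signedMessage binds the challenge to the relying-party ID so a response for one RP cannot be replayed to another.
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Sign releases a signature only after a successful local biometric match.
func (d *Device) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !d.BiometricMatch {
		return nil, errors.New("biometric match failed: private key stays locked")
	}
	return ed25519.Sign(d.priv, signedMessage(rpID, challenge)), nil
}

// Authenticate is the relying party's side (e.g. a bank): fresh challenge, device signs, RP verifies with the enrolled key.
func Authenticate(rpID string, pub ed25519.PublicKey, d *Device) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := d.Sign(rpID, challenge)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, signedMessage(rpID, challenge), sig), nil
}
```

Note that the relying party never receives a biometric sample or template; it only ever sees the public key and signed challenges, which is the property that distinguishes this architecture from the server-centric one.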
Advantages of Each
Clearly there are advantages, disadvantages, and tradeoffs associated with both architectures. These characteristics will lend themselves to distinct use cases. Where one method may excel, another may fall short, but one is not necessarily better than the other.
Which is best depends on your priorities