In many ways, biometric authentication is superior to a traditional password due to its convenience and resistance to common attack vectors. But biometric authentication still faces its fair share of threats.
If a hacker gains access to a user’s biometric data, that user can’t reset their biometrics the way they might reset a compromised password. Malicious actors can also use fake mobile biometric input to spoof mobile devices.
Organizations that support and manage mobile devices should learn about biometric authentication advantages and disadvantages for enterprise mobility.
What biometric authentication does right
Biometric authentication is the process of verifying a user’s identity based on unique physical characteristics, such as the user’s retina, voice, fingerprint or facial features, and it presents a number of advantages. The most common approaches to mobile biometric authentication are fingerprint scanning and facial recognition. One of the biggest advantages to fingerprint and facial scans is the degree to which biometrics simplify authentication.
Mobile users only need to place their finger on a scanner or look at their device’s camera to gain immediate access to the mobile device. They do not need to enter or remember complex passwords and passcodes, nor do they need to deal with password refreshes.
Mobile biometric authentication based on physical characteristics is more secure than traditional passwords. This is because each user’s biometric characteristics are unique, so the biometric authentication factor provides a high degree of certainty that the individual logging onto the device is indeed the owner of the device.
Password-based authentication is notoriously flawed and hackable. Users can lose, forget or accidentally divulge their passwords, and hackers can steal or crack passwords. In contrast, biometric authentication makes it much more difficult to guess the authentication factor or trick users into revealing it. Additionally, users cannot forget biometric factors in the way they could a passcode.
Mobile biometrics come out ahead of other biometrics, as well, because the users’ data is stored on the device and never transmitted across networks or collected on centralized servers — two common criticisms of biometric authentication. Today’s mobile devices also take important measures to protect the data on the device, such as using advanced encryption and isolation techniques.
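As an added example (not code from the article or from any vendor it mentions), the following Kotlin sketch shows how an Android app leans on the on-device protections described above: the biometric template stays inside the platform's protected hardware, the app never reads it, and a successful match merely authorises one use of a hardware-backed AES key. It uses the real Android Keystore and androidx.biometric APIs; the key alias, object and function names, and the prompt strings are assumptions. iOS offers an analogous pattern through the Secure Enclave and keychain access control, which is not shown here.

```kotlin
// Added example, not from the original article. The app never handles
// fingerprint or face data; it only receives a Cipher that the Android
// Keystore authorises after the platform reports a successful match.
// Assumed names: BiometricGate, KEY_ALIAS, the prompt strings.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

object BiometricGate {
    private const val KEY_ALIAS = "enterprise-vault-key" // assumed alias
    private const val KEYSTORE = "AndroidKeyStore"

    // Defender's pre-check: only proceed when a class 3 (strong) sensor exists.
    fun isStrongBiometricAvailable(activity: FragmentActivity): Boolean =
        BiometricManager.from(activity)
            .canAuthenticate(BiometricManager.Authenticators.BIOMETRIC_STRONG) ==
            BiometricManager.BIOMETRIC_SUCCESS

    // Create (once) an AES-GCM key that can only be used after biometric auth.
    // setUserAuthenticationRequired(true) with the default per-use timeout means
    // every use of the key needs a fresh match; setInvalidatedByBiometricEnrollment
    // destroys the key if a new fingerprint or face is enrolled, so someone who
    // adds their own biometric to the device cannot unlock data encrypted earlier.
    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(true)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    // Ask the platform to authenticate; the keystore authorises the cipher
    // operation only if the match succeeds. Decryption follows the same flow
    // with Cipher.DECRYPT_MODE and a GCMParameterSpec carrying the stored IV.
    fun encryptAfterBiometric(
        activity: FragmentActivity,
        plaintext: ByteArray,
        onResult: (ciphertext: ByteArray, iv: ByteArray) -> Unit,
        onError: (String) -> Unit
    ) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey()) // unauthorised until the prompt succeeds

        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Use only the cipher returned in the result: that is the instance
                // the keystore has bound to this authentication.
                val authorised = result.cryptoObject?.cipher
                    ?: return onError("no crypto object returned")
                val ciphertext = authorised.doFinal(plaintext)
                onResult(ciphertext, authorised.iv)
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onError("auth error $errorCode: $errString") // lockout, cancel, hardware issue
            }
            override fun onAuthenticationFailed() {
                // A non-matching biometric: the prompt stays up and nothing is unlocked.
            }
        }

        val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock enterprise data")
            .setSubtitle("The match is checked on this device only")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}
```

Three choices in this sketch carry the security weight: restricting the prompt to BIOMETRIC_STRONG so weaker sensors cannot unlock the key, tying the key to the current enrolment so a newly enrolled biometric does not inherit access to old data, and requiring a fresh match per key use rather than a time window. None of these involve the app reading or storing a template, which is the property the paragraph above credits mobile biometrics with.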
Where mobile biometrics can go wrong
Mobile biometric authentication is more convenient than passcodes, and mobile devices have several safeguards for biometric data. But these devices might still be vulnerable to significant risks. Hackers are continuously looking for ways to penetrate biometric defenses.
There is a chance, for example, that hackers could break into iOS’ Secure Enclave, the specially designed storage location that ensures biometric data never leaves the iOS device, and reverse-engineer the biometric file to access the data. The odds of a hacker accomplishing this feat might be slim, but no system can ensure indefinite immunity to all threats. Even if Android and iOS were able to guarantee such protections, there are other less direct risks to consider.
In 2015, for example, cybercriminals targeted the U.S. Office of Personnel Management and stole the fingerprints of 5.6 million current and former government employees. The hackers could come up with a way to use these fingerprints to target mobile devices that rely on fingerprint authentication. Initially, this type of attack might be limited to direct physical attacks that target the devices of specific individuals, such as high-profile users with access to sensitive data. At some point, however, the criminals might also figure out ways to spoof mobile devices remotely, making it possible to hack them en masse.
In the same year that hackers targeted the Office of Personnel Management, researchers demonstrated how they could remotely steal fingerprints from Android devices and gain access to them. Although Google has since fixed this security hole, it demonstrates that mobile biometric hacking is hard to predict and difficult to prevent, especially if the would-be hackers are motivated enough.
Part two of this two-part series discusses the potential logistical and legal concerns of mobile biometric authentication in the enterprise.