Biometric Authentication: Making mobile devices and apps safer
According to comScore, from September 2010 to September 2014, smartphone usage increased by 394 percent, while tablet usage rose by an astronomical 1,721 percent in the United States. So it’s certainly no surprise that mobile payments are predicted to skyrocket over the next five years. This shows that the global mobile payment volume in 2015 was 450 billion U.S. dollars, and projects that number to surpass 1 trillion U.S. dollars in 2019.
With the growing interest in and use of mobile devices and payments, users are rightfully concerned with cybersecurity threats. To combat these threats, there has been a surge in using biometric technologies for user authentication.
What are biometric solutions and how can they increase safe authentication?
Biometric solutions measure specific characteristics of a person, including voice, handwriting, fingerprint(s), face, retina or iris of the eye, gait, vein infrared thermogram, hand geometry and palm print, or a combination of these identifiers, termed multimodal biometrics -- essentially, "something about you" that is practically impossible to copy, steal or reproduce. Biometric-based authentication provides a robust alternative to using passwords and PINs. It validates the identity of a user by measuring unique physiological and behavioral characteristics of an individual. Such a measure maximizes between-person random variations (e.g. someone else putting in your password), while at the same time minimizing within-person variability. In contrast with passwords and PINs, a biometric identifier cannot be lost, forgotten or shared.
Mobile payments and biometric verification
MasterCard has been working to announce its "selfie" pay, which allows users to approve online purchases by taking a picture of themselves (facial recognition) for verification; users can also opt to authenticate their purchase with a fingerprint. The accuracy of facial recognition systems can vary greatly due to factors like lighting, camera angle, sensitivity and more. Likewise, fingerprint readers are affected by temperature, position and other factors.
Yes, it is feasible that biometric authentication can become an actual form of providing credentials (although it should be combined with multi-factor methods). Hardware devices do potentially offer ideal security but often the problem is the need to carry such a device on the person. Hence the move towards making our mobile phones the actual hardware device. One popular hardware approach for authentication is smart cards. Smart card technology provides an excellent medium for storing biometrics. A smart card can provide a strong authentication platform in our pocket. Mobile phones and smart cards can be used for both physical and logical access authentication.
Making Biometrics effective
Fingerprint scanners have been mass-produced for mobile phones due to Apple’s Touch ID system, and have of course been integrated into laptops for years, yet are hardly used. The Touch ID system from Apple is quite impressive from a security perspective. However, fingerprint scanners are not the be-all and end-all solution for preventing identity theft and cybersecurity threats, as we leave fingerprints on every surface we touch. There have been many examples of Apple's Touch ID being bypassed through the use of scanners, latex and patience.
The most widespread authentication approach today relies solely on passwords. Deploying proper biometric solutions should significantly reduce identity theft, with great benefits for the economy, by replacing password-only authentication with more reliable solutions. The most successful way to use biometrics for security is to incorporate multi-factor authentication, which reduces risk by involving separate types of factors that require an attacker to use different methods of attack, thus making a breach more difficult.
Multi-factor authentication combines at least two of the following methods to strongly authenticate a user. A PIN plus a password is therefore not actually multi-factor, since both items are something you know. Full three-factor authentication, when combined with a device ID, allows enterprises to easily combine "what we have" and "what we know" with the all-important "who we are", integrating a core benefit into future security systems. The methods are:
- Something you know (typically a password/PIN)
- Something you have (a trusted device identifier that is not easily duplicated, e.g. location)
- Something you are (a unique biometric)
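The rule above (two credentials from the same category do not count as two factors) can be enforced in code. The following is an added example, not part of the original article; the authenticator names, the mapping table and the function names are assumptions chosen for illustration.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of authenticator types to factor categories (illustrative names).
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "device_id": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def distinct_factors(evidence):
    """Return the set of factor categories proven by the evidence.

    evidence: iterable of (authenticator_type, verified) pairs.
    Failed verifications and unknown authenticator types contribute nothing,
    and several authenticators of one category still count as one factor.
    """
    factors = set()
    for kind, verified in evidence:
        factor = AUTHENTICATOR_FACTOR.get(kind.lower())
        if verified and factor is not None:
            factors.add(factor)
    return factors


def meets_policy(evidence, required=2):
    """True only if at least `required` different categories were verified."""
    return len(distinct_factors(evidence)) >= required


if __name__ == "__main__":
    # Constructed sample logins.
    print(meets_policy([("pin", True), ("password", True)]))          # same category
    print(meets_policy([("password", True), ("fingerprint", True)]))  # two categories
```

Counting categories rather than credentials is what makes a PIN plus a password fail the check while a password plus a fingerprint passes.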
Widespread Adoption and Concerns
Trust is particularly important for consumers when it comes to using biometrics with financial institutions and merchant purchases, with concerns including identity theft, the inconvenience of account blocking, etc. We can expect that the first true full-scale biometrics deployment will involve mobile payments and other financial organizations.
It’s estimated that online "direct" fraud is costing the global economy around £60bn a year. The associated indirect costs of identity theft and recovery have not been fully quantified but it’s possibly 10 times the actual direct costs. Large e-commerce merchants believe that fraud is inevitable but understand that their prevention efforts will result in more positive customer relationships, and ensuring the proper security measures are in place will help with that.
In order to make biometric authentication successful, companies need to introduce multi-factor authentication and be sure that users are educated on how and why they are using biometrics.
Kevin Curran is an IEEE Senior Member and is with the Faculty of Computing and Engineering, University of Ulster. His achievements include winning and managing UK & European Framework projects and Technology Transfer Schemes. Dr Curran has made significant contributions to advancing the knowledge and understanding of computer networking and systems, evidenced by over 700 published research papers.