How can biometric authentication improve mobile security?

Traditional mobile authentication

The most common mobile authentication method is the standard passcode, in which users enter specific letters, numbers or symbols to access their devices. This approach is extremely simple to use -- as long as users don't forget their passcodes -- but it only provides minimal protection. Users might write them down or use the same passcode for multiple devices or personal logins. Passcodes are easy for potential hackers to crack, and they're susceptible to shoulder surfing -- someone determining the passcode by simply looking over the user's shoulder.

Another common mobile authentication method is the action pattern. With this approach, users recreate certain patterns by dragging their fingers across the screen. The action pattern is more cumbersome for users than passcodes; this is especially true as the patterns become more complex. Action patterns are slightly more secure than passcodes, but the overall security of this method depends on the pattern's complexity. Action patterns can also fall victim to shoulder surfing, and users may leave marks on the screens from repeatedly entering the same pattern.

Today's biometric authentication systems include checks to verify that the biometric factors aren't coming from video or audio recordings as well.

A more secure mobile authentication option is the security key, a small token that mobile devices can read with a Bluetooth or near-field communication scan. Security keys can log users on to their devices and applications without requiring any passcode or action pattern inputs from the users. The security key uses public and private credentials that hackers can't reuse and users can't share. End users must have their security keys with them whenever they access their devices, however. Users can lose or temporarily misplace the keys, which leaves open the possibility of a hacker stealing a key and accessing a device freely.

Enter: biometric authentication factors

Biometric authentication relies on unique biological characteristics, such as a fingerprint, an iris, a face or even a heartbeat. These characteristics are much more difficult for hackers and criminals to exploit because they're unique to each individual. Today's biometric authentication systems include checks to verify that the biometric factors aren't coming from video or audio recordings as well.

With biometric authentication for mobile devices, users don't have to remember passcodes or action patterns, and they don't have to carry around security keys. They can authenticate to their devices at any time in any place with little effort or thought.

Like any other mobile authentication method, biometric authentication also has its risks, such as potential false positives or compromised digital image files. Once a hacker steals a biometric image, that biometric factor is compromised forever; users cannot change their fingerprints or faces if those images are stolen. Fortunately, Apple iOS and Google Android devices have built-in mechanisms to protect biometric data, but that doesn't guarantee the devices will remain impenetrable forever.

Is biometric alone enough?

All authentication mechanisms carry risks. Biometric scanners and security keys might provide better protection than passcodes or action patterns, but no approach is perfect.

For this reason, IT should implement multifactor authentication (MFA) for all users who access corporate resources through their mobile devices. MFA requires users to carry out two or more authentication methods when they access resources, such as using biometrics along with a one-time passcode delivered via a text message.

Some MFA approaches are clunky for mobile users, but if IT includes a biometric authentication factor, it should provide at least one authentication factor that is quick and easy. A multifactor approach to authentication can significantly decrease the risks of a hacker gaining access to corporate resources, while providing much tighter controls than any one approach alone.