
In your face: Mobile device authentication leans on biometrics

Facial recognition, fingerprint sensors and other advanced mobile device authentication technologies are the future of smartphone, tablet and Internet of Things security.

Mobile authentication is perhaps the simplest and most meaningful way to reduce the risks posed by lost or stolen devices.

After all, a guessed PIN foils even the best encryption. And yet, surveys repeatedly show an alarming rate of weak mobile device authentication.

Smartphones have supported numeric PINs for more than a decade, but users have been slow to adopt them. More than 20% of iPhone users still consider PINs unusable, according to a 2015 research study on the effects of Apple's Touch ID fingerprint-based authentication technology. And 30% of companies do not require their employees to use at least alphanumeric passcodes -- that is, strings of both letters and numbers -- on their mobile devices, according to a study by Champion Solutions Group.

PINs and alphanumeric passcodes are trivial to activate, but they're also relatively weak -- in part because of the ways in which they tend to be used. Users may share and reuse PINs and passcodes across multiple devices, increasing risk. And, although alphanumeric passcodes are harder to crack, too many users make easily guessed choices, such as "123456" or "password." In fact, a 2011 study found that one in seven iPhones can be unlocked by just trying the top 10 PINs.

For these reasons, mobile authentication best practices include setting and enforcing passcode use, length and complexity requirements, along with a maximum number of retries before an automatic device wipe takes place. These policies make passcodes harder to guess and prevent repeated guessing.

Manufacturers also support efforts to improve mobile device authentication. For example, iOS 9 now defaults to a six-digit passcode instead of four -- raising the number of possible combinations from 10,000 to 1 million. An attacker may still be able to use brute force to identify a passcode and use it to access a locked device -- a process that can take just hours. But upgrading from a four- to six-digit passcode increases the maximum passcode cracking time from roughly four days to more than 400.
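As an added example (not code from the article), the following Python models the passcode policy decisions in the passage above: keyspace growth from four to six digits, how a retry limit with automatic wipe bounds an attacker's guesses, and a policy check that rejects short, non-alphanumeric or commonly guessed choices. The per-guess cost and the blocklist are constructed assumptions, not figures from the article.

```python
# Constructed example values: a small blocklist of choices the article calls out as
# easily guessed, plus an assumed per-guess cost. Neither comes from the article.
WEAK_CHOICES = {"123456", "password", "0000", "1234", "1111"}
ASSUMED_SECONDS_PER_GUESS = 5.0


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of the given length over the given alphabet."""
    return alphabet_size ** length


def worst_case_crack_seconds(length: int, alphabet_size: int, seconds_per_guess: float) -> float:
    """Time to exhaust the whole keyspace at a fixed per-guess cost (no lockout)."""
    return keyspace(length, alphabet_size) * seconds_per_guess


def max_hit_probability(max_retries: int, length: int, alphabet_size: int) -> float:
    """Upper bound on an attacker's success chance when the device wipes after
    max_retries failures and the passcode was chosen uniformly at random."""
    return min(1.0, max_retries / keyspace(length, alphabet_size))


def passcode_meets_policy(code: str, min_length: int, require_alphanumeric: bool,
                          blocklist: set = WEAK_CHOICES) -> tuple:
    """Enforce the length, complexity and 'not easily guessed' rules from the text."""
    if len(code) < min_length:
        return False, f"shorter than {min_length} characters"
    has_alpha = any(c.isalpha() for c in code)
    has_digit = any(c.isdigit() for c in code)
    if require_alphanumeric and not (has_alpha and has_digit):
        return False, "must contain both letters and digits"
    if code.lower() in blocklist:
        return False, "commonly guessed value"
    return True, "ok"


if __name__ == "__main__":
    for length in (4, 6):
        secs = worst_case_crack_seconds(length, 10, ASSUMED_SECONDS_PER_GUESS)
        print(f"{length}-digit PIN: {keyspace(length, 10):,} combinations, "
              f"worst case {secs / 86400:.1f} days at {ASSUMED_SECONDS_PER_GUESS}s/guess, "
              f"<= {max_hit_probability(10, length, 10):.4%} chance in 10 tries before wipe")
    for candidate in ("1234", "123456", "password", "gr8Tea2Day"):
        print(candidate, passcode_meets_policy(candidate, 6, True))
```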

Biometrics and multifactor mobile authentication

An increasingly popular alternative to PINs and passcodes is biometric authentication.

Several years ago, Android blazed a trail towards integrated biometrics with Face Unlock, which uses a mobile device's camera and facial recognition technology to scan and authenticate users. Early versions of Face Unlock were error prone and too easily fooled -- a picture of the authorized user could be enough to unlock the phone -- and although the feature has improved, adoption continues to lag.

Apple has had more success with Touch ID, which it introduced on the iPhone 5s. In iOS 9, Touch ID unlocks not just devices but also individual apps. The latest version of Android now supports app-level fingerprint authentication as well.

Touch ID also requires users to enter their passcodes each time they power on their iOS devices. In other words, Touch ID is a form of multifactor authentication, which combines something you know -- a passcode -- with something you are -- a fingerprint.

This approach makes Touch ID more secure than it would be on its own, but users can always skip fingerprint authentication and enter their passcodes instead. As such, Touch ID is ultimately no more secure than the passcode, and it is still very important for Touch ID users to choose a good passcode. Touch ID just makes the idea of setting a long, complex passcode more palatable, since users don't have to enter it as frequently.

By combining either passcodes (something you know) or biometrics (something you are) with mobile devices themselves (something you have), devices and applications can require true multifactor authentication.

In these cases, someone who steals your phone cannot successfully authenticate without your passcode or fingerprint. Someone who knows your passcode or takes a photo of your face cannot successfully authenticate without your phone. Multifactor authentication options overcome the problems of credential sharing and better resist brute-force attacks.

This phone-as-a-token approach is just one form of multifactor authentication. Other methods include PINs sent via text message to phones, or one-time password generator apps running on mobile devices. These authentication methods are poised for significant growth and will eat into the market for dedicated hardware tokens, according to Gartner.

Looking ahead

Mobile device authentication will continue to evolve. Wearables are just starting to emerge as hardware tokens that can unlock smartphones in close proximity. Contextual information, such as the user's location, increasingly factors into authentication decisions as well. And industry efforts such as the Fast IDentity Online Alliance promote adoption of universal authentication frameworks.

Mobile authentication is moving beyond unlocking devices. It is fast becoming a foundation for unlocking the mobile enterprise and the Internet of Things.
