In your face: Mobile device authentication leans on biometrics

Facial recognition, fingerprint sensors and other advanced mobile device authentication technologies are the future of smartphone, tablet and Internet of Things security.

Mobile authentication is perhaps the simplest and most meaningful way to reduce the risks posed by lost or stolen devices.

After all, it's easy to guess a PIN and foil even the best encryption. And yet, surveys repeatedly show an alarming rate of weak mobile device authentication.

Smartphones have supported numeric PINs for more than a decade, but users have been slow to adopt them. More than 20% of iPhone users still consider PINs unusable, according to a 2015 research study on the effects of Apple's Touch ID fingerprint-based authentication technology. And 30% of companies do not require their employees to use at least alphanumeric passcodes -- that is, strings of both letters and numbers -- on their mobile devices, according to a study by Champion Solutions Group.

PINs and alphanumeric passcodes are trivial to activate, but they're also relatively weak -- in part because of the ways in which they tend to be used. Users may share and reuse PINs and passcodes across multiple devices, increasing risk. And, although alphanumeric passcodes are harder to crack, too many users make easily guessed choices, such as "123456" or "password." In fact, a 2011 study found that one in seven iPhones can be unlocked by just trying the top 10 PINs.

For these reasons, mobile authentication best practices include setting and enforcing passcode use, length and complexity requirements, along with a maximum number of retries before an automatic device wipe takes place. These policies make passcodes harder to guess and prevent repeated guessing.

Manufacturers also support efforts to improve mobile device authentication. For example, iOS 9 now defaults to a six-digit passcode instead of four -- raising the number of possible combinations from 10,000 to 1 million. An attacker may still be able to use brute force to identify a passcode and use it to access a locked device -- a process that can take just hours. But upgrading from a four- to six-digit passcode increases the maximum passcode cracking time from roughly four days to more than 400.
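The passcode policy the article describes (length and complexity rules, a denylist of easily guessed choices, and a retry limit before wipe) and the four-versus-six-digit arithmetic it quotes can be expressed in a few lines. The following is an added example written for this page, not code from the article or from any vendor named in it; the function names are this example's own, and the 34.56 seconds-per-guess figure is a constructed value chosen so that the 10,000-code keyspace takes about four days, matching the article's estimate.

```python
"""Passcode policy checks and brute-force arithmetic for device unlock codes.

Added example, not from the original article. The function names and the
per-guess delay are assumptions; 34.56 s/guess is constructed so that
10,000 four-digit PINs take roughly four days to exhaust.
"""
import hmac

# Constructed denylist of the kind of choices the article calls easily guessed.
COMMON_PASSCODES = {"1234", "0000", "1111", "123456", "password", "12345678"}


def pin_keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct codes of the given length (10**length for digit PINs)."""
    return alphabet_size ** length


def brute_force_days(length: int, seconds_per_guess: float, alphabet_size: int = 10) -> float:
    """Worst-case time, in days, to try every code in the keyspace once."""
    return pin_keyspace(length, alphabet_size) * seconds_per_guess / 86400


def check_passcode(passcode: str, min_length: int = 6, alphanumeric: bool = True) -> list:
    """Return the list of policy violations; an empty list means the passcode passes."""
    problems = []
    if len(passcode) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if alphanumeric:
        if not any(c.isalpha() for c in passcode):
            problems.append("no letters")
        if not any(c.isdigit() for c in passcode):
            problems.append("no digits")
    if passcode.lower() in COMMON_PASSCODES:
        problems.append("on the common-passcode denylist")
    # A single repeated character or a straight run (1234, abcd) is trivially guessable.
    if len(set(passcode)) == 1:
        problems.append("single repeated character")
    elif all(ord(b) - ord(a) == 1 for a, b in zip(passcode, passcode[1:])):
        problems.append("sequential characters")
    return problems


class RetryCounter:
    """Counts failed unlock attempts and wipes once the configured maximum is reached.

    A real device compares against a key derived from the passcode rather than the
    passcode itself; the plain string here keeps the example self-contained.
    """

    def __init__(self, max_retries: int = 10):
        self.max_retries = max_retries
        self.failures = 0
        self.wiped = False

    def attempt(self, entered: str, stored: str) -> str:
        """Return 'unlocked', 'denied' or 'wiped' for one unlock attempt."""
        if self.wiped:
            return "wiped"
        # Constant-time comparison so the check itself leaks nothing about the code.
        if hmac.compare_digest(entered.encode(), stored.encode()):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_retries:
            self.wiped = True
            return "wiped"
        return "denied"


if __name__ == "__main__":
    for n in (4, 6):
        print(f"{n} digits: {pin_keyspace(n):>9,} codes, "
              f"{brute_force_days(n, 34.56):.0f} days to exhaust")
    print("123456 ->", check_passcode("123456", alphanumeric=False))
    counter = RetryCounter(max_retries=3)
    print([counter.attempt(g, "Secure4Code") for g in ("1234", "0000", "1111", "Secure4Code")])
```

The retry counter is the piece that turns a slow-but-certain search into a bounded one: with a ten-try limit, an attacker facing a random six-digit code succeeds with probability about 1 in 100,000 rather than eventually.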

Biometrics and multifactor mobile authentication

An increasingly popular alternative to PINs and passcodes is biometric authentication.

Several years ago, Android blazed a trail towards integrated biometrics with Face Unlock, which uses a mobile device's camera and facial recognition technology to scan and authenticate users. Early versions of Face Unlock were error prone and too easily fooled -- a picture of the authorized user could be enough to unlock the phone -- and although the feature has improved, adoption continues to lag.

Apple has had more success with Touch ID, which it introduced on the iPhone 5s. In iOS 9, Touch ID unlocks not just devices but also individual apps. The latest version of Android now supports app-level fingerprint authentication as well.

Touch ID also requires users to enter their passcodes each time they power on their iOS devices. In other words, Touch ID is a form of multifactor authentication, which combines something you know -- a passcode -- with something you are -- a fingerprint.

This approach makes Touch ID more secure than it would be on its own, but users can always skip fingerprint authentication and enter their passcodes instead. As such, Touch ID is ultimately no more secure than the passcode, and it is still very important for Touch ID users to choose a good passcode. Touch ID just makes the idea of setting a long, complex passcode more palatable, since users don't have to enter it as frequently.

By combining either passcodes (something you know) or biometrics (something you are) with mobile devices themselves (something you have), devices and applications can require true multifactor authentication.

In these cases, someone who steals your phone cannot successfully authenticate without your passcode or fingerprint. Someone who knows your passcode or takes a photo of your face cannot successfully authenticate without your phone. Multifactor authentication options overcome the problems of credential sharing and better resist brute-force attacks.

This phone-as-a-token approach is just one form of multifactor authentication. Other methods include PINs sent via text message to phones, or one-time password generator apps running on mobile devices. These authentication methods are poised for significant growth and will eat into the market for dedicated hardware tokens, according to Gartner.

Looking ahead

Mobile device authentication will continue to evolve. Wearables are just starting to emerge as hardware tokens that can unlock smartphones in close proximity. Contextual information, such as the user's location, increasingly factors into authentication decisions as well. And industry efforts such as the Fast IDentity Online Alliance promote adoption of universal authentication frameworks.

Mobile authentication is moving beyond unlocking devices. It is fast becoming a foundation for unlocking the mobile enterprise and the Internet of Things.

Leaning on biometrics for pleasing criminals?

Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at


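The conjunction-versus-disjunction point in the comment above, and the article's own observation that Touch ID with a passcode fallback is no more secure than the passcode, reduce to simple probability arithmetic: with an OR combination an impostor succeeds if either factor accepts, with an AND combination only if both do, and the false-rejection cost moves the opposite way. The following is an added example written for this page, not code from the article or from the commenter. The 1-in-7 top-ten-PIN figure and the ten-try limit come from the article; the biometric false-acceptance and false-rejection rates are illustrative assumptions, not vendor figures.

```python
"""Impostor-acceptance and lockout arithmetic for biometric + passcode combinations.

Added example, not part of the article or of any comment on it. Biometric error
rates below are constructed assumptions; the PIN figures follow the article.
"""


def guess_success(tries: int, keyspace: int) -> float:
    """Chance of guessing a uniformly random code within the allowed number of tries."""
    return min(1.0, tries / keyspace)


def or_acceptance(far_bio: float, p_pw: float) -> float:
    """Impostor gets in if EITHER factor accepts (biometric with a passcode fallback)."""
    return 1.0 - (1.0 - far_bio) * (1.0 - p_pw)


def and_acceptance(far_bio: float, p_pw: float) -> float:
    """Impostor gets in only if BOTH factors accept (true conjunction)."""
    return far_bio * p_pw


def or_rejection(frr_bio: float, frr_pw: float) -> float:
    """Legitimate user is locked out only if both factors reject."""
    return frr_bio * frr_pw


def and_rejection(frr_bio: float, frr_pw: float) -> float:
    """Legitimate user is locked out if either factor rejects."""
    return 1.0 - (1.0 - frr_bio) * (1.0 - frr_pw)


def compare(far_bio: float, frr_bio: float, p_pw: float, frr_pw: float) -> dict:
    """Security (impostor accepted) and usability (owner rejected) for both combinations."""
    return {
        "OR": {"impostor_accepted": or_acceptance(far_bio, p_pw),
               "owner_rejected": or_rejection(frr_bio, frr_pw)},
        "AND": {"impostor_accepted": and_acceptance(far_bio, p_pw),
                "owner_rejected": and_rejection(frr_bio, frr_pw)},
    }


if __name__ == "__main__":
    FAR_BIO, FRR_BIO = 1e-5, 0.02       # constructed biometric error rates (assumptions)
    FRR_PW = 0.01                        # constructed chance the owner mistypes the passcode
    # Article figures: top-10 PINs unlock 1 in 7 phones; a 10-try wipe limit on a random 4-digit PIN.
    for label, p_pw in (("user-chosen PIN (1 in 7)", 1 / 7),
                        ("random 4-digit PIN, 10 tries", guess_success(10, 10_000))):
        print(label)
        for mode, rates in compare(FAR_BIO, FRR_BIO, p_pw, FRR_PW).items():
            print(f"  {mode:3}: impostor accepted {rates['impostor_accepted']:.2e}, "
                  f"owner rejected {rates['owner_rejected']:.2e}")
```

With the OR combination the impostor-acceptance figure is always at least as large as the weaker factor alone, so the biometric can only add convenience; with the AND combination it is the product of the two, at the price of a higher lockout rate for the legitimate owner. Which of those trade-offs is right depends on whether the fallback is meant to recover from sensor failure or to serve as a second independent gate.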
The choice of which biometric to use is very important. Privacy laws in states like IL and TX demand that biometric identifiers (physical biometrics by definition) require advance written release from subjects and written acknowledgement from vendors on time of use and purpose. These laws are testing the process via class action lawsuits against some very large companies who use faceprints as a way of identifying subjects. Physical biometrics like your fingerprint, iris, face and palm are irreplaceable. If they’re stolen, there’s no new set of hands, new voice or face that you can use. This makes them very risky. Once hacked, gone forever. What value do you place on your body parts? Institutions run a huge liability risk. The answer is to use behavioral-based biometrics that are just as distinguishing and accurate, but non-invasive. Gesture biometrics requires no personal body info that violates your privacy. If hacked, your password is easily revoked and replaced.

A combination of passwords can work better than using biometrics. What if something happens to the person who owns the phone but data is needed by the family? It may not always be possible to use the "what you are" to unlock a phone. Another thought is, by using this extra security, how quickly can the user access the phone, say to make an emergency phone call? All the authentication is not fast and can cause further problems. I am not sure the biometrics are all that solid to use and were thoroughly tested with different conditions, like going through authentication and the battery dies.

Passwords, passwords, passwords. They work best, they simply do. The problem is the lack of adoption by the device user, which stems from a desire to focus on achieving goals with the technology in hand rather than security issues related to the tech. Passwords are often perceived as counterproductive and frustrating to remember, but are much easier to use than multi-factor authentication and more secure than PINs and some forms of biometric authentication.

Just for fun, try a test at howsecureismypassword.net (use https)

Compare your password to this one:


No upper/lower case, no funny characters, just text. How many years will it take to brute-force crack the above compared to your password... assuming yours is complex like "P@ssw0rd!"