Why mobile two-factor authentication is better than biometrics
Two-factor authentication may not be perfect, but nothing is with security, and it is certainly more secure than any single-form factor method, including biometrics.
Teamed with physical security, integrity management, encryption and authorization, authentication is one of the key elements in any good security strategy.
Traditional authentication methods are based on a single element or factor. For example, I can say "my name is Craig." Yes, my name really is Craig, but how does someone know it's true? Because I say so? Obviously enterprise mobile security can't run on the honor system.
Everyday billions of transactions take place based on a single authentication factor -- typically, a password. Because IT often uses authentication to derive encryption keys and so many users work with mobile devices that are easily lost or stolen, one-factor authentication doesn't really make sense. Instead, mobile two-factor authentication is key.
Biometrics authentication uses biological information for authentication purposes. Fingerprint scanners have been in use for decades, and new smartphones such as the Samsung Galaxy Note7 utilize iris scanners. Because each of these factors is unique to a given individual, biometrics should be the perfect authentication factor.
Obviously enterprise mobile security can't run on the honor system.
Unfortunately, it is not. Despite the likelihood that these features differ on an individual basis, and the fact that they are more difficult to duplicate than other factors used in authentication such as passwords, biometrics is still not enough on its own.
It's possible for someone to fake a fingerprint, because people leave fingerprints everywhere. And facial recognition is great until a user grows a beard, shaves or otherwise changes his appearance. DNA would likely be the ideal biometric marker, but DNA scanners are complicated, expensive and time-consuming.
If biometrics isn't perfect, is anything?
Absolute security does not exist, and it likely never will. But two-factor or multifactor authentication, which requires users to identify themselves with something they have, plus something they know -- a physical device plus information stored in their biological memory, for example -- can improve security immensely.
The something the user has could indeed be biometric, or it could be a hardware token such as a personal handset. If the handset serves as a sufficient form of authentication, biometrics isn't necessary. Biometric data could serve as a third or even fourth factor in high-security situations, but it is certainly not required.
IT shops must remember that biometrics authentication systems alone are inadequate as the sole basis for authentication. In fact, every single-factor authentication mechanism is similarly vulnerable. Ideally, vendors will realize two-factor authentication is the minimum, no matter how sophisticated each factor might be. As a result, it is best not to rely on fingerprint scanners alone. The same goes for the iris scanner in the Galaxy 7.
Even with mobile two-factor authentication, bugs, operational errors and new threats appear with alarming regularity. IT must evaluate each element of any security strategy in terms of its effectiveness and potential vulnerabilities. The time is now to make two-factor authentication a priority.
