Do Mobile Biometrics Need More Security?
The following is a guest post submitted to M2SYS.
When it comes to an organization’s information security systems, passwords are possibly the weakest link. This is why many inroads are being made in the field of biometric authentication technologies. Take a look at the rate of website breaches, and you can judge for yourself whether biometrics and mobile biometrics are necessary. Companies can force users to come up with long and complex passwords. Yet many will then write these passwords down somewhere simply because they are difficult to remember. In this regard, biometric authentication can be a foolproof approach, especially on mobile devices, which people increasingly use to access their accounts. Now the question remains: do mobile device biometrics need more security?
How they work
Biometric solutions are used to measure specific characteristics of a person such as fingerprints, handwriting, voice, the face, the iris or retina of the eye, palm print or hand geometry. According to mobilThis, the global payment volume in 2015 was 450 billion U.S. dollars and is expected to pass 1 trillion U.S. dollars in 2019. As a result, mobile biometrics are on the rise. You may have noticed many credit card and banking companies that allow users to approve online purchases through facial recognition. In addition, users can authenticate purchases by using their fingerprints.
Yet the accuracy of facial recognition systems can vary based on camera angles, lighting, sensitivity and more. Fingerprint readers can be affected by temperature, position and other factors. Apple uses the Touch ID system for access. Yet fingerprint scanning isn’t going to obliterate identity theft, since we leave our fingerprints everywhere. In fact, there have been many cases of Apple’s Touch ID being bypassed through scanners and latex. It may be more beneficial to incorporate multi-factor authentication such as voice, fingerprints and maybe a retina scan. This certainly seems a bit much, but how much is it worth to safeguard your identity and accounts? We’re all using apps on our mobile devices. It is imperative to keep all of our information secure.
Concerns over widespread adoption
Sir John Adye headed the government communications agency GCHQ between 1989 and 1996. He currently chairs a company that is developing biometric technology for identity recognition. He is an obvious supporter of biometric technology, but he does have a warning: he wants to know what happens to people’s data when they use it on a mobile device. He said, “If you go to an ATM and put in your credit or debit card, that system is supervised by the bank in some way. But when you’re using your smartphone… there’s no physical supervision of the system. You need to design security methods… which are going to be strong to protect the interests of the individual who is using the phone and the relying party at the other end… the bank or whoever it is, who is providing a service to them.”
Sir John focused on the Apple iPhone 6, saying, “You can now use your iPhone 6 to make payments using biometrics on the internet and you’ve got to tick various boxes before you do so, but how many people are actually going to read through all those boxes properly and understand what they mean when it goes in?” He questions how long Apple’s biometrics system will be effective by asking, “But how long will that last, because the criminals… are very inventive at finding ways in, and although you can protect it in that way on the device itself, what happens if the device is lost or stolen?” In addition, biometrics engineer Ben Fairhead noted, “If for example, you haven’t got much blood flow to your fingers, maybe the system doesn’t think your finger is alive.” Some food for thought when it comes to mobile biometrics.
Japan wants to base everything on fingerprints
Japan has always been an innovator and disrupter in the field of technology. By 2020, the Japanese government wants to have systems in place to let tourists pay for goods and services using a fingerprint. Furthermore, testing is set to begin this summer: before entering the country, tourists will register their fingerprints, passport and credit card information. Currently, there are at least 300 shops and hotels participating, and it is expected that more will join as the system expands. In addition, an organization will collect data to see how and where tourists spend their money. The data collection will be used to manage the country’s tourism industry.
The Japanese government argues that a biometric system makes traveling and shopping more convenient and secure than using cash or credit cards. Yet security writer Bruce Schneier begs to differ. He said, “Biometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. Regularly, hackers have copied the prints of officials from objects they’ve touched, and posted them on the Internet.” The other problem with biometrics is, according to Schneier, “Passwords can be changed, but if someone copies your thumbprint, you’re out of luck. You can’t update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you’re stuck.” You can cancel a stolen credit card; you can’t cancel a stolen fingerprint. What’s next? Finger gloves to protect us from leaving our prints everywhere? Fingerprint swiping cloths?
How to make mobile device biometrics more secure
Since we now see that fingerprint biometrics aren’t the most secure authentication system, it raises the question of what will work to significantly curb cyber crime. It turns out that multi-factor authentication is a much better option. What would happen if the Japanese government’s fingerprint database were hacked? That would be a mess in and of itself.
Perhaps the answer is a fingerprint and a second level of security, such as a password. Then, you can use a fingerprint and maybe even some type of DNA recognition or voice recognition. Cyber criminals will work continuously to figure out the system. The key is to stay ahead. What types of mobile device biometrics do you think are needed to halt identity theft?
This guest post was submitted by Katrina Manning. You can contact her on Twitter @Kcinnaroll.