Employees are increasingly asking about smartphone biometrics. What are the risks posed by mobile biometrics?
Ask the Expert
Got a vexing problem for Michele Chubirka or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Biometrics authentication, aka "something you are," while often seen in movies or TV, still hasn't gained much traction for mainstream security deployments. Sure, you might see iris scanners in secure government installations and data centers, but outside of that, biometrics has been more of a novelty -- a feature included on a laptop that generally never got used. However, biometrics has seen renewed interest with the recent release of the iPhone 5s and iOS 7, in which Apple introduced an integrated fingerprint reader called Touch ID.
Sounds great, right? Why not use smartphone biometrics to authenticate an individual based upon a physical characteristic, something that is guaranteed to be unique to that person? However, even with improvements to biometric technologies, barriers to implementation remain.
One main hurdle has been reliability. Even manual fingerprint analysis has been criticized for containing a level of subjectivity when methods are inappropriately applied. False acceptance rates (FAR) and false rejection rates (FRR) can be high with mass-market biometric fingerprint devices, often due to dirt, oil buildup or scratching on the reader. Then there's the ability to spoof mass-market devices, with photocopied fingerprints or even gummy bears. There are already reports surfacing of unreliability using Touch ID to unlock the iPhone. This could be due to the small size of the sensor, user error or its location on the phone’s home button, potentially making it prone to damage.
Besides the inconvenience to the user due to FRRs and potential breaches to security caused by FARs, Dave Aitel, CEO of security assessment vendor Immunity Inc., believes the greatest barrier to biometrics is the issue of permanent compromise. If your fingerprint becomes "pwned" by an attacker, then it can no longer be trusted, and it's much easier to replace an RSA token than a finger. While it's tempting to use convenient mass-marketed biometric devices like the iPhone's Touch ID, it's probably safer and kinder to your help desk to focus on more dependable devices using a One-Time Password (OTP).
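The FAR/FRR trade-off described above can be made concrete with a small threshold sweep. The following is an added example, not part of the original column: it uses constructed match scores for a hypothetical score-based fingerprint matcher (higher score means closer match; a sample is accepted when its score reaches the threshold), computes the false acceptance and false rejection rates at each threshold, finds the equal error rate, and shows what it costs in FAR to lower the threshold far enough to keep help-desk-generating rejections under a chosen ceiling.

```python
"""FAR/FRR trade-off for a threshold-based biometric matcher.

Constructed example data (not real sensor output): scores run from 0.0
(no similarity) to 1.0 (identical). A sample is accepted when score >= threshold.
"""
from typing import List, Tuple

# Constructed scores. Genuine = the enrolled user's own finger, impostor = someone else's.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.95, 0.81, 0.58, 0.90, 0.67, 0.84, 0.49, 0.93]
IMPOSTOR_SCORES: List[float] = [0.12, 0.35, 0.28, 0.41, 0.55, 0.19, 0.33, 0.62, 0.47, 0.71]


def far(threshold: float, impostor: List[float] = IMPOSTOR_SCORES) -> float:
    """False acceptance rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(threshold: float, genuine: List[float] = GENUINE_SCORES) -> float:
    """False rejection rate: fraction of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def sweep(steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds 0.00, 0.01, ..., 1.00."""
    return [(i / steps, far(i / steps), frr(i / steps)) for i in range(steps + 1)]


def equal_error_rate() -> Tuple[float, float]:
    """Threshold at which FAR and FRR are closest, and the error rate there (EER).

    Ties resolve to the lowest such threshold. Raising the threshold from here
    trades rejections of legitimate users for fewer accepted impostors, and vice versa.
    """
    best_t, best_gap, best_rate = 0.0, float("inf"), 1.0
    for t, a, r in sweep():
        gap = abs(a - r)
        if gap < best_gap:
            best_t, best_gap, best_rate = t, gap, max(a, r)
    return best_t, best_rate


def threshold_for_max_frr(max_frr: float) -> Tuple[float, float]:
    """Highest threshold that keeps FRR <= max_frr, and the FAR that setting buys.

    Models the temptation to loosen a noisy sensor so fewer users are locked out:
    the price shows up directly as a higher false acceptance rate.
    """
    candidates = [(t, a) for t, a, r in sweep() if r <= max_frr]
    return max(candidates, key=lambda c: c[0])


if __name__ == "__main__":
    t, eer = equal_error_rate()
    print(f"EER {eer:.0%} at threshold {t:.2f}")
    for ceiling in (0.1, 0.0):
        t, a = threshold_for_max_frr(ceiling)
        print(f"FRR <= {ceiling:.0%}: threshold {t:.2f} gives FAR {a:.0%}")
```

With the constructed scores the matcher cannot separate the two populations cleanly: the EER sits at 20%, and pushing the threshold down until no legitimate attempt is rejected lets 30% of impostor attempts through. Real products quote far lower rates, but the shape of the trade-off is the same, and it is the reason dirt, scratches and a small sensor (which push genuine scores down) end up loosening security when administrators respond by lowering the threshold.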