Passwords: everyone hates them, but they have become a necessary evil in our digital life. In the end, it’s all about protecting access to data and devices. Mobility presents opportunities and challenges for authentication. One of the biggest opportunities for better authentication on mobile devices is biometrics. Biometric authentication includes fingerprints, iris, voice, etc. and has long been seen as a replacement for passwords.
For years, security experts have lamented passwords and their follies: easy to crack, hard to remember, and a pain to manage. These weaknesses are only perpetuated on mobile devices where smaller touch keyboards can create user rage when trying to type in that long, complex password, just to access the device or the app. Here at LANDESK, we rolled out our recently acquired LetMobile Secure Mobile Gateway internally for secure PIM and one of the most common feedback responses we heard from the employee base was the challenge around authenticating when accessing email. I’ll discuss later how we made this easier through biometrics, but let’s explore various methods for authentication and where biometrics fit in.
There are various options for mobile authentication and all have their benefits and challenges. Authentication methods built into mobile operating systems include:
- Other biometrics
A PIN or short numeric code is one of the most common forms of authentication on mobile devices.
- Pros – easy to remember and enter
- Cons – easy to crack due to short length and low complexity. It is also easy to guess physically from the fingerprint smudges left on the screen. A nice tip here is to repeat a digit (see What’s the Best Way to Prevent Touch Screen Smudge Attacks? for more information).
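Why repeating a digit helps, as an added example that is not part of the original post: the script counts how many PINs are consistent with a given set of smudged keys. It assumes the smudges reveal which keys were touched but not their order or how many times each was pressed; the sample PINs are constructed.

```python
from itertools import product

def candidates(smudged, length):
    """PINs of `length` digits that press every smudged key at least once
    and no other key (assumption: smudges show keys, not order or count)."""
    keys = set(smudged)
    return ["".join(p) for p in product(sorted(keys), repeat=length)
            if set(p) == keys]

def search_space(pin):
    """How many PINs remain plausible given the smudges `pin` leaves."""
    return len(candidates(pin, len(pin)))

def space_by_distinct_keys(length):
    """Search space for each possible number of distinct keys in a PIN."""
    return {k: len(candidates("0123456789"[:k], length))
            for k in range(1, min(length, 10) + 1)}

if __name__ == "__main__":
    for pin in ("1234", "1224", "1122", "1111"):  # constructed sample PINs
        print(pin, search_space(pin))
    print(space_by_distinct_keys(6))
```

For a 4-digit PIN, one repeated digit raises the number of plausible PINs from 24 to 36, while repeating more than one digit shrinks it again. For 6 digits the best case is also exactly one repeat (1800 versus 720 with all digits distinct).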
You know them from your Active Directory account and you hate them due to complexity and length.
- Pros – difficult to crack when the password is long and complex even when trying a smudge attack.
- Cons – hard to remember and painful to enter on mobile touchscreen keyboards, where letters, numbers, and special characters tend to be on separate keyboard screens.
This is most commonly used on Android where one swipes a pattern across a grid of dots.
- Pros – easy to remember and enter
- Cons – patterns are more difficult to guess via a smudge attack, but still possible. There are also technical methods to attack the Android pattern (see How to Crack Android Pattern lock of any Android device for details)
The most common use of this is the iPhone’s Touch ID, which has been available since the iPhone 5s. Usage has accelerated with it being available for device login, App Store authentication, third party extension via iOS 8, and now Apple Pay.
- Pros – allows you to have a very long, complex passcode and overlay it by authenticating with one or more fingers.
- Cons – get your fingers wet or dirty and Touch ID often doesn’t work. No authentication method is foolproof and fingerprint authentication can be physically spoofed, but it isn’t easy (see Why I hacked TouchID (again) and still think it’s awesome for an example).
There are various other biometric methods for authentication, some of which are available as add-ons. Voice is one example where the software identifies a person by their distinct vocal characteristics. Visual authentication is another method that includes iris or facial recognition.
- Pros – biometrics in general are considered a more difficult method to crack as the identifiers are unique to a person.
- Cons – like a dirty finger, false negatives could occur with other biometrics. Finally, biometrics can still be spoofed whether it is fingerprint lifting, cutting off a finger, recording a person’s voice, or removing an eyeball (see Minority Report for the best example here).
As I mentioned earlier, one of the top requests we’ve had for the LetMobile Secure Mobile Gateway was Touch ID authentication, and we recently launched our 2.6.5 version with Touch ID support. I’m pleased to say that the feedback has been overwhelmingly positive. This is just one example where mobile biometrics is a great way to solve both a business security and end user experience problem. I expect biometrics on mobile devices to be more common as they can solve this challenge between security and user experience.