Biometric Authentication is Coming. But is it Enough?

Gautam Hazari, Technical Director, Personal Data, GSMA

The Internet of Things (IoT) will transform a great many facets of daily life. One casualty of this coming change which tends to go unnoticed, however, will be the traditional username-and-password method of online authentication. The advent of the IoT will quickly render that present norm outdated.

The coming proliferation of new connection points, and consequent multiplicity of new security checks, will leave that solution cumbersome; there simply will be too many logins for anyone to remember a username and password for each. A natural replacement is already stepping into the breach: biometric authentication, whereby users verify their identity by presenting a part of their own body such as a fingerprint.

Few can now doubt that biometric authentication is set to expand vastly over the next decade. By 2020, for example, the number of biometric smartphones is expected to increase tenfold to two billion.

Market research shows that consumers anticipate the added convenience biometric solutions can offer in transactions, and want to see their adoption. According to a survey conducted by Visa, more than two thirds of Europeans are interested in using biometric authentication while making payments. The evidence also confirms, however, that consumers do not wholly trust the security credentials of biometric authentication, and prefer to see it integrated with other security measures rather than used as a standalone method of verification.

These are not merely cautious instincts over a nascent technology. Reservations over the safety of biometric authentication are well-founded. At a glance the technology may seem foolproof, resting on such unique and complex personal identifiers as an iris.

However, biometric credentials are not secret. Hackers are already devising ways of obtaining and replicating the information from different sources. For example, fingerprints can be obtained in various ways, and unlike usernames and passwords, when that information is stolen it cannot be changed.

Once the security of biometric data is compromised, it stays compromised; it cannot therefore be relied upon on its own. The security of biometric data can be improved by using it in tokenised form but, as David Emm, principal security researcher at IT security company Kaspersky, puts it, the future of security is in “combining more than one item from something you know, something you have and something you are to verify your identity.”

It is therefore imperative that the sector provide consumers with what they demand: an additional means of authentication to allay security concerns over biometrics, but without the added inconvenience of usernames and passwords.

Mobile Connect does precisely that, using possession of the mobile device as the first factor and then allowing users to verify their identity biometrically as a second factor. Users need no longer concern themselves with details to remember, nor with the potential for stolen data to compromise their accounts. These technologies should not be seen as competitors for the same market; they are natural and effective collaborators in the security landscape of the near future.