Eye scanners, facial recognition systems and fingerprint readers on mobile devices have been featured in Hollywood’s action-packed spy thrillers and sci-fi movies for years—portraying these devices as hack-proof and the future of security, identity and true authentication.
Now, thanks to companies like Apple, Samsung and NTT DOCOMO (which uses Qualcomm’s Snapdragon Sense ID), biometric authentication in mobile devices is becoming a reality, and the number of mobile manufacturers installing biometric authentication in devices as a means of security continues to surge. In fact, according to a recent report, the worldwide mobile biometrics market will reach $3.5 billion by 2024, growing from a base of $259 million in 2015.
But, is the technology installed in these devices actually secure and safe for consumers?
Biometrics is the Future of Identity
There’s no doubt that biometric security has significant advantages over all other forms of identification, authentication and verification, which is why so many mobile device manufacturers are jumping on the “biometric bandwagon.” It’s fast and easy to use, and unlike a login or password, which requires memorization and is easily replicable, an individual’s fingerprints, irises, facial constructs and other biological traits should be impossible to duplicate.
But what happens if a person were to lose his or her phone? There’s a chance it could fall into the wrong hands, and if there were any flaws with the technology in the device, the attacker could easily access information.
This is certainly an issue for concern, but the root of the problem isn’t simple human error; it’s the lack of sustainable infrastructure installed on these devices. Under the current protocols, the biometric vectors are stored on devices. This sounds pretty straightforward, but how secure are the biometrics? Can they be kept out of the hands of hackers? After all, threats to data are everywhere. Many consumers believe that because their mobile phone is physically in their hands, the data inside is safe. On the contrary, thieves can install malware on a mobile phone without direct contact. Data breaches have similarly been achieved through email, apps and the interception of a Wi-Fi connection.
Think about it: because the future of identity is biometrics, there’s no doubt that the future of identity theft will involve compromising biometrics, and attackers are already working on finding a way around these systems. If a data breach already costs a company billions of dollars and damages its reputation, consider the consequences if, and when, complex biometric data is compromised. Remediation will be much more difficult: unless people are willing to undergo dramatic surgery, they cannot change their fingerprints or faces the way they can change compromised passwords or logins.
An additional major security concern for all biometric authentication mobile solutions is the “virtualization threat.” This is when a hacker takes an app that uses biometric authentication and clones it, essentially creating a copy they can then change at will. This allows the attacker to repackage the app and install it on the intended victim’s phone, gaining full access to the victim’s accounts once the victim has authenticated, without the user even knowing.
Standards and Infrastructure Matter
One of the biggest challenges with biometric technology on mobile devices, as it has been for every emerging technology in the past, is to adopt a standards-based protocol for communication and the handling of secure data. Such a protocol also has to ensure that only authorized users can perform functions. Without proper standardization in place to clearly secure and authenticate someone’s identity in a comprehensive manner, information is left open to attack.
The good news is that, for biometrics, the Institute of Electrical and Electronics Engineers (IEEE) has created the Biometric Open Protocol Standard (BOPS), also called 2410. With this protocol, the biometric vectors are not stored on the device. This means that if your phone is lost or stolen, whoever has it would not have access to your biometrics (as they would under the current protocols). BOPS also provides a stronger level of verification and a critical improvement in the overall security infrastructure to minimize risk and prevent unauthorized access and control.
In the coming years, biometrics will be the leading security metric for mobile devices, but a single ultra-hack could derail this progression permanently. Today’s consumers are at the mercy of the device they programmed their biometrics into. It’s up to manufacturers to recognize the importance of protecting biometric data and the need to build a secure, sustainable infrastructure on wireless devices, as this is a vital step for protecting their assets in the future.
Hector Hoyos is the founder and CEO at Hoyos Labs, one of the leading innovative biometrics, authentication and identification technology companies. He’s been in the biometrics and IT fields since the mid-1980s as the founder and president of various cutting-edge companies.