Mobile Biometrics: The Next Phase of Enterprise Authentication?

Smartphones and tablets equipped with fingerprint readers or other biometric hardware have the potential to drive greater adoption of biometric authentication in the enterprise—if we can get the hardware, software and business processes right.

December 11, 2012


Smartphones and tablets have the potential to become powerful platforms for enterprise authentication. By combining biometric capabilities such as a fingerprint reader or voice recognition software with mobile devices that users carry with them all the time, enterprises may be able to roll out two-factor authentication as part of an identity and access management (IAM) infrastructure.

While mobile biometrics are still a work in progress, there are multiple potential uses within the enterprise, including granting access to locked-down "containers" of enterprise data or applications stored on the device, requiring on-device biometric scans to authenticate the user to the enterprise network and applications, and possibly even granting physical access to buildings and rooms.

These are intriguing use cases, but significant work still has to be done to make them a reality. Given the current capabilities of most mobile device hardware today, touch-based biometric inputs like fingerprint recognition will require new hardware to offer enterprise-class fingerprint recognition, says Troy Potter, VP of identity solutions for Unisys.

At the moment, very few phones on the market have biometrics hardware built into the device. They do exist, however: the Motorola ATRIX includes a fingerprint reader that unlocks the phone for an authorized user.

But existing hardware such as the microphone and the camera could be used by special software that taps into these capabilities.

"There are so many potential inputs--capacitive screens, microphones, cameras, accelerometers, you name it," says Beau Woods, founder of Stratigos Security, a security consultancy based in Atlanta. "And [these devices] have enough processing power to do more advanced pattern matching, too."

Unisys's Potter agrees. "I think where it's actually good is in facial recognition or voice recognition," he says, "where it's already built into the phone itself as far as being able to take high res photos or record audio."

Tying that hardware capability into a meaningful scanning system that can recognize facial or voice characteristics and use them to authenticate may well be within the reach of existing devices. This fall a San Jose, Calif.-based company called EyeVerify introduced an "eyeprint" product meant to verify user identities based on unique eye vein patterns. The software product takes advantage of the existing camera on mobile devices to perform the scan.

There are also indications that major players may be getting in on the act. This summer, Apple spent $356 million to acquire biometrics hardware manufacturer AuthenTec, a purchase that some pundits speculated was for potential addition of AuthenTec fingerprint readers to iPhones and iPads. Just prior to the acquisition, AuthenTec inked a deal with Samsung to build fingerprint readers into an upcoming generation of its Android smartphones. It's still unclear what the acquisition means for this deal, but it's evident from AuthenTec's activities that built-in biometrics hardware may be on the not-so-distant horizon.

But simply introducing nifty biometrics mechanisms on mobile devices is only one part of the equation. Software and business processes also need to be in place before mobile biometrics can offer the assurance required for wide-scale enterprise adoption. Some security pros remain wary.

"Biometrics on mobile devices will be a non-starter due to the mismatch between the cost and capabilities of consumer-grade hardware for biometrics and the needs for security and reliability for enterprises," says Phil Lieberman, president of Lieberman Software. "The management of biometric data is a nightmare due to lack of standardization as well as the secure storage and secure retrieval/verification in a mobile setting."

But Darren Platt, CTO of Symplified, an identity management provider, says that it all depends on the use case and the specific asset being accessed by a device.

"There are certain scenarios that require a high degree of assurance and will therefore never be able to leverage BYOD because of concerns about the integrity of unmanaged client devices," he says. "There are, however, many other scenarios that will." The real key will be in how well consumer device providers enable federated authentication protocols like SAML or OAuth.

"Done right, this will allow carriers to provide authentication to apps and services provided by third parties," he says.

Should these kinks be ironed out, it's up to enterprises to figure out how to use these built-in capabilities within their IT infrastructure. The use cases are there, says Shivesh Vishwanathan, senior mobility solutions architect at Persistent Systems, a mobile ad-hoc networking company that works in the government space. The most obvious use of built-in biometrics capability would be to require the user to unlock the screen and also to access sensitive data contained within the device, and within network resources accessed by the device.

"Users play different roles in different settings, and we can expect to see that users will want their mobile devices to represent their different identities in a cleanly separated manner," says Vishwanathan. "Biometrics will become a key way to validate these identities."

For example, he says, in a BYOD situation, companies may segregate their enterprise environment and data on a personal device in a separate on-device container that can only be accessed through something like a fingerprint swipe.

But the potential for mobile biometrics in the enterprise reaches beyond providing a way to authenticate on-device security. It could end up being a tool that addresses the pesky issue of insecure passwords safeguarding extremely sensitive transactions or network resources. While organizations can use tokens such as RSA's SecurID to provide a second factor for authentication, tokens are sometimes criticized for their inconvenience. If a user is already carrying a phone or tablet, it makes sense to leverage that device.

Once phones come equipped with biometrics capabilities, the additional assurance comes from the user's unique body properties. Even if the crook stole the device and the password, they wouldn't be able to provide the user's fingerprint or retina pattern to log in to a mobile app or network resource.
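The claim above is a two-factor argument: possession of the device plus the user's own biometric, on top of the password. The following model, added here as an illustration and not code from the article or from any vendor it names, makes that argument concrete. It assumes a device-bound secret key registered at enrolment, a server that issues a single-use nonce and checks an HMAC over it, and an on-device matcher modelled as an exact comparison against a constructed template (a real matcher compares feature vectors within a tolerance). The device releases a signature over the nonce only after the local biometric check passes, so a stolen password alone, a stolen device plus password with the wrong finger, and a replayed response all fail.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for enrolled biometric templates. A real matcher
# compares feature vectors with a tolerance; here a byte string suffices.
ALICE_TEMPLATE = b"constructed-template-alice"
THIEF_TEMPLATE = b"constructed-template-thief"

PBKDF2_ROUNDS = 100_000


class Device:
    """Phone holding a device-bound key that is released only after a local biometric match."""

    def __init__(self, device_key: bytes, enrolled_template: bytes):
        self._key = device_key
        self._template = enrolled_template

    def local_biometric_match(self, presented: bytes) -> bool:
        # Assumption: the on-device matcher is modelled as an exact, constant-time comparison.
        return hmac.compare_digest(self._template, presented)

    def respond(self, nonce: bytes, presented: bytes):
        """Sign the server's nonce if the biometric check passes; otherwise release nothing."""
        if not self.local_biometric_match(presented):
            return None
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class AuthServer:
    """Enterprise side: knowledge factor (password) plus possession factor (device key)."""

    def __init__(self):
        self._pw = {}       # user -> (salt, PBKDF2 hash)
        self._devkeys = {}  # user -> device key registered at enrolment
        self._pending = {}  # user -> outstanding single-use nonce

    def enroll(self, user: str, password: str, device_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._pw[user] = (salt, digest)
        self._devkeys[user] = device_key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, password: str, response) -> bool:
        nonce = self._pending.pop(user, None)  # consumed whether or not the attempt succeeds
        if nonce is None or user not in self._pw or response is None:
            return False
        salt, stored = self._pw[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        pw_ok = hmac.compare_digest(stored, candidate)
        expected = hmac.new(self._devkeys[user], nonce, hashlib.sha256).digest()
        dev_ok = hmac.compare_digest(expected, response)
        return pw_ok and dev_ok


def run_scenarios() -> dict:
    """Exercise the cases discussed in the article; returns scenario -> login succeeded."""
    server = AuthServer()
    key = secrets.token_bytes(32)
    phone = Device(key, ALICE_TEMPLATE)
    server.enroll("alice", "correct horse", key)
    results = {}

    # 1. Legitimate user: right password, her own phone, her own fingerprint.
    nonce = server.challenge("alice")
    good_response = phone.respond(nonce, ALICE_TEMPLATE)
    results["legitimate"] = server.verify("alice", "correct horse", good_response)

    # 2. The same response submitted again: the nonce was single-use.
    results["replayed_response"] = server.verify("alice", "correct horse", good_response)

    # 3. Password leaked but no device: nothing can sign the nonce.
    server.challenge("alice")
    results["password_only"] = server.verify("alice", "correct horse", None)

    # 4. Device and password stolen, but the thief's finger does not match.
    nonce = server.challenge("alice")
    results["stolen_device_and_password"] = server.verify(
        "alice", "correct horse", phone.respond(nonce, THIEF_TEMPLATE))

    # 5. Device and matching biometric, but the wrong password.
    nonce = server.challenge("alice")
    results["device_wrong_password"] = server.verify(
        "alice", "wrong", phone.respond(nonce, ALICE_TEMPLATE))
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

Only the first scenario is accepted. The point worth noting for a deployment is that the biometric never leaves the device and is never sent to the server; it gates release of the device key locally, which is also what keeps the template out of the "secure storage and retrieval" problem Lieberman raises above.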

Mobile biometrics could potentially even be blended into a federated identity scheme that would control physical access to buildings, says Justin Strong, senior global product marketing manager for Novell.

"On a mobile device, this could probably extend well past simply authenticating access to one's email or other information on the device itself, and evolve into a commonly accepted method for authenticating access to other things as well," says Strong. "Imagine using your smartphone to authenticate who you are, then open the door to your office."

Biometrics has long been hailed as a promising second factor of authentication in addition to username and password. But its adoption has largely been held back by the cost of biometric hardware. If that hardware comes integrated with popular mobile devices, biometric authentication may become commonplace.
