Mobile biometric authentication systems such as Apple’s Touch ID and Android’s fingerprint solutions have brought biometrics to the mainstream. They provide convenient access to smartphones and mobile apps, but can a service provider who is leveraging the built-in biometric capabilities really know whose finger has been enrolled? Organizations that trust self-enrolled biometric data could be putting themselves at risk. It’s time to explore alternative trust models that can increase levels of assurance.
May I Borrow Your Phone?
Most mobile biometric solutions will enroll any finger presented by whoever controls the device. Apple’s Touch ID, and the Android equivalents, recognize an enrolled fingerprint and then allow it to be used in a number of authentication scenarios, for instance to unlock a smartphone or to access banking services via an enabled mobile app. Enrollment is gated by the device passcode alone: anyone who knows it can enroll further fingerprints.
In most situations this isn’t a problem, because we rarely lose control or sight of our beloved smartphones. However, in a family, a shared house, or a student dormitory, we do hand our phones to family members and friends, and this is where the ‘casual’ enrollment process creates problems. There is no binding between the person presenting a finger and the digital identity or credential that the device asserts to a service. Anyone who knows the passcode can enroll several fingerprints, from several different people, and the service sees every one of them as the same credential.
What does this mean for service providers and developers wanting to leverage the built-in biometric capability of most high-end smartphones? If you are creating a mobile app that uses Touch ID to authorize access to a service, you do not know how many people have enrolled their fingerprints on the device, or whose they are. What level of assurance does a financial institution have that the person presenting a finger is really the authorized account holder? In reality, very little. This is why, in many circumstances, a bank will not allow a customer to perform actions considered “high risk” via the mobile app.
In this trust model do we really have any greater security than passcodes or PINs? If a family member gives me their ATM PIN so that I can withdraw cash for them (they may be old or ill), the trust model is broken: the issuing bank has no control over who is actually withdrawing cash at the ATM. Casual biometric enrollment creates the same problem. The device will verify the finger, but the bank cannot tell whose finger it was.
We Need to Increase Levels of Assurance
This is a real issue, and it is causing many service providers to question whether the enrollment process seen on consumer mobile biometric systems is adequate for them. Organizations, financial institutions in particular, are investigating enhanced biometric solutions and enrollment processes that improve the trust model, so that they have a greater level of assurance that it is an authorized user presenting their biometric on the smartphone.
The National Institute of Standards and Technology’s (NIST) SP 800-63-2 Electronic Authentication Guideline has historically been used to provide a framework for organizations when measuring the levels of assurance in authentication and identity solutions. These guidelines are currently being reviewed by NIST in response to the seismic changes seen in authentication. The question of how to provide identity assurance without slowing down the process of user enrollment and onboarding has been a difficult problem to solve.
You do not really want a process that means that you have to present your passport or driver’s license in a physical office or bank branch every time that you create a new digital identity. Conversely, you need some process that ensures that you are adequately bound to your digital credential.
By addressing enrollment from a user-convenience standpoint alone, we risk creating a security issue; reversing the priority makes the process burdensome for everyone involved. One way to address this is to connect the enrollment process to a back-end server through an end-to-end identity framework. This allows the enrollment flow to be customized for user convenience while linking it directly to the enterprise databases that confirm identity, so that the credential issued to the device is bound to a verified person rather than to whichever fingers happen to be enrolled. Companies can then map their authentication to the four levels of assurance outlined by NIST and reduce user privacy risk while providing an easy-to-use authentication strategy for their employees.
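The two failure modes described above (the second finger that silently inherits the account, and the back-end that cannot tell whose finger it verified) can be made concrete with a small model. The following is an added example written for this page, not code from the original article or from any platform vendor. The `Device` and `Server` classes are constructed stand-ins: the device keeps a hash of its enrollment set in place of the platform's real enrollment-state value (on iOS that is `LAContext.evaluatedPolicyDomainState`, and keys created with `kSecAccessControlBiometryCurrentSet` are invalidated when it changes; Android offers `KeyGenParameterSpec.Builder.setInvalidatedByBiometricEnrollment`), and the server holds the key secret directly instead of a public key so the example runs offline. The finger names, passcode and action labels are invented sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed action labels for the two risk tiers the article mentions.
LOW_RISK = "view_balance"
HIGH_RISK = "wire_transfer"


@dataclass
class Device:
    """Toy phone: a passcode, an enrollment set, and keys optionally bound to that set."""
    passcode: str
    enrolled: set = field(default_factory=set)
    keys: dict = field(default_factory=dict)  # key_id -> (secret, bound_state or None)

    def domain_state(self) -> bytes:
        # Stand-in for the platform's enrollment-state value: any change to the
        # set of enrolled fingers changes this digest.
        return hashlib.sha256("|".join(sorted(self.enrolled)).encode()).digest()

    def enroll(self, passcode: str, finger: str) -> None:
        # The article's point: the passcode is the only thing gating enrollment.
        if not hmac.compare_digest(passcode.encode(), self.passcode.encode()):
            raise PermissionError("wrong passcode")
        self.enrolled.add(finger)

    def create_key(self, bound_to_current_set: bool) -> str:
        key_id = secrets.token_hex(8)
        bound = self.domain_state() if bound_to_current_set else None
        self.keys[key_id] = (secrets.token_bytes(32), bound)
        return key_id

    def sign(self, key_id: str, finger: str, challenge: bytes) -> bytes:
        # Any enrolled finger unlocks the key; the device cannot tell whose it is.
        if finger not in self.enrolled:
            raise PermissionError("finger not enrolled")
        secret, bound = self.keys[key_id]
        if bound is not None and bound != self.domain_state():
            # Models "invalidate on enrollment change": the key dies with the old set.
            raise PermissionError("key invalidated: enrollment set changed")
        return hmac.new(secret, challenge, hashlib.sha256).digest()


class Server:
    """Relying party: verifies assertions and records how the key was enrolled."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def register(self, key_id: str, secret: bytes, identity_verified: bool) -> None:
        # identity_verified is True only when the key was issued through a
        # back-end identity check, not by self-enrollment on the device.
        self.accounts[key_id] = {"secret": secret, "verified": identity_verified}

    def authorize(self, key_id: str, action: str, challenge: bytes, sig: bytes) -> str:
        acct = self.accounts[key_id]
        expected = hmac.new(acct["secret"], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "denied"
        if action == HIGH_RISK and not acct["verified"]:
            return "step-up required"
        return "allowed"


def self_enrolled_scenario() -> tuple:
    """Casual enrollment: a second finger inherits Alice's credential unnoticed."""
    dev, srv = Device(passcode="1234"), Server()
    dev.enroll("1234", "alice-right-index")
    key = dev.create_key(bound_to_current_set=False)
    srv.register(key, dev.keys[key][0], identity_verified=False)
    dev.enroll("1234", "bob-right-thumb")  # Bob knows the passcode
    challenge = secrets.token_bytes(16)
    sig = dev.sign(key, "bob-right-thumb", challenge)  # verifies fine
    return (srv.authorize(key, LOW_RISK, challenge, sig),
            srv.authorize(key, HIGH_RISK, challenge, sig))


def bound_scenario() -> tuple:
    """Key issued after a verified enrollment and bound to that enrollment set."""
    dev, srv = Device(passcode="1234"), Server()
    dev.enroll("1234", "alice-right-index")
    key = dev.create_key(bound_to_current_set=True)
    srv.register(key, dev.keys[key][0], identity_verified=True)
    challenge = secrets.token_bytes(16)
    before = srv.authorize(key, HIGH_RISK, challenge,
                           dev.sign(key, "alice-right-index", challenge))
    dev.enroll("1234", "bob-right-thumb")  # enrollment set changes
    try:
        dev.sign(key, "bob-right-thumb", challenge)
        after = "signed"
    except PermissionError as exc:
        after = str(exc)  # Alice's key is gone too; she must re-enroll via the back-end
    return before, after


if __name__ == "__main__":
    print(self_enrolled_scenario())  # ('allowed', 'step-up required')
    print(bound_scenario())          # ('allowed', 'key invalidated: enrollment set changed')
```

The first scenario is the article's problem in miniature: Bob's assertion is cryptographically valid, so the most the server can do is refuse high-risk actions for any credential that was self-enrolled. The second scenario shows the two ingredients the back-end approach needs: a record, made at a verified enrollment, of which credential belongs to which person, and a key that stops working the moment the device's enrollment set changes, forcing a fresh, identity-checked enrollment rather than a silent inheritance of the account.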