Announcements by Samsung and Apple that they are offering developer access to fingerprint biometrics as a form of identification and authentication have received a lot of media attention. Using your fingerprint or voice as a means of identification is a pretty cool idea. You always have these personal attributes with you and the technology conveniently eliminates a number of keystrokes, which is particularly welcome on the mobile. There’s little wonder its popularity is spreading fast.

Entersekt has been following these developments and debating their relevance to secure, out-of-band authentication and our product line, believing that careful examination of the technology’s strengths and weaknesses is necessary before jumping on the bandwagon.

Typical implementations

Let’s look at the approach industry leaders Samsung and Apple are taking. Here is how typical implementations of phone-based biometrics work:

  • The dominant model, and the only one endorsed by the FIDO Alliance, requires users to self-enroll biometric information, like a fingerprint, using their mobile device. Crucially, this data never leaves the phone. (This model is generally referred to as private biometrics. It addresses many of the privacy concerns and security risks that arise from the central storage of bulk biometric data by enterprises and governments.)
  • Since biometric data is not shared, its use is confined to user-to-device authentication – in other words, to proving that the user who input their biometric data on the device is currently operating it.
  • A big advantage to biometrics in user-to-device authentication is that it improves the user experience by reducing manual input of information, such as user names and passwords. This will be particularly welcome to mobile users.

Some limitations

Biometrics has a number of shortcomings – none of which necessarily invalidate it as a digital security tool. It is fair to point out, however, that biometrics can place enterprises and users at risk if improperly deployed as the sole means of user identification and transaction authentication.

These are some of the issues with today’s biometric technology:

  • The fact that biometric data is not shared by the mobile device means the identity of the user cannot be guaranteed. Unable to access and match the data to its own records, the enterprise cannot definitively know that the user is the legitimate party in any communication. All it can determine is that an individual who registered their fingerprint on a particular device has just scanned it successfully.
  • Fingerprints and iris scans can be captured without much difficulty and replicated by fraudsters, as both Samsung and Apple have already experienced.
  • Once compromised, biometric data cannot be changed or reset (while, of course, passwords and digital certificates can be). Providers can then fall back on only a very limited number of human biometric factors (voice, iris, fingerprint).

The bottom line

Entersekt has recently added support for fingerprint biometrics on both Samsung and iPhone devices to our out-of-band authentication solution, but we believe that it should only be implemented as one part of a layered security system.

Deployed in conjunction with strong security – PKI, mutual digital certificates and encrypted messaging – fingerprints and other biometrics can be a significant additional tool in our efforts to deter account takeover activity with user-friendly, out-of-band authentication. With this goal in mind, Entersekt supports biometrics to:

  • Replace user ID/password
  • Act as an additional data point (like PKI, GPS, etc.) in out-of-band authentication

To guarantee that both the user and enterprise are legitimate and that their communications are those that they intended, the device itself must be uniquely identified with a digital certificate, just as the enterprise is. In this way, the mobile device acts as a trusted second factor of authentication.
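As an added illustration (not Entersekt's code), here is a minimal Go model of the layered pattern described above: the fingerprint check only unlocks a key that never leaves the phone, and what the enterprise actually verifies is a signature by the enrolled device over the exact transaction for which it issued a fresh challenge. It assumes an ECDSA P-256 key standing in for a full X.509 device certificate and a boolean standing in for the phone's own fingerprint scan.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device is an enrolled phone: fingerprint template and private key both stay on it.
type Device struct {
	priv           *ecdsa.PrivateKey
	BiometricMatch bool // result of the phone's own local scan (assumption: a boolean)
}

// Server holds only each enrolled device's public key, never any biometric data.
type Server struct{ devices map[string]*ecdsa.PublicKey }

func NewServer() *Server { return &Server{devices: map[string]*ecdsa.PublicKey{}} }

// Enroll generates the device key pair and registers only its public half.
func (s *Server) Enroll(id string) *Device {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	s.devices[id] = &priv.PublicKey
	return &Device{priv: priv, BiometricMatch: true}
}

// Challenge issues a fresh random nonce for one transaction.
func (s *Server) Challenge() (c [32]byte) { rand.Read(c[:]); return }

// digest binds the nonce to the exact transaction shown to the user.
func digest(c [32]byte, amount uint64, payee string) []byte {
	h := sha256.New()
	h.Write(c[:])
	fmt.Fprintf(h, "%d\x00%s", amount, payee) // NUL separator keeps the two fields unambiguous
	return h.Sum(nil)
}

// Approve signs only if the local scan passed; nothing biometric is ever sent.
func (d *Device) Approve(c [32]byte, amount uint64, payee string) (sig []byte) {
	if d.BiometricMatch {
		sig, _ = ecdsa.SignASN1(rand.Reader, d.priv, digest(c, amount, payee))
	}
	return sig
}

// Verify proves that the enrolled device signed this exact transaction, not who was holding it.
func (s *Server) Verify(id string, c [32]byte, amount uint64, payee string, sig []byte) bool {
	pub, ok := s.devices[id]
	return ok && sig != nil && ecdsa.VerifyASN1(pub, digest(c, amount, payee), sig)
}
```

A genuine approval verifies, while a changed amount, a signature made over a different challenge, an unenrolled device ID or a failed scan all fail. A production deployment would additionally record each issued challenge so that it can be accepted only once.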

Christiaan Brand

FORMER CTO

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.