A lot of people are excited about the future that biometrics promises. Massive claims are made daily about the technology, especially as it applies to mobile. It’s easy to get caught up in the excitement and see biometrics as a solution to all the problems we currently face. But will deploying fingerprint readers to mobile devices really free us all from digital fraud?

Not exactly. I really like the convenience of my iPhone’s fingerprint reader and use it every time I open my phone. That said, I’ll only use it as one part of a well-crafted personal security strategy. Here’s why.

These days, an effective digital security strategy must combine three key factors:

  • Something you know: A password, PIN, your mother’s maiden name or favorite color, even a secret handshake
  • Something you have: Your front door key, debit or credit card, mobile phone, or USB token
  • Something you are: Biometric data, like your fingerprint, retina scan, or voice

When Tom Cruise wanted to break into CIA headquarters in Mission Impossible, he needed to bypass all three of these factors. They are not all equally effective, but they do complement each other very well. You may not realize that your password has been phished, exposing you to fraud, but you are very likely to notice that your mobile phone has vanished. With all three security factors in place, an attacker would not only have to trick you into providing your password through a phishing attack, but would also have to be physically present to steal your phone. Even then, they will need to act before you realize your phone is gone.

There are a number of issues with biometrics that limit its general use. We leave copies of our biometric information everywhere. Our DNA and fingerprints are left in hotel rooms, on coffee cups, on our iPhone screens. Our pictures litter social media. In most cases, we are quite comfortable submitting this data when asked: when joining a new company; for access control; when we apply for passports and national ID documents; when we travel to new countries; and, of course, when we set up our new iPhone’s fingerprint sensors.

Once high-quality copies of your biometric data, of which you have only a limited supply, are captured, your digital security comes down to the sophistication of the biometrics reader – whether it is of sufficient quality to spot a fake copy. Late last year, the limitations of biometrics were highlighted when the German defense minister’s fingerprints were copied by using high-definition photographs of her hands.

The hacker responsible for this stunt is the same man who tricked Apple’s fingerprint reader within 24 hours of the release of the iPhone 5S. A short while later, the feature was bypassed by the Chaos Computer Club using everyday household items. If you’re looking for a fun weekend project, why not follow suit and set about tricking your phone’s biometric reader?

Even if biometrics does not present a silver bullet for identity validation in the consumer space, it does bring with it significant convenience, replacing the need to manually input a password. A lot of people are now locking their phones for the first time precisely because of this.

The biometric sweet spot for me is when you use this information as just another factor in your current standard security posture – a third element complementing something you know and something you have. Biometrics used in tandem with other forms of user authentication will help create a more secure digital world. That’s something I get excited about.

Note: Entersekt’s CTO, Christiaan Brand, first wrote about biometrics in October, also recommending a balanced approach.


Gerhard Oosthuizen

CTO
