everythingpossible - Fotolia


Dangers of biometric authentication for mobile devices

Biometric authentication for mobile devices is touted for simplicity and security, but IT should be wary of particular biometric vulnerabilities and user privacy concerns.

Many experts believe biometric authentication is the most convenient and secure authentication option, but IT professionals must be wary of certain flaws.

The advantages of biometric authentication are intuitive and somewhat obvious:

  • Users don't have to remember passwords.
  • Devices validate the user's identity with a simple gesture, such as placing a finger on a scanner.
  • And it is extremely difficult for hackers to access biometric factors.

Biometric authentication for mobile devices makes it even more difficult for hackers to access these factors, because the biometric data is only stored locally.

Considering these benefits, biometric authentication for mobile devices sounds like an excellent approach for any organization to take, but it may leave an organization and its users susceptible to unique threats.

Mobile biometrics face privacy risks and vulnerabilities

If a password is stolen or compromised, the user can simply change it. But the same user cannot change a compromised fingerprint or iris. Even if users' fingerprints aren't compromised, biometric thievery can take other forms.

Forcing employees to use biometric authentication might raise privacy and legal concerns.

If a malicious actor lifts a clear impression of a user's fingerprints from a glass, a doorknob or even a phone, the hacker would be able to create a prosthetic fingerprint that he or she could then use to spoof the device's sensor. Cybercriminals could possibly piece together a credible facial image that could fool a mobile device, perhaps using photos freely available through social media or other sources. Executives and other users with access to critical financial information and trade secrets may be worthwhile targets for these resource-intensive attacks.

Mobile devices that rely on fingerprint authentication might also be at risk from hacking attempts that use master fingerprints. Researchers have demonstrated that they can generate master fingerprints from numerous sample prints and use those master prints to access different devices.

Spoofing and hacking aren't the only challenges that come with biometric authentication for mobile devices. Biometric technologies rely on immutable physical features that will not change for as long as they're needed. However, injuries, illnesses, weight loss, plastic surgery or other events that change physical characteristics can potentially disrupt the authentication process, making it more difficult for users to access their own devices. Even a paper cut on a user's finger could be enough to deny him or her access to a mobile device.

Legal challenges to biometrics

Both Android and iOS devices go a long way in protecting biometric data, and some experts believe the benefits of mobile biometrics far outweigh the risks. Some users may still be reluctant to trust those devices with their biometric data, which could create a tricky situation for organizations that want to employ biometric authentication for mobile devices.

Forcing employees to use biometric authentication might raise privacy and legal concerns. In fact, there is already litigation around forced biometrics in the enterprise. The focus of current legal concerns is related to other forms of biometrics, such as employee time clocks, but these issues could easily spill over to mobile devices.

The trajectory of enterprise mobility is moving at lightning speed toward a greater reliance on biometrics. And until a better alternative comes along, that's not likely to change anytime soon. Organizations will have to anticipate user pushback and biometric attack vectors to ensure effective mobility management.

Part one of this two-part series discusses the inherent advantages and subtle vulnerabilities that IT must prepare for with biometric authentication on mobile devices.

Dig Deeper on Mobile security

Unified Communications