Securing mobile devices and mobile applications is a nuisance. Security best practices dictate using an authentication method to log in and open the device, and logging off every app after each use. Best practices, however, are inconvenient, especially when they mean remembering unique passwords for dozens of applications. Biometrics are a better option, but can still be bothersome; the technology is just catching up to accurate facial recognition for users wearing a face mask.
The solution to better security for devices and applications may still be found in biometrics, but it must be in contextual and behavioral biometrics.
Contextual and behavioral biometrics take into consideration other environmental and context signals, explained John Whaley, founder and CEO of UnifyID. They might use additional sensor readings, such as motion sensors from a smartphone, to uniquely identify and authenticate a person based on their unique behaviors — the way they move and walk, for instance. Or, the solutions could focus on user habits, knowing where and when users tend to connect.
Why Passwords Have Become a Poor Application Security Option
It’s going to be a long time before passwords completely disappear; they’ve become an integral part of our online culture. But it is time to admit that they’ve become antiquated as an authentication option.
“The whole notion of the password is this: I have a secret, and I tell you that secret to prove it is me,” said Whaley during an email interview. “This does not scale to dozens or hundreds of services.”
The problems with password security and behaviors have been well noted over the years – password reuse, ease of theft, etc. – but Whaley pointed out they are an especially poor option for application security.
“Even if you do everything perfectly, a service you use may get hacked and their password database exposed, unbeknownst to you,” he said. “The problem is even worse on mobile platforms, where, with the small keyboard, it is difficult to type in a strong password, and more challenging to use copy-paste with tools like password managers.”
“Traditional” Biometrics Are Better, But Still Problematic
For most users, biometrics usually mean a fingerprint or facial recognition; maybe even voice recognition or retinal scans. These biometrics work very well, as long as the surrounding environment is consistent. Fingerprint recognition won’t work with wet fingers or with gloved hands, for example.
“We have seen particular challenges to these types of biometrics in the last 12 months,” said Whaley. “In a world where everyone is using masks and gloves, traditional biometrics do not work as well anymore. It is very hard to recognize a face when someone is wearing a hat or glasses, and even harder when wearing a mask.”
Privacy is also an issue. Both face and fingerprint are static biometrics that do not change and are hard to keep private, especially your face. So perhaps, rather than thinking of traditional biometrics as a substitution for passwords, think of them as your username.
Benefits of Contextual Biometrics for Application Security
COVID-19 accelerated digital transformation, which included a greater reliance on applications that allow contact-free transactions. This also puts a greater emphasis on the need for security for these applications, because even more personal data will be stored in them. And contact-free transactions will require users to unlock apps in situations where using a fingerprint or typing in a password is difficult. For example, when travel resumes, expect more hotels, rental car agencies and other services to rely on corporate apps for everything from registration to electronic keys. Contextual biometrics that use motion sensors to match your gait, for example, will unlock a phone and an app that unlocks your hotel room door, all without having to juggle your luggage.
Contextual and behavioral biometrics are also more difficult to copy. Smart cybercriminals can use photographs to hack facial recognition. It is much harder to mimic the way someone walks or to follow the same schedule and regular behaviors.
For organizations, the switch to contextual biometrics is relatively simple. Users don’t have to learn anything new or do anything to change their behavior. The biometric application uses each person’s individual traits to create a unique authentication.
“Because it is passive,” said Whaley, “behavioral biometrics are commonly used as a silent additional factor in a two-factor authentication (2FA) or multi-factor authentication (MFA) workflow. They are also used to streamline user experience as the first factor in the workflow. If there are any doubts about the authenticity of a user from the first factor, then the workflow can fall back to other, more traditional factors.”
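The workflow described above, with a passive behavioral check as the first factor and a fall back to a traditional factor when there is doubt, can be sketched as follows. This is an added example, not code from UnifyID or from the article; the signal names, weights, threshold and the upstream gait matcher that produces `gait_score` are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumed policy values, chosen only for illustration.
ACCEPT_THRESHOLD = 0.80  # at or above this, the passive factor alone is accepted
WEIGHTS = {"gait": 0.6, "hour": 0.2, "place": 0.2}


@dataclass
class Context:
    gait_score: Optional[float]  # 0..1 similarity from a motion-sensor matcher; None if no reading
    hour: int                    # local hour of the attempt, 0..23
    place: str                   # coarse location label, e.g. "office"


@dataclass
class Profile:
    usual_hours: Sequence[int]   # hours at which this user tends to connect
    usual_places: Sequence[str]  # places from which this user tends to connect


def hour_familiarity(hour: int, usual_hours: Sequence[int]) -> float:
    """1.0 at a usual hour, falling linearly to 0.0 at six or more hours away.
    Distance wraps around midnight, so 23:00 is two hours from 01:00."""
    if not usual_hours:
        return 0.0
    nearest = min(min(abs(hour - h), 24 - abs(hour - h)) for h in usual_hours)
    return max(0.0, 1.0 - nearest / 6.0)


def confidence(ctx: Context, profile: Profile) -> Optional[float]:
    """Weighted blend of the behavioral and contextual signals, or None without sensor data."""
    if ctx.gait_score is None:
        return None
    place = 1.0 if ctx.place in profile.usual_places else 0.0
    return (WEIGHTS["gait"] * ctx.gait_score
            + WEIGHTS["hour"] * hour_familiarity(ctx.hour, profile.usual_hours)
            + WEIGHTS["place"] * place)


def decide(ctx: Context, profile: Profile) -> str:
    """Return "allow" when the passive factor is convincing, else "fallback"
    so the caller prompts for a traditional factor (PIN, password, fingerprint)."""
    score = confidence(ctx, profile)
    if score is None:
        return "fallback"  # a missing reading is doubt, never a match
    return "allow" if score >= ACCEPT_THRESHOLD else "fallback"


# Constructed sample profile and attempt.
PROFILE = Profile(usual_hours=[8, 9, 18], usual_places=["home", "office"])
print(decide(Context(gait_score=0.95, hour=9, place="office"), PROFILE))
```

A strong gait match at an unusual hour and place still falls back, because the contextual signals lower the blended score below the threshold.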
Mobile applications need strong security, and the methods that we’ve been using have far too many flaws. Is contextual biometrics the perfect solution? Probably not, but it is getting us closer to a greater sense of security with mobile apps, especially as we move into a contact-free dynamic.