KuppingerCole Report
Advisory Note
By John Tolbert

Mobile Biometrics for Authentication and Authorization

Many new biometric technologies and products have emerged in the last few years. Biometrics have improved considerably, and are now increasingly integrated into smartphones. Mobile biometric solutions offer not only multi-factor and strong authentication possibilities, but also transactional authorization. However, there are a number of challenges with biometric authentication you must be aware of.

1 Executive Summary

Enterprises of all sizes and types experience cyber-attacks daily. Financial information, PII, patient health information, government data, and intel ...


2 Highlights

  • Biometric technologies are improving
  • Smartphones have basic biometric capabilities built-in
  • A myriad of 3rd party biometric authenticators are ...

3 Introduction to biometrics

Biometrics is the process of measuring and analyzing physical and behavioral characteristics of a human subject. For practical applications in securi ...


3.1 Overview

Password-based authentication is widely accepted as a weak form of assurance. Over the years, technologists have developed many different alternative ...


3.2 Fingerprint

Fingerprint readers are standard on newer smartphones. There are 4 main methods for fingerprint analysis: optical, CMOS, ultrasound, and thermal; an ...


3.3 Facial recognition

Facial recognition technology relies on optical imaging for comparing the spatial geometry of subjects’ faces. Accuracy tends to improve with high ...


3.4 Iris recognition

Operationally, iris recognition is similar to facial recognition, in that both methods involve taking a photograph of the subject’s face. With iris ...


3.5 Voice recognition

Voice recognition combines physical and behavioral measurements. The physical aspect is the construction of the individual’s larynx and vocal cords ...

Figure 1: Voiceprint image, from Shinoda Lab., Department of Computer Science, School of Computing, Tokyo Institute of Technology

The suitability for voice recognition is affected by several factors: voices change with age, sickness, tiredness, and stress. Background noise also ...


3.6 Behavioral biometrics

Behavioral biometrics are technologies which measure differences in how users interact with the mobile device. Several types of behavioral biometric ...


4 The Smartphone as an Identity Platform

Smartphones are ubiquitous and computationally powerful. Many smartphones have Secure Elements and Trusted Execution Environments that allow for trus ...


4.1 Mobile push apps and out-of-band transaction confirmation

In the realm of online transactions, consumers are concerned about identity theft, one form of which is fraudulent use of payment card information. On ...


4.2 Derived PKI Credentials on mobile devices

Mobile devices, including both tablets and smartphones, are selling better than traditional PC platforms. It is natural for users to want to have the ...

Figure 2: Trusted Execution Environment Architecture

Within the next 1-3 years, derived PKI credentials are likely to be used in many countries around the world. As of 2015, twenty-one countries in Euro ...


5 Standards for mobile authentication

Standards are imperative for security technologies, particularly those involving measurements. Technical standards promote interoperability between s ...


5.1 Fast IDentity Online (FIDO)

FIDO is a standard specification and protocol for strong mobile authentication to traditional web resources. FIDO’s architecture is client-server, ...


5.2 Global Platform secure storage and execution specification

As mentioned in section 4.2, the Global Platform standards organization defines specifications for:

  • Secure Elements for protected storage, includi ...

5.3 FAR, FRR, EER, and measurements

Biometric accuracy is measured in terms of False Acceptance Rate (FAR) and False Rejection Rate (FRR). FAR and FRR are generally inversely proportion ...

Figure 3: FAR vs. FRR and EER, from www.biometria.sk

In the US, NIST does perform biometric accuracy testing for vendors who submit their matching software for evaluation. An example of a successful tes ...
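As an added illustration of the FAR/FRR trade-off and the equal error rate described in this section (example code, not part of the report), the Go program below sweeps a decision threshold over constructed matcher scores. The score values, and the assumption that a higher score means a closer match, are mine; the functions compute FAR and FRR at each threshold, locate the EER, and show the FRR paid for driving FAR down to a chosen target.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Constructed matcher scores (not from the report). Higher means a closer
// match; genuine = sample vs. the same person's template, impostor = sample
// vs. someone else's template. Ten of each keeps the arithmetic easy to follow.
var genuineScores = []float64{0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.79, 0.90, 0.66, 0.58}
var impostorScores = []float64{0.12, 0.33, 0.45, 0.28, 0.61, 0.19, 0.52, 0.70, 0.24, 0.38}

// FAR at threshold t: share of impostor attempts the matcher accepts (score >= t).
func FAR(impostor []float64, t float64) float64 {
	accepted := 0
	for _, s := range impostor {
		if s >= t {
			accepted++
		}
	}
	return float64(accepted) / float64(len(impostor))
}

// FRR at threshold t: share of genuine attempts the matcher rejects (score < t).
func FRR(genuine []float64, t float64) float64 {
	rejected := 0
	for _, s := range genuine {
		if s < t {
			rejected++
		}
	}
	return float64(rejected) / float64(len(genuine))
}

// candidates returns every observed score in ascending order; the rates only
// change at these points, so they are the only thresholds worth testing.
func candidates(genuine, impostor []float64) []float64 {
	c := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(c)
	return c
}

// EER finds the threshold where FAR and FRR are closest and returns it with
// the equal error rate (their mean at that point).
func EER(genuine, impostor []float64) (threshold, eer float64) {
	best := math.Inf(1)
	for _, t := range candidates(genuine, impostor) {
		far, frr := FAR(impostor, t), FRR(genuine, t)
		if d := math.Abs(far - frr); d < best {
			best, threshold, eer = d, t, (far+frr)/2
		}
	}
	return threshold, eer
}

// ThresholdForFAR returns the lowest threshold whose FAR does not exceed the
// target, and the FRR that operating point costs. Lowering the target raises
// FRR: the inverse relationship the report describes.
func ThresholdForFAR(genuine, impostor []float64, target float64) (threshold, frr float64) {
	for _, t := range candidates(genuine, impostor) {
		if FAR(impostor, t) <= target {
			return t, FRR(genuine, t)
		}
	}
	return math.Inf(1), 1 // reject everything: FAR 0, FRR 1
}

func main() {
	fmt.Println("thr   FAR   FRR")
	for _, t := range candidates(genuineScores, impostorScores) {
		fmt.Printf("%.2f  %.2f  %.2f\n", t, FAR(impostorScores, t), FRR(genuineScores, t))
	}
	t, e := EER(genuineScores, impostorScores)
	fmt.Printf("EER %.2f at threshold %.2f\n", e, t)
	for _, target := range []float64{0.2, 0.1, 0.0} {
		th, f := ThresholdForFAR(genuineScores, impostorScores, target)
		fmt.Printf("FAR <= %.1f needs threshold %.2f, FRR %.2f\n", target, th, f)
	}
}
```

On these constructed scores, accepting a FAR of 0.2 costs no false rejections, the EER sits at 0.1, and forcing FAR to zero pushes FRR to 0.2. Real matchers are evaluated on far larger sample sets, which is why independent testing such as NIST's matters.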


6 Challenges

Mobile biometrics provide an opportunity to move away from passwords and improve usability. However, there are architectural, security, and privacy i ...


6.1 Local vs. Server-based biometric sample validation

Where biometric pattern validation occurs is an important design factor. Server-based biometric validation has the following advantages and disadvant ...

The risk of mobile device tampering can be reduced by using authentication apps that are designed to use SE and TEE.

Local validation of biometric s ...

When biometric samples are stolen from servers, administrators cannot revoke and re-issue fingerprints and faces. The risks of credential loss from s ...


6.2 Registration attacks

At first glance, biometric authentication technologies seem like bulletproof methods for reliably checking identities. But what if malicious actors c ...


6.3 Spoofing attacks and liveness detection

Biometric authentication methods can be defeated by spoofing attacks, that is, the presentation of copied samples to the sensor by unauthorized users. ...


6.4 Biometric method suitability by use case

Fingerprint authentication is both widely available and widely accepted as a form of biometric authentication. It can be used in a large number of us ...

Figure 4: FAR/FRR

In this table, H = High, M = Medium, L = Low. The ratings are on an A-F scale.

The FAR/FRR is a combined measure of false positives and false negat ...


6.5 Secrecy vs. Integrity

In traditional security paradigms, the secrecy of the authentication token is paramount. This is why passwords are supposed to not be shared, and pas ...
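The following Go program is an added example, not code from the report or from the FIDO Alliance, tying together section 5.1 (FIDO's client-server challenge-response), section 6.1 (local validation, with key and template held on the device) and this section's point about secrecy versus integrity. The relying party stores only a per-user public key and a one-time challenge, so a breach of its store yields nothing an attacker can replay; what it must protect is the integrity of the binding between public key and account. The biometric match happens on the device (byte equality stands in for a real matcher and its FAR/FRR) and only unlocks the signing key, so no biometric data ever crosses the network. The signed message format (origin plus challenge) is a simplification of a FIDO assertion, and the user name, origin and template bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models the device side. The private key and the enrolled
// template stay on the device (in practice inside the SE/TEE); a successful
// local biometric match only gates use of the key.
type Authenticator struct {
	priv     ed25519.PrivateKey
	template []byte // toy stand-in for an enrolled biometric template
}

// RelyingParty models the server. It holds public keys and outstanding
// challenges only: nothing here is secret, but its integrity matters.
type RelyingParty struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll generates the device key pair and returns the authenticator plus the
// public key that is sent to the relying party at registration.
func Enroll(template []byte) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, template: template}, pub, nil
}

// Register binds a public key to a user account. Only the public key crosses
// the network; no biometric sample is transmitted or stored server-side.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.pubKeys[user] = pub
}

// Challenge issues a fresh random nonce for one authentication attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// signedMessage is the simplified payload: origin plus challenge, so an
// assertion produced for one site cannot be replayed against another.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign performs the local biometric check (byte equality stands in for a real
// matcher) and, only on success, signs the challenge with the device key.
func (a *Authenticator) Sign(origin string, challenge, sample []byte) ([]byte, error) {
	if !bytes.Equal(sample, a.template) {
		return nil, errors.New("local biometric match failed; key not unlocked")
	}
	return ed25519.Sign(a.priv, signedMessage(origin, challenge)), nil
}

// Verify checks the assertion against the registered public key and consumes
// the challenge so the same signature cannot be replayed.
func (rp *RelyingParty) Verify(user, origin string, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	c, have := rp.challenges[user]
	if !ok || !have {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, signedMessage(origin, c), sig)
}

func main() {
	rp := NewRelyingParty()
	template := []byte("constructed-template-alice") // constructed, not real biometric data
	auth, pub, err := Enroll(template)
	if err != nil {
		panic(err)
	}
	rp.Register("alice", pub)

	c, _ := rp.Challenge("alice")
	sig, err := auth.Sign("https://bank.example", c, template)
	fmt.Println("genuine login accepted:", err == nil && rp.Verify("alice", "https://bank.example", sig))
	fmt.Println("replayed assertion accepted:", rp.Verify("alice", "https://bank.example", sig))

	c, _ = rp.Challenge("alice")
	_, err = auth.Sign("https://bank.example", c, []byte("wrong-finger"))
	fmt.Println("spoofed sample rejected on device:", err != nil)
}
```

Contrast this with server-side matching: there the server must hold templates whose compromise cannot be undone by re-issuing anything, while here a leaked relying-party database exposes only public keys and an attacker still needs the device and a passing local match.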


7 Recommendations

Biometrics have entered the mainstream as an authentication technology. Mobile devices have native biometric capabilities. Moreover, mobile devices ...

Figure 5: Venn diagram of possible requirements to biometric solutions mapping

The circles are pre-requisites, having biometric capable smartphones, regulatory requirements, and enterprise policy requirements. The points of inte ...


Copyright

©2020 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.
