Biometrics can't be the be-all and end-all of mobile security

The steady rise of mobile access to the most sensitive databases in your enterprise is likely to keep growing. Despite this, when it comes to mobile authentication, it’s typical for the industry to support the most convenient - but least effective - security options. 

This is why phones first widely adopted fingerprint authentication (which can be impacted by prescriptions, cleaning products, hand injuries, and dozens of other factors) before moving on to facial recognition. Both methods are quick, easy and don't require users to remember passwords and PINs. In addition to this, because it’s your unique fingerprint (or in this case, your unique face) it’s presumed by many to be impenetrable security-wise. 

However, this is not true - on both the anecdotal and practical level. 

On the practical level, facial recognition requires a precise distance from your phone but gives no pre-scan markers to know if you're at the right distance. In studies, facial recognition will reject a scan roughly 40% of the time but will approve those same scans two seconds later. 

In Apple’s early rollout there was an issue where family members were able to unlock each other's phones using facial ID. This wasn’t a situation, as you may be imagining, limited to identical twins and similar-looking siblings. Mothers and their sons, fathers and their daughters, were able to access each other's phones using this feature. 

On the anecdotal, there are already incidents where the seemingly rock-solid security solution has been bypassed. There was a case in China where a man, after putting his ex-girlfriend to sleep with medication, pulled open her eyes to use facial ID on her phone. It worked, and once he got access he stole £18,000 from her account. 

While this was a freak incident, concerns over facial recognition have been growing for quite some time. We have previously covered stories where experts warn on how facial recognition could constitute a security concern. Highlighting a broader problem when it comes to security, that it is always in competition with convenience. 

Facial ID will continue to be exploited by criminals, especially as we grow even more reliant on our phones. It is not an impenetrable form of mobile security, and for this reason, we not only need more stringent standards for authentication but multiple forms of it on our devices. 

Some experts suggest behavioural analytics beyond using fingerprint and facial data may be the key to improving the security of our phones. This includes authentication methods that take into account user typos, their exact typing speed or the angle they hold their phone. These will add additional security, as they are both personalised and difficult to fake. As behavioural analytics works quietly in the background, this could make our  security more robust and convenient by identifying personal characteristics without burdening the user. 

Ultimately, effective security requires a multi-layered approach. The first and most critical aspect of this approach is maintaining a security-first mindset throughout your organisation. You need to ensure you're mandating a robust approach to authentication amongst both higher and lower staff, and your company has regular reviews. 

This is so important because the biggest reason security fails, again, is that convenience trumps tried and tested procedures. People are unaware of or not thinking about security risks, and just want to access their devices in the easiest way possible. This is why regularly reviewing authentication across your organisation is important, because security erodes as employees forget the risks and just want to get on with their work. 

This is an especially huge risk with mobile devices, as we use them professionally and personally so frequently and extensively. We use phones for communication, entertainment, shopping, research, scheduling, booking appointments, exercising and even meditating. We are opening and closing our devices and accounts constantly. 

With this in mind, biometrics can’t be the be-all and end-all of mobile security in your organisation. It has to be one of a half-dozen factors. Your approach may combine weaker methods, like passwords, PIN’s and weaker biometrics for low priority accounts, and more stringent methods involving behavioural analytics for high priority accounts, like online banking.

Whatever approach your organisation takes, it must be multi-layered, multifaceted and influenced by a security-first mindset. 

Image Credit: Adobe Stock