Smartphones can be pesky little endpoints. With their small size and their tendency to get lost, you can’t be sure if the smartphone requesting network access is really in the hands of a trusted employee, or if a malicious hacker is using someone else's device to access privileged data or other network resources.
Using strong mobile device authentication technology can reduce the risk posed by mobile devices, and one of the strongest technology options available today is biometric mobile authentication. This tip examines three biometric authentication methods that can add an extra layer of security to your customers' smartphones.
Making the case for smartphone biometrics
Authenticating smartphone and mobile device users has become imperative in today’s world. Laptops have long required user authentication, since they can typically be used to access a broad swath of confidential data and email. Smartphones are now used in the same way and often receive the same broad network and data access as notebooks, so they require the same level of security and authentication.
Usernames and passwords/tokens have been effective mobile device authentication methods in the past, but recent malware attacks have demonstrated that additional steps must be taken to prevent unauthorized access to highly sensitive data via smartphones.
For example, the Zitmo variant of the Zeus Trojan has infected thousands of Android-based phones. So far, hackers have focused on bank login credentials, but coupling the same malware technology with spear phishing could enable an attacker to gain access to an enterprise. For situations like this, biometric authentication can add an additional level of security.
Comparison of biometric authentication methods
Biometric authentication methods and technologies are based on a physical characteristic of the user, and are therefore difficult for an attacker to copy. The types of biometric authentication available for smartphones today include fingerprint authentication, voice recognition, facial recognition, and iris or retinal scanning.
Channel partners must keep up with developments in these areas and be able to explain to customers the relative advantages and disadvantages of each biometric authentication approach.
Fingerprint authentication is a highly secure form of authentication since every individual’s fingerprints are unique. The choice of phones with a built-in fingerprint reader is currently limited. Motorola Inc. has introduced the ATRIX 4G, an Android phone with an integrated fingerprint reader, and the recently introduced Fujitsu REGZA Phone T-01D also includes a fingerprint reader. Both phones utilize AuthenTec Inc.’s fingerprint sensor.
Smartphone users initialize the fingerprint facility by following screen prompts to swipe each index finger across the reader. Unlocking the phone then requires a swipe by one of the two registered fingers. Use of the fingerprint reader can be overridden by entering a PIN.
Fingerprint readers can control access to smartphones, but they don’t integrate with network access software. Software development kits, or SDKs, available from such vendors as AuthenTec Inc., Innovatrics and Neurotechnology, enable VARs and integrators to integrate fingerprint readers with network access software at a corporate site, or develop their own applications utilizing a reader.
Let's briefly touch on each product. The AuthenTec product, based on the AuthenTec sensor, is used in Motorola and Fujitsu phones. The Innovatrics product integrates external fingerprint readers. Originally designed for PCs, the product has been adapted to support Windows-based smartphones. The Neurotechnology product was also designed to support external readers connected to PCs. The company has adapted its software to integrate with Android, and supports AuthenTec’s and other vendors’ external fingerprint sensors.
Voice recognition performs authentication by matching the smartphone user’s voice against a pre-recorded sample. No specialized hardware is required since all phones include a microphone. Voice recognition is not appropriate for phone users who need to access their phones to check email during meetings, presentations or other events when speaking into the phone is not acceptable behavior.
PhoneFactor Inc. offers multifactor authentication for any model smartphone. Users must provide a username/password and PIN, and then speak a passphrase that matches a previously recorded voiceprint. The vendor’s software is installed on the customer’s site and executes on the site’s server so it’s not necessary to develop software for the phone. An SDK is provided so partners can integrate PhoneFactor with other server-based applications.
PerSay Ltd., recently acquired by Nuance Communications, also offers a product that requires a caller to authenticate by repeating a passphrase. In addition, the firm offers a product that requires no passphrase, but monitors the caller’s speech for several seconds to determine whether the caller’s voice matches a pre-recorded sample. All software executes on a server at the customer site.
Facial recognition, iris scanning, retinal scanning
Facial recognition performs authentication by matching the picture taken by the phone’s camera to a previously taken picture of the authorized user. Nearly all phones now include a camera, making facial recognition a readily available biometric option for a wide variety of customers. Facial recognition may not be a good choice for customers who often use their phones in low-light environments.
There are many available apps providing facial recognition for Android, BlackBerry, iPhone and Windows Phones. For example, Animetrics Inc., BluePlanetApps and Visidon Ltd. offer a variety of products, as well as SDKs that VARs and integrators can use to integrate with network access software.
Iris or retinal scanning technology has not yet been made available to consumers, but B12 Technologies’ Mobile Offender Recognition and Identification System (MORIS) product is currently in use by police forces.
For many customers, passwords, PINs or security tokens provide sufficient security. For others, smartphone biometrics -- used alone or in conjunction with other authentication methods -- provide the extra security needed to assure the safety of high-value data and transactions.
Before recommending an authentication method, solution providers must consider each customer’s unique requirements and the environment where the phone will be used. Consider the types of information that employees will access or download to their phones. Would the information be valuable to an attacker? Consider a CFO accessing quarterly numbers from a WiFi hotspot prior to public release. This is the kind of situation where the extra security of a biometric control is needed.
Assisting customers in assessing and implementing biometric authentication products is an important value-added business opportunity for solution providers. Not all customers will need to invest in biometric authentication or want to burden employees with additional steps to access corporate devices and data. Simply ask customers to consider the cost of dealing with a potential security breach. In many cases, faced with the results of this analysis, customers will decide to invest in the extra layer of protection that biometric authentication provides.
About the author:
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
This was first published in December 2012