A rise in data breaches has enterprises rethinking user authentication. Biometrics stands out as a way to harden security without imposing friction on UX. However, not all approaches are as secure as they might seem. Here are five important differences between consumer and enterprise-grade biometric authentication that you need to know, highlighted by Alexey Khitrov, president and CEO at ID R&D.
Consumers today place a high value on convenience and nearly everyone agrees that passwords are not convenient. Increasingly, mobile apps are allowing users to enable device-based biometrics – like Face ID or Touch ID on the iPhone – to bypass frustrating login practices.
Sounds amazingly simple, right? It is. But is it secure?
The Problem With “Consumer-Grade Biometrics”
The biometric capabilities on modern mobile devices were initially designed to make it easier and faster for users to unlock their devices. These biometrics are a part of the consumer’s device, thus the term “consumer-grade” biometrics.
Considering the fact that the average mobile user unlocks their device 150 times a day, this is a popular UX feature. But when enabled, users still have the fallback of using their passcode or swipe pattern to authenticate. Herein lies the problem. Whoever controls the passcode can easily enroll their biometrics on the device.
On an iPhone it’s as simple as going to settings, entering the device passcode again, and clicking “Reset Face ID”. In other words, the capability is only as secure as a device passcode.
Many applications have password policies that include length and types of characters required. These policies are certainly not satisfied with a 6-digit numerical code.
App developers who allow users to bypass login with device-based biometrics, whether they realize it or not, sacrifice security for convenience and open up customers and the business to risk.
The following four scenarios illustrate the vulnerabilities.
Attack Scenario #1
Someone who knows or can guess your device passcode – maybe a bad roommate, scorned ex, or sneaky teenaged child – unlocks your device and resets the Face ID to be their own. Would you be surprised to learn that if you have accounts set to “enable Face ID” for login, they can probably access them? Give it a try.
Attack Scenario #2
Your mobile device is stolen. A quick Google search will result in a variety of ways to quickly hack a phone lock code or pattern. Not to mention the fact that many people use weak passwords and passcodes based on easily accessible information like birth dates. While it’s a less likely scenario, a successful hacker could crack the device unlock and then follow the steps in Scenario 1 to transfer bank funds, cash out investments, or access personal information.
Attack Scenario #3
In this scenario, your mobile number is compromised through SIM swapping. This happens when a fraudster contacts your wireless carrier and uses your personal information to convince a call center employee that they are you. Once the hacker controls your number, they can easily reset your application passwords and take over your accounts. Because consumer-grade biometrics are merely a substitute for a password and not a second factor, they do nothing to protect the user in this attack scenario.
Attack Scenario #4
In another form of Account Takeover, hackers use phishing attacks or the Dark Web to acquire account passwords. They often use social engineering tactics to persuade contact center agents or other employees to reset or divulge passwords. The fraudster may also claim to have a new device. Like the prior scenario, the use of consumer-grade biometrics is not a second factor independent of the phone and therefore cannot be leveraged to help legitimate users easily regain access while keeping criminals out.
All four of the outlined attack scenarios can be prevented with the use of “enterprise-grade biometrics”.
What Is Enterprise-Grade Biometrics?
Unlike on-device biometrics, enterprise-grade biometrics are deployed directly within the enterprise mobile application, providing an authentication factor that is separate from the device. Because the biometrics are independent, they are not tied to a specific device, but rather to a specific user. The result is significantly stronger security while still delivering a frictionless user experience.
Five Advantages of Enterprise-Grade Biometric Authentication
1. Puts the enterprise in control of the Security Level
Building biometric capabilities into the enterprise system empowers the enterprise to decide how and when to apply biometrics as a factor in the authentication process. As such, they can enforce the same security level and user experience across all types of devices.
2. Provides a True, Independent Authentication Factor
Enterprise-grade biometrics deployed in the application function independently of the device and thus provide a second “something you are” factor in addition to the device (“something you have”). The customer can upgrade or replace their device at any time without having to re-enroll and without losing access. The enterprise can also implement multiple biometrics for even stronger security as needed – for example, using face and voice biometrics together.
3. Defends the Enterprise from Account Takeover Attacks and Fake Account Setup
If a user’s mobile device is lost, stolen or otherwise compromised, enterprise-grade biometrics protect against account takeovers as a fraudster cannot reset them (even if they reset the device biometrics, they will not gain access). Additionally, enterprise-grade biometrics provide a reliable way to verify identity without using weak knowledge-based authentication tactics which are vulnerable to social engineering.
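To make the difference described in Attack Scenario 1 and in advantages 2 and 3 concrete, here is an added model (example code written for this article, not ID R&D’s or any vendor’s implementation) of the two designs: a consumer-grade app that trusts the device’s local unlock result, and an enterprise-grade app that matches a probe against a template bound to the user account on the server and treats the registered device as a separate factor. The templates, the cosine-similarity matcher, the threshold, the passcode and the device ids are all constructed for the illustration.

```python
import math
from typing import Dict, List, Optional, Set

MATCH_THRESHOLD = 0.95  # constructed; templates below are toy 4-d feature vectors

def similarity(a: List[float], b: List[float]) -> float:  # cosine, 1.0 = identical
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

class Device:
    """Phone whose on-device biometric anyone holding the passcode can re-enrol."""
    def __init__(self, passcode: str, enrolled: Optional[List[float]] = None):
        self.passcode, self.enrolled = passcode, enrolled
    def reset_biometric(self, passcode: str, template: List[float]) -> bool:
        if passcode != self.passcode:  # re-enrolment is gated only by the passcode
            return False
        self.enrolled = template
        return True
    def local_unlock(self, probe: List[float]) -> bool:
        return self.enrolled is not None and similarity(probe, self.enrolled) >= MATCH_THRESHOLD

class EnterpriseGradeApp:
    """Server-bound user template plus a registered device: two independent factors."""
    def __init__(self) -> None:
        self.templates: Dict[str, List[float]] = {}
        self.devices: Dict[str, Set[str]] = {}
    def enroll(self, user: str, template: List[float], device_id: str) -> None:
        self.templates[user] = template
        self.register_device(user, device_id)
    def register_device(self, user: str, device_id: str) -> None:
        self.devices.setdefault(user, set()).add(device_id)  # no biometric re-enrolment
    def login(self, user: str, device_id: str, probe: List[float]) -> bool:
        if device_id not in self.devices.get(user, set()):  # something you have
            return False
        return similarity(probe, self.templates[user]) >= MATCH_THRESHOLD  # something you are

# Constructed templates: ALICE and ALICE_LATER are two captures of the same user.
ALICE, ALICE_LATER, INTRUDER = [0.9, 0.1, 0.3, 0.7], [0.88, 0.12, 0.31, 0.69], [0.2, 0.8, 0.6, 0.1]

def run_scenarios() -> Dict[str, bool]:
    """Scenario 1 (passcode holder re-enrols Face ID) and advantage 2 (device replaced)."""
    dev, ent = Device("123456", enrolled=ALICE), EnterpriseGradeApp()
    ent.enroll("alice", ALICE, "phone-1")
    dev.reset_biometric("123456", INTRUDER)  # intruder knows the passcode
    ent.register_device("alice", "phone-2")  # user upgrades phone, no re-enrolment
    return {
        "consumer_after_reset": dev.local_unlock(INTRUDER),  # consumer-grade app trusts this
        "enterprise_after_reset": ent.login("alice", "phone-1", INTRUDER),
        "enterprise_new_phone": ent.login("alice", "phone-2", ALICE_LATER),
        "enterprise_unregistered_phone": ent.login("alice", "phone-3", ALICE_LATER),
    }
```

Running `run_scenarios()` shows the consumer-grade path admitting the intruder after the reset while the enterprise-grade path rejects them, and the replaced phone working without re-enrolment as long as it is registered.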
4. Works Across a Variety of Communication Channels
Because the biometrics are tied to the user, not the device, the enterprise may extend biometric login to additional channels and devices – from web portals to chatbots to the call center – without the user having to re-enroll. For companies looking for a true passwordless customer journey, this is an important characteristic of biometric authentication.
5. Flexible Performance and Sophisticated Algorithms
Manufacturers build devices with a range of hardware features and capabilities. When using consumer-grade biometrics, performance is limited to the device. Enterprise-grade biometrics not only offer flexible configuration and dynamic security decisioning capabilities, but also the ability to supplement on-device performance with powerful GPU-based algorithms and processing on back-end servers.
Building Better Apps with Secure, Frictionless Biometric Login
Strengthening security without sacrificing the user experience has historically been a difficult task. Biometric authentication offers an accurate, convenient, and low effort way to secure access. However, it’s critically important to understand that not all biometrics meet enterprise security requirements. While consumer-grade biometrics deliver on convenience, they do not provide the level of security needed to protect the enterprise and its customers.