You're Nobody Without Your Mobile Device

The mobile device explosion within the enterprise has opened up countless new technology opportunities, but one that is just now starting to be explored is the idea of turning a mobile device into the ultimate biometric hardware. Apple's pending $356-million acquisition of biometrics hardware manufacturer AuthenTec got pundits' tongues wagging about the proposition of a new wave of mobile-enabled biometric use both inside and outside the enterprise. But a surge in enterprise mobile biometric authentication will depend on how well these controls can be managed and centralized within organizationwide identity and access management (IAM) systems.

Benefits Of A New Form Factor
With powerful processing, a growing number of built-in inputs ready to be used creatively by the right developers, and users' enthusiastic willingness to carry them to the ends of the earth, mobile devices cut through many of the long-standing obstacles to widespread biometric deployment.

"One of the biggest challenges in making biometrics work has been the provisioning of the hardware that physically does the authentication step, and integrating that hardware with the end user's client device," says Darren Platt, CTO of Symplified. In the enterprise environment, he adds, this has meant investing considerably in hardware such as fingerprint readers.

According to Ram Pemmaraju, CTO of StrikeForce Technologies, the cost of hardware or expensive licensing for biometrics like voice authentication has effectively put the skids on widespread biometric adoption within the enterprise.

"That's the reason why adoption rate has been slow," he says. "When that technology is available at really a low cost, we think adoption rate will jump up significantly."

The prospect of embedding biometric hardware and software into the mobile platform not only presents a ubiquitous piece of hardware, but a very flexible one at that. It not only reduces that cost barrier, but it also opens up a world of newly evolved biometric use cases, says Beau Woods, founder of Stratigos Security.

"There are so many potential inputs -- capacitive screens, microphones, cameras, accelerometers, you name it," he says. "And [these devices] have enough processing power to do more advanced pattern matching, too."

But the current input technology isn't quite ready for prime-time, warns Troy Potter, vice president of identity solutions for Unisys, explaining that fingerprint recognition or any technology requiring touch can't be accommodated within the current crop of hardware out today.

"I think where it's actually good is in facial recognition or voice recognition, where it's already built into the phone itself," he says. The high-res photos and quality of microphones make it possible to layer on software that takes advantage of this existing hardware, he explains.

Integration of fingerprint and touch-input hardware and software within popular mobile devices could be on the horizon soon if some industry prognosticators' predictions about Apple's AuthenTEC play hold true. Speculation is still running hot as to what form that may take, whether using the existing touchscreen capability with some software tweaking or including a dedicated fingerprint reader. Also unanswered is what biometrics could be used for, whether to authenticate on the device or to be used as a second form of authentication for outside application. But given that the most recent iPhone 5 announcement is only a few weeks behind us, it is clear that we'll have to wait longer for any signs as to Apple's intentions.

IAM Challenges
The $64,000 question, of course, is how well these biometric-enabled devices can be managed in a centralized IAM strategy.

"One of the headaches that biometric deployments introduce to IAM systems is the idea of authentication scoring," Platt says. "The result of a particular authentication event isn't 'yes, that is Mike' or 'no, that isn't Mike,' but instead 'there is a 92% certainty that it's Mike.'

[ Forgetting something? Don't get caught with your patch down. See 5 Systems Your Forgetting To Patch. ]

This means organizations will have to configure the levels of certainty they will require for a given application based on the organization's risk tolerance in each particular case, he says.

But that's only the start to mobile biometric's challenges. Some skeptics believe that given the mostly consumer-centric design of the typical mobile device, even within many corporate-issued devices this hardware simply couldn't offer the security capabilities necessary to stand-up to enterprise IAM criteria.

"Biometrics on mobile devices will be a nonstarter due to the mismatch between the cost and capabilities of consumer-grade hardware for biometrics and the needs for security and reliability for enterprises," says Phil Lieberman, president of Lieberman Software.

What's more, organizations with BYOD-lenient policies could find the lack of standardization across a diversity of devices posing added difficulty in processing biometric data fed into the IAM system.

"The management of biometric data is a nightmare due to lack of standardization, as well as the secure storage and secure retrieval and verification in a mobile setting," he says.

Next Page: IT between a rock and a hard place.