You're Nobody Without Your Mobile Device

Will mobile biometrics be an IAM driver or nonstarter in the enterprise?

Dark Reading Staff, Dark Reading

October 3, 2012


The mobile device explosion within the enterprise has opened up countless new technology opportunities, but one that is just now starting to be explored is the idea of turning a mobile device into the ultimate biometric hardware. Apple's pending $356-million acquisition of biometrics hardware manufacturer AuthenTec got pundits' tongues wagging about the proposition of a new wave of mobile-enabled biometric use both inside and outside the enterprise. But a surge in enterprise mobile biometric authentication will depend on how well these controls can be managed and centralized within organizationwide identity and access management (IAM) systems.

Benefits Of A New Form Factor
With powerful processing, a growing number of built-in inputs ready to be used creatively by the right developers, and users' enthusiastic willingness to carry them to the ends of the earth, mobile devices cut through many of the long-standing obstacles to widespread biometric deployment.

"One of the biggest challenges in making biometrics work has been the provisioning of the hardware that physically does the authentication step, and integrating that hardware with the end user's client device," says Darren Platt, CTO of Symplified. In the enterprise environment, he adds, this has meant investing considerably in hardware such as fingerprint readers.

According to Ram Pemmaraju, CTO of StrikeForce Technologies, the cost of hardware or expensive licensing for biometrics like voice authentication has effectively put the skids on widespread biometric adoption within the enterprise.

"That's the reason why adoption rate has been slow," he says. "When that technology is available at really a low cost, we think adoption rate will jump up significantly."

The prospect of embedding biometric hardware and software into the mobile platform not only presents a ubiquitous piece of hardware, but a very flexible one at that. It not only reduces that cost barrier, but it also opens up a world of newly evolved biometric use cases, says Beau Woods, founder of Stratigos Security.

"There are so many potential inputs -- capacitive screens, microphones, cameras, accelerometers, you name it," he says. "And [these devices] have enough processing power to do more advanced pattern matching, too."

But the current input technology isn't quite ready for prime time, warns Troy Potter, vice president of identity solutions for Unisys, explaining that fingerprint recognition or any technology requiring touch can't be accommodated by the current crop of hardware.

"I think where it's actually good is in facial recognition or voice recognition, where it's already built into the phone itself," he says. The high-res photos and quality of microphones make it possible to layer on software that takes advantage of this existing hardware, he explains.

Integration of fingerprint and touch-input hardware and software within popular mobile devices could be on the horizon soon if some industry prognosticators' predictions about Apple's AuthenTec play hold true. Speculation is still running hot as to what form that may take, whether using the existing touchscreen capability with some software tweaking or including a dedicated fingerprint reader. Also unanswered is what the biometrics could be used for, whether to authenticate on the device or to serve as a second form of authentication for outside applications. But given that the most recent iPhone 5 announcement is only a few weeks behind us, it is clear that we'll have to wait longer for any signs as to Apple's intentions.

IAM Challenges
The $64,000 question, of course, is how well these biometric-enabled devices can be managed in a centralized IAM strategy.

"One of the headaches that biometric deployments introduce to IAM systems is the idea of authentication scoring," Platt says. "The result of a particular authentication event isn't 'yes, that is Mike' or 'no, that isn't Mike,' but instead 'there is a 92% certainty that it's Mike.'"


This means organizations will have to configure the levels of certainty they will require for a given application based on the organization's risk tolerance in each particular case, he says.
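As an added illustration (not from the article or any vendor named in it), the sketch below derives a per-application certainty threshold from each application's tolerated false-accept rate and shows the false-reject cost of each choice. The scores, application names, tolerance values and the "step-up" fallback to another factor are all constructed assumptions.

```python
# Constructed sample match scores on a 0-100 "certainty" scale (not real data).
GENUINE = [97, 95, 93, 92, 91, 90, 88, 86, 84, 79]   # attempts by the rightful user
IMPOSTOR = [30, 41, 48, 55, 60, 66, 72, 78, 85, 89]  # attempts by someone else

# Hypothetical risk tolerance: highest false-accept rate each application accepts.
MAX_FAR = {"cafeteria-menu": 0.30, "email": 0.10, "payroll": 0.0}


def rates(threshold):
    """Return (false-accept rate, false-reject rate) at a given threshold."""
    far = sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)
    frr = sum(s < threshold for s in GENUINE) / len(GENUINE)
    return far, frr


def pick_threshold(max_far):
    """Lowest threshold whose FAR is within tolerance, which keeps FRR minimal."""
    for t in range(0, 101):
        if rates(t)[0] <= max_far:
            return t
    return 101  # no score on the 0-100 scale would ever be accepted


def build_policy():
    """Map each application to the threshold its risk tolerance implies."""
    return {app: pick_threshold(far) for app, far in MAX_FAR.items()}


def decide(app, score, policy):
    """Allow on a sufficient score; otherwise ask for another factor (assumed)."""
    return "allow" if score >= policy[app] else "step-up"


if __name__ == "__main__":
    policy = build_policy()
    for app, t in policy.items():
        far, frr = rates(t)
        print(f"{app:15s} threshold={t:3d} FAR={far:.0%} FRR={frr:.0%}")
    # The same 88% match is enough for email but not for payroll.
    print(decide("email", 88, policy), decide("payroll", 88, policy))
```

Tightening the tolerance raises the threshold and with it the share of legitimate users sent to the fallback, which is the trade-off each application owner has to set.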

But that's only the start of mobile biometrics' challenges. Some skeptics believe that, given the mostly consumer-centric design of the typical mobile device, this hardware simply couldn't offer the security capabilities necessary to stand up to enterprise IAM criteria, even in many corporate-issued devices.

"Biometrics on mobile devices will be a nonstarter due to the mismatch between the cost and capabilities of consumer-grade hardware for biometrics and the needs for security and reliability for enterprises," says Phil Lieberman, president of Lieberman Software.

What's more, organizations with BYOD-lenient policies could find the lack of standardization across a diversity of devices posing added difficulty in processing biometric data fed into the IAM system.

"The management of biometric data is a nightmare due to lack of standardization, as well as the secure storage and secure retrieval and verification in a mobile setting," he says.

This standardization issue would stick IT between a rock and a hard place with regard to mobile biometric adoption. Corporate-issued mobile devices could provide a degree of uniformity that would make it easier to f biometric mechanisms from them into the greater IAM ecosystem. But that strategy could hamper user acceptance, as employees are likely to carry their own personal phone as a primary device.

But the decision to use biometrics within a BYOD model could be less of a yes-or-no choice and more of a case-by-case option for identity assurance, Symplified's Platt says. Regardless of who owns the device, he believes that enterprise success will depend on how well the device can tap into federated identity protocols.

"The key to unlocking this value will be the way that the consumer device providers enable federated authentication protocols -- like SAML or OAuth," he said. "Done right, this will allow carriers to provide authentication to apps and services provided by third parties, including e-commerce websites and financial services providers."

Finally, enterprises will also have to deal with what lost or stolen devices mean for the ultimate integrity and convenience of their IAM infrastructure.

"To the degree that biometrics on these devices store sensitive information, such as centralized authentication information or other passkeys associated with biometrics, this is a potential risk," says Justin Strong, senior global product marketing manager for Novell. "Beyond this, IT must deal with how to resolve people who lose devices they had come to depend upon to access everything in their daily routine."

Embracing The Opportunities
In spite of the challenges, those like Strong believe that biometrics on mobile devices open up a world of IAM opportunities within the enterprise.

"With organizations trying to make the smartphone not only our most attached possession, but also a new form of currency, biometrics probably has a critical role to play," he says.

Strong believes that on a mobile device, biometrics could reach well past simply authenticating access to email or information on the device itself and become a commonly accepted method for granting access to the far reaches of enterprise assets.

"Imagine using your smartphone to authenticate who you are, then open the door to your office," he says.

According to some, if deployed well, mobile devices could provide the means to finally offer additional identity assurance on a wide-scale basis without having to deal with the inconvenience of tokens or the flimsy security of PINs.

"I think it will open up some opportunities, especially if organizations want to provide that extra identity authentication assurance to the staff that are logging into their systems," Unisys' Potter says.

Additionally, even though BYOD does add complications to the equation, biometrics on these devices has the potential to solve one of the most nagging general issues of BYOD: containerizing and securing corporate data away from private data.

"In a BYOD environment, a user might have a different profile to access the enterprise environment and data from his or her personal device," says Shivesh Vishwanathan, senior mobility solutions architect for Persistent Systems. "Biometric authentication can become the additional security entry point to this profile and to the more secure enterprise environment."
