Biometric-based Multifactor Authentication Perfectly Blends Security and Ease of Use
By Anthony Gioeli, VP of Marketing, Biometrics Product Division, Synaptics
Many of us remember those stretch-of-the-imagination science-fiction movies and TV shows in which people were screened by facial and iris scans to access otherwise-off-limits locations. While these futuristic technologies have found success in some government and commercial applications, their use by consumers is still in its infancy. By contrast, fingerprint authentication has been readily adopted on flagship consumer smartphones and laptop PCs. And the attach rates on mainstream and budget models are rapidly increasing due to today’s wider variety of lower-cost sensors, the convenience of a password-free user experience, and the rise in mobile payments globally.
What’s next is the combination of multiple biometrics to offer even greater convenience and security. Two or more modes of biometric authentication are a critical path forward for retaining a positive human interface experience while still enabling highly secure data and transactions.
Multi-factor authentication can already be found on a few devices, but the user experience has not been perfected. Iris scanning offers excellent results but is slow and adds hardware cost. Voice recognition as a biometric is improving but is not yet ready for mobile device usage in noisy environments. Facial recognition is proven and reliable, and the necessary hardware is already on the device, whether smartphone or PC. This makes facial plus fingerprint recognition the best first step forward for multi-modal authentication.
A critical element in piecing together the solution is the multi-factor recognition algorithm. A smartphone or laptop using multi-factor biometric software, for example, can authenticate its user through a fingerprint, a facial scan by the device’s camera, or, depending on the required security needs, both. For example, a user might normally use the phone’s fingerprint reader to authorize a low-value transaction, like buying a cup of coffee, but occasionally opt for facial authentication when the environment dictates, like when wearing gloves. However, for a transaction of a more-sensitive nature – such as making a high-value purchase, accessing a personal record, or transferring money – the device can be configured to require fingerprint authentication and facial recognition to complete it.
What this means for smartphone, tablet and notebook PC makers is a path to enhancing and differentiating their products through an additional, native layer of biometric security. Those device makers have the flexibility to customize how they implement their multi-factor biometric authentication policies such as: fingerprint and face; fingerprint and optionally face; fingerprint or face.
Security can be taken a step further by implementing “trust scores” whereby the multi-factor authentication software assigns a score to the device’s security at a given moment. Each score must meet a minimum threshold before authentication succeeds, and combining the scores raises accuracy. For example, a smartphone may assign a trust score high enough to authorize that cup of coffee mentioned earlier with just a valid fingerprint scan, while authorizing a $2,500 balance transfer between financial institutions would require a higher trust score that can only be earned with a valid fingerprint and face print. But potential security applications for multi-factor biometric authentication don’t stop here. Devices can be set to time out, for example, if a fingerprint is verified but the required follow-on facial verification isn’t completed within 20 seconds.
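The trust-score policy described above, sketched as an added example (not code from the article or from Synaptics). The per-modality match floors, the trust points, the $1,000 high-value cutoff and all names are assumptions; only the 20-second window and the $2,500 transfer come from the text.

```python
from dataclasses import dataclass

# Assumed values for illustration; the article does not give any of these.
MODALITY_FLOOR = {"fingerprint": 0.90, "face": 0.85}  # minimum matcher score
MODALITY_TRUST = {"fingerprint": 60, "face": 50}      # trust points per valid match
HIGH_VALUE_USD = 1000                                 # assumed step-up cutoff
FOLLOW_ON_WINDOW_S = 20                               # from the article


@dataclass(frozen=True)
class Match:
    modality: str   # "fingerprint" or "face"
    score: float    # matcher confidence, 0..1
    at: float       # capture time in seconds (monotonic clock)


def required_trust(amount_usd: float) -> int:
    """Low-value: either biometric suffices. High-value: both are needed."""
    return 100 if amount_usd >= HIGH_VALUE_USD else 50


def trust_score(matches, now: float) -> int:
    """Sum trust over distinct modalities with a valid, fresh match."""
    accepted = set()
    for m in matches:
        floor = MODALITY_FLOOR.get(m.modality)
        if floor is None or m.score < floor:
            continue  # unknown modality or below the per-modality threshold
        if not (0 <= now - m.at <= FOLLOW_ON_WINDOW_S):
            continue  # stale (follow-on came too late) or timestamp in the future
        accepted.add(m.modality)  # a set, so repeated scans never double-count
    return sum(MODALITY_TRUST[name] for name in accepted)


def authorize(amount_usd: float, matches, now: float) -> bool:
    return trust_score(matches, now) >= required_trust(amount_usd)


if __name__ == "__main__":
    # Constructed sample inputs.
    fp = Match("fingerprint", 0.97, at=0.0)
    print("coffee, fingerprint only:", authorize(4.50, [fp], now=1.0))
    print("transfer, fingerprint only:", authorize(2500, [fp], now=1.0))
    face_ok = Match("face", 0.91, at=12.0)
    print("transfer, face after 12 s:", authorize(2500, [fp, face_ok], now=12.0))
    face_late = Match("face", 0.91, at=25.0)
    print("transfer, face after 25 s:", authorize(2500, [fp, face_late], now=25.0))
```

Counting each modality once matters: without it, two fingerprint scans would reach the high-value threshold without a face match.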
The end goal is to provide users with exceptional ease of use, convenience, and security when accessing and making transactions through their intelligent devices. Multi-factor biometric authentication doesn’t benefit just users, however. IT managers responsible for securing and maintaining employees’ company-issued devices can set, according to company policies, the biometrics-based authentication required for device log-in and network access. This eliminates the legacy user name and password security model that’s been the Achilles’ heel of cybersecurity for many organizations.
Multi-factor authentication will be central to the next-generation user authentication and device security experience, and the reasons are compelling. The number of annual transactions made via mobile devices is expected to nearly double by 2019 – to more than one trillion! You can just imagine, then, the countless instances in which users will welcome having a choice among authentication methods, along with the peace of mind from knowing transactions are all the more secure through two or more modes of biometric verification.