If an employee used his index finger to open a door at one company and then changed jobs would his new employer be happy for him to use the same finger to access the door to his new office? Of course, there are other forms of authentication such as voice verification and facial recognition and all are potentially a good fit for smart phones. However, these technologies are even further away from mainstream adoption than fingerprint authentication and face the same basic challenges – on the whole, authentication that is based solely on ‘things you have’ rather than ‘things you know’ can be somewhat limiting and inflexible.
The last – and possibly the most pertinent – issue with biometrics is that, like everything else, it can be hacked. The movies have us focus on the biometric sensors themselves and how they can be fooled by lifted fingerprints or even severed fingers but the reality is more mundane. Authentication and authorization decisions are taken on or at least pass through the phone, many of which are relatively open and can be easily compromised – why fake the fingerprint when you can just fix the decision. Stories of biometric cracking as has already happened in the case of the new iPhone and no-doubt there are more to come.
Of course, even if biometrics does succeed in delivering incremental security that is easy to use and holds up adequate defences, it will be of little use if it remains a closed technology, solely for the use of the phone manufacturer. We will only really see this innovative authentication method taking over the mass market if pioneers like Apple or Android open it up so that app developers and the organisations that approve the use of mobile devices can take full advantage of it.
So far I’d focused on the biometric technologies but it’s vitally important to not lose sight that authentication and authorisation are processes and that the scope of those processes are always changing. One of the current trends in this space is a shift to a more dynamic approach. In many situations merely presenting a credential to gain access needs to be augmented with adaptive secondary controls. Risk based systems can enable additional security levels to kick in as and when needed.
This is where behavioural analytics will play an increasingly important role, allowing factors such as the type and volume of data being accessed to prompt additional authentication stages and assessment of the time of day and location to be matched against an employee’s ‘normal’ behaviour to detect any discrepancies.
This type of analytics has been used in the online payments arena for years will likely be applied to a much broader set of enterprise situations in the future. There will also be an increasing use of more sophisticated attribute-based controls where authorisation decisions focus more on the user context than the use themselves. For example, a hospital A&E ward may allow access based on attributes such as a ‘nurse with burns expertise’ rather than to ‘Susan’ or a ‘nurse’ in general.