A Logical Defense Against Attacks on Mobile Devices

When it comes to mobile security, pairing biometrics with device authentication is a logical defense against attacks.

• By Michael Lynch
• Aug 28, 2017

As increasing numbers of businesses and consumers alike rely on mobile devices to engage and transact, exchanging sensitive financial and personally-identifiable information (PII) along the way, it has become imperative that new approaches to mobile security be deployed.

There are nearly daily headlines about security breaches at some of the world’s top firms. Long the norm for years, simple username and password protocols for authenticating users are no longer enough for mitigating financial and reputational damage due to fraud.

Many financial institutions, payment service providers (PSPs), retailers and other enterprises looking to leverage the mobile channel to increase customer engagement already realize the inherent weakness of usernames and passwords and are beginning to investigate superior means of authentication. Yet they are also concerned about inconveniencing customers. Businesses of all types are recognizing the benefits of a multi-layered approach to mobile security including the latest biometric and device authentication measures to reduce friction, improve the customer experience and still create a strong defensive posture against attacks.

The Problem with Passwords

Passwords have been considered problematic within the information security community for a decade. According to a study by KeeperSecurity, the most popular password in 2016 was 123456, with the word “password” in the top 10. In addition to guessing, fraudsters can steal passwords through phishing, keylogging and network interception.

The reason for simplistic passwords and password recycling (using the same or slightly varied password across different sites) is consumer frustration with forgetting their passcodes. As mobile and online adoption continues to increase, organizations have begun to embrace fingerprint biometrics as a way to reduce password fatigue, eliminate the headaches involved in dealing with stolen credentials, and to reduce friction along the transaction lifecycle.

Fingerprints: Leading the Biometrics Revolution

Biometrics are typically broken into two distinctive categories, physiological and behavioral. Physiological characteristics include fingerprints, DNA, irises, faces, and even odor. Behavioral characteristics include typing rhythm, gait and voice.

First out of the gate to the mass market has been fingerprints. According to a study by Juniper Research, fingerprints are the most common form of biometric authentication – and consumers like it.  Research by Gigya showed that 80 percent preferred biometrics and perceived them as more secure than usernames and passwords, which they, of course, are. Gigya also found that nearly half of the millennial respondents used one or more forms of biometric authentication. Fingerprint scanning was by far the most used at 38 percent, with voice recognition at 15 percent, facial recognition at 11 percent, and iris scanning at 5 percent.

Fingerprints are popular with consumers because they are convenient.  Other forms of biometric authentication, such as attempting voice recognition by speaking into a phone in a noisy or public environment, for example, are not always convenient or easy, but using a thumbprint is both quiet and inconspicuous.

User authentication via fingerprints solves customer frustration and strengthens security simultaneously, but fingerprint authentication alone is not the silver bullet for mitigating fraud.

Device Authentication: The One-Two Punch

Deploying one layer of biometric authentication may not be enough to secure mobile transactions, however. Biometrics fulfill the “something you are” component of multi-factor authentication (MFA), and while deploying more than one mode of biometric authentication can fulfill MFA requirements, to strengthen authentication further, organizations should also employ “something you have” or “something you know” conditions – but that can re-introduce points of friction into the transaction workflow for consumers.

The biometric login by itself only proves that the enrolled user is attempting a transaction. Unfortunately, this login gives no insight into the relative security of device itself—in other words, the environment in which the biometric is operating. The device housing the biometric data may be infected with unknown threats, such as application hooking, malware and crimeware designed to bypass the biometric or compromise the information after the biometric authentication is performed.

To truly strengthen security, exceed MFA requirements and ensure a smooth user experience, organizations need to deploy device authentication, fulfilling the “something you have” condition of MFA. When the device itself is authenticated, the environment surrounding the transaction is secured. It is only when one can fully trust the device and confirm the user’s identity that the ultimate device security weapon against fraud—a trusted security token—can be created.

Multi-Layered Security – Your Ultimate Defense

The logical conclusion in the search for the strongest form of mobile device security, then, is for organizations to employ a multi-layered approach that combines the right device authentication solution with biometrics that delivers maximum trust not only in the user, but also in the device itself.

With multi-layered digital device security in place, mobile-optimized businesses can perform device recognition and advanced fraud detection in real time to distinguish trusted users from potential fraudsters. This real-time risk assessment allows businesses to make more confident transaction decisions in a way that is most often invisible to the customer, striking a perfect balance between combating fraud, while continuing to provide a frictionless experience for trusted customers using their preferred device.