Every now and then, authentication technology rears its head in the national consciousness. Last month was such a time, with front page and headline coverage of Apple’s announcement that its two new iPhone models contain fingerprint security scanners (Telegraph: “Apple iPhone 5S and 5C: fingerprint sensor and plastic make iPhone 5 debut”). Are we finally looking at the much anticipated death knell for traditional passwords and PINs?
There can be no doubt that the introduction of biometrics to secure access to smart phones raises the bar for personal security. The technology brings the potential not only to protect access to the phone and the apps directly associated with it, but also to open up the prospect of strong authentication to a plethora of third party services accessed from the phone, from a regular PC or even in person, such as home banking, e-commerce and in-store purchases. In the context of BYOD, strong (free) authentication could elevate the phone to a corporate ally rather than a threat.
However, before we all get too excited, we should remember that security is about swords and shields. Bigger shields lead to bigger swords. While we’ve all been waiting for stronger authentication technologies to hit the mass market, the industry has been forced to deal with smarter and more determined attackers. To date, we’ve been constrained by the relative weakness of passwords - not a particularly impressive shield. As a result there has been a huge investment in behavioural analytics and risk based authentication, layering on other defences that strengthen the overall picture. This approach acknowledges that strong authentication is about identifying a person in the context of what they are trying to do, not just proving the validity of the token they are holding. Of course, the more sensitive the information to which they are trying to gain access, the more stringent the access controls will be.
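The layered, context-aware decision described above can be made concrete with a small policy engine. This is an added illustration, not code from the original article or any vendor: a request carries the factor already proved plus context signals, a constructed risk score raises the factor strength the resource demands, and the engine answers allow, step up (ask for a stronger factor such as a fingerprint) or deny. All signal names, weights and thresholds are assumptions.

```python
"""Risk-based step-up authentication, as sketched in the article above.
Added illustration, not the article's or any vendor's code; all signal
names, weights and thresholds are constructed assumptions."""
from dataclasses import dataclass

# Baseline factor strength a resource demands when nothing looks unusual:
# 0 = session only, 1 = PIN/password, 2 = biometric or other second factor.
BASELINE = {"public": 0, "home_banking": 1, "checkout": 2}
# Strength of the factor the client has already proved in this session.
FACTOR_STRENGTH = {"none": 0, "pin": 1, "password": 1, "fingerprint": 2}
STEP_UP_THRESHOLD = 2  # constructed: this many risk points raises the bar
DENY_THRESHOLD = 5     # constructed: this many risk points blocks outright

@dataclass
class Request:
    resource: str
    factor: str
    device_known: bool        # device enrolled for this user before
    location_usual: bool      # consistent with the user's location history
    failed_attempts: int = 0  # recent failed authentications on the account
    odd_hours: bool = False   # outside the user's normal activity window

def risk_score(req: Request) -> int:
    """Additive score from context signals; higher is more suspicious."""
    score = 0 if req.device_known else 2
    score += 0 if req.location_usual else 2
    score += 1 if req.odd_hours else 0
    score += min(req.failed_attempts, 3)  # capped so one signal cannot dominate
    return score

def required_strength(req: Request) -> int:
    """Sensitivity sets the bar; unusual context raises it one notch."""
    needed = BASELINE[req.resource]
    if risk_score(req) >= STEP_UP_THRESHOLD:
        needed += 1
    return min(needed, 2)  # 2 is the strongest factor modelled here

def decide(req: Request) -> str:
    """Return 'allow', 'step_up' (ask for a stronger factor) or 'deny'."""
    if risk_score(req) >= DENY_THRESHOLD:
        return "deny"  # too many anomalies: refuse and raise an alert
    if FACTOR_STRENGTH[req.factor] >= required_strength(req):
        return "allow"
    return "step_up"
```

Note that the context signals (device history, location, activity pattern) are themselves the personal data the next paragraph warns about, so the store the engine reads from needs the same protection as the credentials.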
The introduction of context into the authentication decision raises some interesting issues about data protection. Behavioural data, preferences, location, role and entitlements are all rich pickings: they have value for attacking other systems and provide useful input into social engineering attacks. All this data needs protecting, and the decision processes that access it must themselves be locked down.
Today’s password authentication systems have shown themselves to be rather poor at protecting the passwords they rely on. In more sophisticated adaptive authentication schemes, the burden of data protection will be greater still and the arrival of biometrics will raise the bar even higher for back-end security.