Two-factor authentication: Mobile security at your fingertips

Two-factor authentication -- the security process that requires two means of identification, one of which is usually a physical token such as a fingerprint, the other typically being a password -- is more complex than using just one authentication method, but it's a lot more secure. In this tip, Craig Mathias describes why fingerprint recognition is the key to really effective security for essentially all mobile applications.

Farpoint Group has for a very long time now advocated the use of two-factor authentication in all mobile IT applications

(and, for that matter, in all fixed applications as well). Authentication is the proving of a user's identity to the device, data, network, and applications desired, and, ideally, those resources proving they are authentic as well, this being known as mutual authentication. Two-factor authentication involves, well, two factors -- typically something you know, like a password or personal identity number (PIN) code, and something you have, like a hardware token that might be a synchronized password generator or a USB device or smartcard. The two-factor approach is a little more complex than those implementations using just one -- but it's a lot more secure. And a good authentication technique can be used to drive a good encryption implementation as well, so two-factor authentication serves as the basis of a complete security solution -- again, mobile or not.

The second factor can, however, also be something you are -- welcome to a very practical application of biometrics. And the most accessible and reliable biometric element is -- you guessed it -- the fingerprint. Fingerprints, of course, are best known as that staple of crime labs and many criminal forensic investigations, but the rise of small, inexpensive and accurate fingerprint scanners that integrate easily into handsets and similar devices opens a door to a very simple two-factor authentication solution. Swipe a finger and you have easy access to devices, data, networks, IT resources, and data, with authentication and encryption all driven by that simple act. I don't think a security solution can get more convenient -- nothing else to buy and nothing to lose -- and it gets even more flexible than that.

After all, almost everyone has 10 fingers, meaning that 10 different "commands" can literally be right at one's fingertips. You might use one to access the device (with perhaps no PIN code required); another to initiate a particular transaction, such as accessing a banking or financial service; and a third to send an email or IM. The fingerprint sensor itself can be coupled with device navigation functions, and haptics (force feedback, such as vibration) can also be coupled in to complete a very robust user interface indeed. By the way, standards do exist in this space, meaning that solutions are easy to develop and are, to a great degree, portable.

Fingerprint scanners have already been integrated into a good number of handsets, but many of these are available only internationally at present. I think, though, that the ever-growing emphasis on mobile and wireless security will continue to build demand for effective, convenient mobile security solutions, and that's precisely what's enabled via fingerprint recognition. I expect, in fact, that fingerprint recognition may very well become the most popular security (and beyond, as I noted above) solution for mobile devices of all forms.

You can read much more about this in Farpoint Group's latest research paper, The Broad Reach of Biometrics: Fingerprint Recognition and Mobile Security. And think about this: If we couple a fingerprint, a particular handset, and a PIN code or password as required elements for access, we actually have, cheaply and conveniently, three-factor authentication. I think you'd be hard-pressed to find greater security even in government applications. So although there will never be such a thing as absolute security, fingerprint recognition is the key to really effective security for essentially all mobile applications, now and in the future.

Craig Mathias
 

About the author: Craig Mathias is a principal with Farpoint Group, an advisory firm based in Ashland, Mass., specializing in wireless networking and mobile computing. The firm works with manufacturers, enterprises, carriers, government, and the financial community on all aspects of wireless and mobile. He can be reached at craig@farpointgroup.com.

This was first published in December 2008

Dig deeper on Mobile data protection and authentication software

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchEnterpriseDesktop

SearchVirtualDesktop

SearchVMware

SearchCIO

SearchSecurity

Close