As part of The Cyber Hut’s anecdotal community polls, we asked: as an end user, what is your favourite biometric authentication option? The use of device-specific biometrics to unlock our Android and iPhone based devices has risen over the last 3 years, and many smartphone users will choose this over a basic PIN (albeit a PIN is likely still needed after a hard reset).
64 people responded and face recognition won – but only just, with the fingerprint only 7 percentage points behind in second. Interestingly behaviour based approaches fell considerably behind the others – finishing last with only 5%. The rise of concepts like continual authentication (see both the NIST and US DoD documents on zero trust reference architecture as they mention concepts such as continual authentication many times) would potentially require ideas such as movement monitoring.
I still think there are some disagreements in the industry around what continual authentication actually means – alas, the use of post-biometric-login movement and handling analysis could provide continual verification of the session binding process. So for example a local biometric event unlocks access to a private key in order to complete a FIDO/FIDO2/WebAuthn style interaction. So what happens post authentication? (This is a question I answer in the recently released Authentication Design and Management course actually.) Typically a session or perhaps an access token is issued back to the mobile device. Then what? Well, that token or cookie is presented to another service in order to gain access. It’s typically during this stage that the behaviour or movement aspect comes in – perhaps with the device SDK generating a risk score pertaining to observed changes in movement – which is presented to downstream services asking for cookies or access tokens?
Alas, this is just a rough sketch and there are lots of issues with the above, but the continual aspect can’t, for example, continually ask for a biometric.
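To make the sketch concrete, here is an added example (my own illustration, not code from the original post or from any vendor SDK) of the post-authentication stage described above: a session is issued only after a FIDO/WebAuthn assertion verifies, the device SDK then feeds movement risk scores into that session, and a downstream service decides per request whether to allow, demand a fresh biometric (step-up), or revoke. The threshold values, the 0.0 to 1.0 risk scale, the exponential smoothing and the in-memory session store are all assumptions chosen for the example; the point is that the behavioural signal gates the existing session rather than re-prompting for a biometric on every request.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed server-side signing key for this example only; a real deployment
# would hold this in an HSM or KMS, never in source.
SERVER_KEY = b"example-only-session-signing-key"

# Policy knobs (assumed values, not taken from the original post).
SESSION_TTL_SECONDS = 900   # hard lifetime of a session token
STEP_UP_RISK = 0.6          # running risk at which a fresh biometric is required
DENY_RISK = 0.9             # running risk at which the session is revoked outright


@dataclass
class Session:
    subject: str
    device_id: str
    issued_at: float
    risk: float = 0.0   # exponentially weighted average of the SDK's movement risk


SESSIONS: dict[str, Session] = {}   # hypothetical in-memory session store


def _sign(subject: str, device_id: str, issued_at: float, nonce: str) -> str:
    msg = f"{subject}|{device_id}|{issued_at}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _token_valid(token: str, s: Session) -> bool:
    nonce, sig = token.split(".", 1)
    return hmac.compare_digest(sig, _sign(s.subject, s.device_id, s.issued_at, nonce))


def issue_session(subject: str, device_id: str, assertion_ok: bool, now=None) -> str:
    """Called once, right after the WebAuthn assertion has been verified.
    The local biometric never reaches the server; only the assertion result does."""
    if not assertion_ok:
        raise PermissionError("assertion failed; no session issued")
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{_sign(subject, device_id, now, nonce)}"
    SESSIONS[token] = Session(subject, device_id, now)
    return token


def report_risk(token: str, observed_risk: float, alpha: float = 0.5) -> float:
    """Fold a new movement/handling risk score (0.0 .. 1.0) from the device SDK
    into the session's running estimate. Smoothing means one noisy sample does
    not trigger step-up, but a sustained change in handling does."""
    s = SESSIONS[token]
    s.risk = (1 - alpha) * s.risk + alpha * observed_risk
    return s.risk


def authorize(token: str, now=None) -> str:
    """Downstream service decision on a presented token:
    'allow', 'step_up' (fresh biometric needed) or 'deny'."""
    now = time.time() if now is None else now
    s = SESSIONS.get(token)
    if s is None or not _token_valid(token, s):
        return "deny"
    if now - s.issued_at > SESSION_TTL_SECONDS or s.risk >= DENY_RISK:
        SESSIONS.pop(token, None)   # expired or too risky: revoke, do not step up
        return "deny"
    if s.risk >= STEP_UP_RISK:
        return "step_up"
    return "allow"


def step_up(token: str, assertion_ok: bool) -> str:
    """A fresh local biometric unlocked the key and produced a new assertion:
    reset the behavioural risk on the existing session instead of minting a new one."""
    if not assertion_ok:
        SESSIONS.pop(token, None)
        return "deny"
    SESSIONS[token].risk = 0.0
    return "allow"


if __name__ == "__main__":
    tok = issue_session("alice", "phone-1", assertion_ok=True)
    for sample in (0.2, 0.2, 1.0, 1.0):   # constructed SDK risk samples
        print(f"risk={report_risk(tok, sample):.4f} -> {authorize(tok)}")
    print("after step-up:", step_up(tok, assertion_ok=True), authorize(tok))
```

Run stand-alone it prints the decision after each constructed risk sample: two low samples and even a single spike stay on "allow", a second consecutive spike crosses the step-up threshold, and a successful step-up returns the session to "allow" without a new login.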
Anyway, movement checks clearly aren’t in favour for respondents to this poll.
It seems face recognition is currently in vogue. A few comments though. Certainly you need to look at your device to interact with it – which makes it incredibly convenient as a means to unlock. However there are examples of the unlocking aspect also interfering with the application interaction – for example “I only meant to check the notification, not unlock/approve/accept”. The act of “looking” at the device clearly doesn’t require any further affirmative action – unlike a fingerprint, which can be introduced more as a deliberate step in a particular acknowledge-accept-continue style flow.
The familiar use of facial imagery also helps with the growing popularity of identity based authentication. Raised by vendors such as 1Kosmos and Keyless amongst others, this concept links together the role of authentication with a strong level of identity assurance (aka NIST 800-63 IAL). The identity assurance level is increased by virtue of binding a government issued document (say a passport or driving licence) with a recent selfie image – along with a liveness check. This live image is corroborated against the image in the document to help define assurance attributes of the identity. The use of facial authentication will clearly help with awareness and the subsequent flows involved with enrolment and usage.