Once the domain of high government officials or James Bond flicks, biometric identification is now commonplace for almost anyone who owns a recent smartphone. Fingerprints and facial recognition software are regularly used to unlock phones and fill in passwords. But this sort of technology has an even more sophisticated future—both inside and outside of mobile security.
The mobile experience
Most mobile apps keep consumers perpetually logged in as a means of maintaining a seamless and efficient user experience.
Authentication happens once when the user registers the mobile app or connects it to an existing online account like Facebook or Google.
This strategy may facilitate a frictionless UX, but it is not the best option for safeguarding personal data.
Games and other low-risk platforms are able to get away with this option, while apps containing more sensitive data, such as financial information, cannot afford an easily exposed environment. Often, banking applications provide customers with biometric logins instead — streamlining the experience while still requiring users to unlock their account every time.
Some applications like Venmo offer PIN and fingerprint authorization features, though they never prompt users to enable them.
Venmo’s PIN and fingerprint enablement screen.
In this case, the company appears to be choosing a smooth UX over maximum security — leaving users logged in 100% of the time by default rather than requiring biometric identification. Given Venmo’s financial nature, this is a controversial choice. Some may argue that they have put the onus of protecting important information in the hands of the user rather than proactively reducing risk.
More security-conscious mobile apps employ a clever system using biometrics to appear password-less.
The customer logs in to the app using their fingerprint or Face ID, which is authenticated by the backend and tied to a mobile keychain containing their password. When the biometric authentication succeeds, the app sends that stored password to the backend, which grants the user access to their account.
The biometric component is just a simpler sign-in experience without needing to type the password every time. It’s easy for users because they only need to scan their fingerprint to complete the process. This convenience, more than the security benefits, has driven most mobile apps to adopt this approach.
A banking app warns a user that their credentials will be stored on their phone.
Bringing biometrics to the desktop
While the use of biometric access is becoming commonplace in mobile apps, it is hardly ever seen for websites. Security-sensitive companies tend to rely on two-factor authentication (2FA) instead. This forces the customer to enter their mobile number on a website and then type in a passcode sent via SMS to their phone, creating significant friction.
The use of biometrics on websites and in desktop apps is still in its nascent stages and, unfortunately, needs further technological advancement to become truly seamless.
The FIDO (Fast IDentity Online) Alliance — a non-profit seeking to standardize security and authentication processes—recommends a biometric log-on method without the transmission of any secret credentials to the backend. Thus, the ubiquitous mobile phone can use its biometric technology to be the authenticating device for website logins.
With FIDO2 becoming a W3C (World Wide Web Consortium) standard, the latest browsers can request biometric authentication of users, paving the way for websites to increasingly offer this experience to their customers in the near future, as it provides both excellent user convenience and added security.
The future of biometric adoption
After desktop, the next frontier for biometrics will be kiosks, ATMs and IoT devices. Like the website example, these devices can identify users through biometric authentication that is pushed as a notification to their mobile phones.
Imagine using an ATM where you don’t need your debit card. Instead, the smartphone registered on your account would receive a notification to scan your fingerprint or iris to process a transaction.
The phases of adoption of biometrics in mobile, websites and IoT devices.
While most companies are still developing a strategy, there is no doubt that the ease and added security will propel biometrics to the forefront of identification and authentication. As technology grows in sophistication, it will only become more prevalent.
The gadgets built for James Bond may only exist in Q’s lab, but reality is catching up to fiction in the field of biometrics. The application of this technology has already changed our day-to-day lives, even if the most common scenario involves saving countless hours resetting passwords rather than saving lives.
But, if someone really wanted to build a secret lair accessible only by retinal scan, they totally could.