This is beyond amazing. So far this month, three different issues with mobile biometric authenticators have come to light: during the first three weeks of October, flaws were found in three different biometric authenticators, each on a different device. Three issues, three authenticators, three devices, three weeks. Sorry to be so repetitive, but it bears repeating because it is astonishing.
In turn, this is my third blog this month discussing the impact of mobile authentication bugs. I think it is fair to say that how we deal with authenticator bugs needs to be seriously reconsidered.
The most recent flaw is in the Google Pixel 4's face biometric authenticator, which verifies users even when their eyes are closed. This does not mean that anyone can bypass the authentication; the attacker still needs the owner's face. But it does mean that someone who holds the phone up to a sleeping Pixel 4 owner can unlock the device. The primary concern is a nefarious family member, but the same thing can happen anywhere an owner falls asleep with the phone nearby, as sometimes happens on public transportation.
This particular bug is not as impactful as the bugs in my previous "bug" blogs, but it is an indicator of something deeper. The previous two blogs on mobile biometric bugs (the iOS Touch ID bug and the Galaxy S10 fingerprint reader bug) focused on why organizations need a more agile authentication architecture in order to react to newly discovered flaws of this kind. That message is certainly pertinent to this latest finding, but let's change focus a bit and discuss a more general issue that most authentication approaches in use today do not seem to consider.
While many companies are leveraging the power of biometric authentication, what is being lost is that each authenticator on each device does not perform the same. Face authenticators differ in false accept rate, in resistance to spoofing and in the liveness and attention checks they apply (the eyes-closed unlock is exactly a gap in such a check), so Apple's Face ID, generally considered one of the best face biometric authenticators on the market, will likely warrant a different level of trust than face biometric solutions on other devices. The problem is that most companies treat all face biometric authenticators the same across all devices, as though "face" were a single uniform factor.
As more devices and more hardware-backed biometric capabilities are rolled out, the performance gap between authenticators will likely get wider. Authentication trust levels must therefore be assigned per authenticator, on a per-device basis, and then compared against the level of assurance required for what the user is trying to do. Only then can a company accurately determine whether the authentication already performed is sufficient or whether more authentication is necessary.
Face authentication is definitely convenient, but it may not be sufficient for some high-risk activities. You might allow it for most of the activities a user typically performs, while also identifying the higher-risk activities for which a specific face authenticator, or any other single authenticator, is not sufficient by itself. Likewise, you may determine that face authentication from one provider is sufficient for a given transaction based on its assigned trust level, whereas face authentication from a different provider is insufficient for that same transaction.
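As an added example that is not part of the original post and not Transmit Security's product logic, the policy below shows the shape of what the preceding paragraphs describe: trust is assigned per (vendor, authenticator) pair rather than per authenticator type, each action carries a required assurance level, and when a flaw such as the Pixel 4 eyes-closed unlock is published, only that one authenticator on that one device is downgraded, which turns a previously allowed high-risk action into a step-up without touching the application. The vendor and authenticator names, the assurance levels, the action tiers and the factor-combination rule are all assumptions chosen for illustration, not measured figures.

```python
"""Per-authenticator trust policy with step-up decisions.

Hypothetical example: authenticator names, trust levels, action tiers and
the combination rule are assumptions for illustration, not measured data.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Trust is keyed by (vendor, authenticator), not by authenticator type alone,
# so a face biometric on one device can rate differently from another.
# The category lets the combination rule recognise independent factor types.
AUTHENTICATORS = {
    ("apple", "face_id"): ("inherence", Assurance.HIGH),
    ("google", "pixel4_face"): ("inherence", Assurance.HIGH),
    ("samsung", "s10_fingerprint"): ("inherence", Assurance.HIGH),
    ("any", "password"): ("knowledge", Assurance.MEDIUM),
    ("any", "otp_app"): ("possession", Assurance.MEDIUM),
}

# Minimum assurance each action requires (assumed tiers).
ACTIONS = {
    "view_balance": Assurance.LOW,
    "pay_known_payee": Assurance.MEDIUM,
    "add_payee": Assurance.HIGH,
}


@dataclass
class Policy:
    authenticators: dict
    actions: dict
    # Downgrades applied when a flaw is published. Kept apart from the
    # baseline table so the change is easy to audit and to revert later.
    overrides: dict = field(default_factory=dict)

    def lookup(self, vendor, name):
        """Return (category, trust) for an authenticator, honouring overrides."""
        for key in ((vendor, name), ("any", name)):
            if key in self.authenticators:
                category, trust = self.authenticators[key]
                return category, self.overrides.get(key, trust)
        return "unknown", Assurance.NONE  # unknown authenticators earn nothing

    def downgrade(self, vendor, name, level):
        """Lower the trust of one authenticator on one device; no app change."""
        self.overrides[(vendor, name)] = Assurance(level)

    def achieved(self, factors):
        """Combine the presented factors into one assurance level.

        Assumed rule: take the strongest factor; if factors of two or more
        different categories are present, credit one extra level (cap HIGH).
        """
        ranked = [self.lookup(v, n) for v, n in factors]
        levels = [t for _, t in ranked if t > Assurance.NONE]
        if not levels:
            return Assurance.NONE
        best = max(levels)
        categories = {c for c, t in ranked if t > Assurance.NONE}
        if len(categories) >= 2:
            best = Assurance(min(best + 1, Assurance.HIGH))
        return best

    def decide(self, action, factors):
        """Return 'allow' or 'step_up' for an action given the factors presented."""
        need = self.actions[action]
        have = self.achieved(factors)
        return "allow" if have >= need else "step_up"


def demo():
    """Walk the Pixel 4 scenario: trusted, then downgraded, then stepped up."""
    policy = Policy(dict(AUTHENTICATORS), dict(ACTIONS))
    pixel_face = [("google", "pixel4_face")]
    before = policy.decide("add_payee", pixel_face)        # allow
    # The eyes-closed finding is published: lower only this authenticator.
    policy.downgrade("google", "pixel4_face", Assurance.MEDIUM)
    after = policy.decide("add_payee", pixel_face)         # step_up
    low_risk = policy.decide("pay_known_payee", pixel_face)  # still allow
    stepped_up = policy.decide("add_payee", pixel_face + [("any", "otp_app")])
    apple = policy.decide("add_payee", [("apple", "face_id")])  # unaffected
    return before, after, low_risk, stepped_up, apple


if __name__ == "__main__":
    print(demo())
```

The point of the `overrides` table is operational: the day a flaw is announced, the one affected (vendor, authenticator) entry is lowered and every action whose required level it no longer meets starts prompting for a second factor, while unaffected authenticators and lower-risk actions are untouched. An unrecognised authenticator contributes no assurance at all, so a new device type defaults to the conservative outcome until someone assigns it a level.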
The only way to accomplish this, and to keep it current as new flaws surface, is through agility. Transmit provides that agility by decoupling the authentication process from the application, so that identity-related changes such as lowering the trust level of a specific authenticator can be made quickly and simply without touching application code. As the Samsung and Apple bugs showed, things do change quickly.
If you want to learn how you can always stay ahead of the inevitable bugs in any operating system and have the flexibility to instantly modify trust levels associated with the broad range of authenticators being used, contact Transmit Security now.