Thursday, September 20, 2007

Biometrics Go Mobile: An industry whose time has come?

In recent years there have been significant advances in the solutions and technologies that provide biometric sensing. The technology is now offered by vendors to OEMs for embedding into laptops and security systems, for use by law enforcement agencies, etc. It also offers different methods of authenticating the user, based on finger-scan, iris-scan, facial-scan, voice-scan, signature-scan and more.

Introducing biometric readers into mobile phones isn't a new thing: back in 2004 Pantech's GI100 had a biometric fingerprint reader that used remote algorithms to authenticate the user. Further, there were 10 fingerprint 'stores' that would allow speed dialing to a number based on which finger was identified. Also, the phone saved no log of any phone call made from a registered signature, making it very confidential.

When it comes to mobile, it seems this industry has suffered from what many early solutions face: not enough maturity to substantiate a 'pull' for a commercial solution. In the past, for example, with voice calls and some messaging at the core of the mobile experience, there was limited motivation for theft and fraud (and hence for creating security applications).

The good news: the horizon of applications and services coming to mobile handsets has changed dramatically:
  • Protecting personal digital assets: increasingly, people will be encouraged to use the phone's computational power, connectivity and storage to turn their phone into a true 'PDA': from their complete address book, personalization of their phone and blogging about their personal life through to their credit card data, downloading (and sharing) content, and much more. They will want to protect that.
  • Protecting business digital assets: whether it is a salesperson on the road with all of his company's prospects in his phone's address book, an investor with sensitive financial data or planning in an Excel sheet, or a military or secret service agent carrying sensitive data on their PDA, (high-end) phones can now carry documents, emails, and addresses that could all be extremely sensitive. Several companies have identified the need to detect when the device is indeed lost, to secure the data once the device is lost, and then to retrieve the data. Once the device is lost, do you use the device's connectivity to connect to the operator and locate it? Do you lock down the device to guard it against remote or local hackers? A lost device is a pain.
  • Protecting e-commerce transactions: this is perhaps the most energetic change coming to mobile these days. Mobile banking, payments, promotions, loyalty, coupons, you name it. They all require an identity and security, tied to financial information and/or a transaction. It is a promise of increased transactions by connected people on the move. But it requires the audience's faith in a secure system. This is a promise that has tsunami forces driving it, and it will be very attractive to hackers.
  • Multiple user accounts or 'speed actions': as phones get more capable and more central to people's lives, people may want to set up separate 'home:work' profiles, set speed actions, and keep separate accounts, all of which can be activated in one quick fingerprint scan.
  • Device recovery: users can 'unlock' locked devices, whether they were locked intentionally or because the device got lost. Biometric authentication is a perfect solution to help the right user recover their phone and otherwise lock the phone against hackers.

Passwords on mobile are clearly a problem: if it wasn't annoying enough to memorize your bank of passwords, now try typing them on that 12-key keypad. Good luck!
From Authentec's motivation page: "Passwords, once perceived as a simple security solution, have become cumbersome, vulnerable, expensive and prone to misuse. On average, individuals have to remember 30 passwords and companies often spend $25 to $100 annually per employee to resolve password problems."

SecurePhone is one company that not only attempts to authenticate the user with biometric measures, but also looks to provide authenticity 'signing' for the content of a voice call:
"The aim is to enable users to exchange information that can't be disputed afterward. That could be a voice recording that is authenticated to eliminate any doubt about who the speaker is, what they actually said and prove that it has not been manipulated,...To achieve that it is necessary to digitally sign the data and to ensure that only the legitimate user can perform the signing."

A description of SecurePhone's solution reveals 3-level authentication that requires no hardware addition to the phone:
"The system, which is designed primarily for PDA-phones but could also be used in new generation smart phones and WiFi-enabled PDAs, offers three methods of biometric identification. One employs the (1) digital cameras that have become commonplace in mobile devices along with a face recognition application to identify the user based on their facial features. Another uses (2) voice recognition software – also detecting any asynchrony between speech and lip movements - and the third verifies the (3) handwritten signature of the user on the device's touch screen. The three methods are used in combination to enhance the overall levels of security and reliability, and most importantly they require no hardware additions to mobile devices"

The technology for biometric sensors has matured hugely and grown more sophisticated in recent years. Handset vendors can now accomplish biometric user authentication by utilizing existing components or by adding dedicated hardware sensors from vendors like Authentec and others.
The market need for robust user authentication is mature, and biometric user authentication is an ideal solution to meet it.

I think a lot will happen in this space soon; I'm going to watch this space...

1 comment:

Jen Bannan said...

Great article, Amir. There are many benefits of fingerprint biometrics integrated into cell phones:

* Fingerprint security is about the individual’s security and privacy. The more that phone has in it, including pictures, emails, contact lists and money, the more interest there is in security.
* The fingerprint information never leaves the phone and thus there is no concern with large databases of fingerprints. Even in the payment authentication mode, only an authentication code leaves the phone, similar to a digital signature.
* Today, RFID card transactions are usually limited to about $80. With the fingerprint sensor, the transaction level can increase. This benefits all the parties including the merchant, the credit card company and, most importantly, the consumer.
* No new equipment is necessary for retailers, since the consumer uses and is accustomed to his/her phone.

Best regards, Jen Bannan, Zer0 to 5ive