Farpoint Group Technical Note — November 2008
No matter what the IT application, the requirement for strong, reliable authentication and encryption has reached the forefront of the information and network security debate. Authentication, of course, is the user proving his or her identity to the network and the information resources hosted thereon, and, along with encryption, authorization (tying individual users to the specific capabilities they are allowed) and accounting, it forms the backbone of an effective network and information security strategy. But IT security solutions must be reliable without being expensive or complex, and hence the debate about how best to implement the authentication function, especially on mobile devices.
Farpoint Group has long advocated the use of two-factor authentication in essentially all enterprise (and certainly government) settings without regard to the size of the organization. We’d also suggest, even for consumer applications, that two-factor authentication is about to emerge as a core requirement across the board – it’s that important. By way of definition, two-factor authentication is best described as “something you have plus something you know”, thus the two factors. The “something you know” is most commonly a password or personal identity number (PIN code). Properly chosen so as to be non-obvious, and thus otherwise unrelated to a specific user and not subject to a dictionary attack (literally, attempting to break the secured system with words from a dictionary), passwords are a good start and will likely be with us for some time. To this point, the “something you have” has usually been a hardware token of some form, perhaps a smart card, synchronized password generator, or USB key. But, as we shall explore below, the “something you have” is not commonly found in most security solutions, because these items have traditionally been expensive and the resulting solution often complex.
Hence an obvious drawback with two-factor solutions: they involve an additional component which may have significant associated expense, may be inconvenient to use, and which is subject to loss, damage, theft (and consequential misuse), and failure, all usually at the worst possible time. This state of affairs has motivated the use of biometric security solutions, or something you are, literally using unique features of the user’s body as the second factor. These have taken the form of facial recognition, using the built-in camera in many mobile computers and other subscriber units today, and exotic (and expensive) solutions like retinal scanners. As we will discuss below, bioidentity is, we believe, the key to secure mobile computing and communications going forward. But minimizing cost, complexity, and potential inconvenience must be paramount in any solution that is to have any likelihood of wide adoption and thus market success.
By far the most promising of any biometric technique is the use of a contemporary approach to a relatively ancient technology – fingerprint recognition. Dating to prehistoric times, fingerprints have been used for authentication and identification purposes, most commonly in criminal matters. Modern computer-based recognition techniques can have a false accept rate (FAR) of as low as 0.001%, and a false reject rate (FRR) of as low as 0.5%, meaning that it is very, very unlikely that two people attempting to authenticate through modern fingerprint recognition technology (especially using the same scanner) will be identified as the same person or that an authorized user will be locked out due to problems with a specific fingerprint scan. With the significant reductions in cost-to-solution seen in recent years, enabling installation in cell phones and similar devices, fingerprint recognition will become, we believe, the preemi-
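The FAR and FRR figures above are properties of a decision threshold applied to matcher scores, and they trade off against each other. The following is an added example, not code from the Farpoint Group note or any fingerprint vendor; the matcher scores are constructed for illustration, and it also shows how many impostor comparisons an evaluation needs before a FAR as low as 0.001% is even observable.

```python
"""FAR/FRR arithmetic for a threshold-based biometric matcher (added example)."""
from dataclasses import dataclass

# Constructed matcher scores (higher = stronger match). In a real evaluation,
# genuine scores come from comparing a user's probe to that user's own enrolled
# template; impostor scores come from comparing it to other users' templates.
GENUINE_SCORES = [92, 88, 95, 79, 97, 90, 61, 93, 86, 99]
IMPOSTOR_SCORES = [12, 35, 48, 22, 57, 30, 41, 66, 19, 27]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    far: float  # fraction of impostor attempts wrongly accepted
    frr: float  # fraction of genuine attempts wrongly rejected


def error_rates(threshold, genuine, impostor):
    """FAR and FRR of the rule 'accept if score >= threshold'."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return ErrorRates(threshold, far, frr)


def threshold_for_far(target_far, genuine, impostor):
    """Lowest threshold (hence lowest FRR) whose FAR does not exceed target_far.

    Raising the threshold lowers FAR but raises FRR; this picks the point on
    that trade-off that just meets the FAR requirement. Returns None if no
    threshold in the observed score range meets it."""
    for t in sorted(set(genuine) | set(impostor)):
        rates = error_rates(t, genuine, impostor)
        if rates.far <= target_far:
            return rates
    return None


def expected_false_accepts(far, impostor_attempts):
    """Expected number of wrongly accepted attempts over impostor_attempts trials."""
    return far * impostor_attempts


def min_impostor_trials(far):
    """Smallest impostor-comparison count at which one false accept is expected;
    below this an evaluation cannot distinguish the claimed FAR from zero."""
    return round(1 / far)


if __name__ == "__main__":
    print(threshold_for_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES))
    print(min_impostor_trials(0.00001))  # the 0.001% FAR quoted in the note
```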
Fingerprint Recognition and Mobile Security