
BIO-key Blog

Read below for news, insights, and discussion on identity and access management.

Supporting Mobile App Biometric Authentication: BIO-key MobileAuth

by BIO-key Team


If you have a smartphone, you bring it everywhere with you: to work, to social gatherings, and even around your home. As the smartphone evolved, it began to play a bigger role in everyday life, serving as far more than simply a device to make calls and send texts. Today, in tandem with advances in the cybersecurity world, our phones are also authentication devices that facilitate the multi-factor authentication process.

We are, however, still in the early stages of mobile app authentication. Traditional mobile authenticators cannot verify you as the user with 100% accuracy, and device-based biometrics - such as Apple Face ID or Touch ID - only verify the credentials for an approved device, not the actual identity of the person taking action. Furthermore, since most mobile authenticators use one-time passcodes (OTPs), there is a chance for threat actors to intercept a passcode and attempt to authenticate with it.

Insider threats can also be a concern, with employees either purposefully or accidentally sending confidential information to clients or customers. For example, a customer can mistakenly receive another customer's information, or employees may fall for a phishing attack. These scenarios create a need for Identity-Bound Biometrics, a powerful form of MFA that identifies users with the highest levels of integrity, security, availability, and accuracy, to be implemented in a mobile authenticator so users can verify that they are who they say they are.

Adding biometrics to a mobile authenticator is the next step in adding high-level security measures to a convenient authentication method. How do mobile authenticators enable biometric authentication?  

What's the Problem with Traditional Mobile Authenticators?  

Mobile authenticators are being used as part of the multi-factor authentication process because of their ease of use and security. Most users logging into a service tend to have their smartphone on hand, so accessing their second form of authentication is a convenient option. Additionally, because the original user will most likely have their device at the time of login, this process becomes more secure than relying on a single-factor method of authentication.

As with many logins that use MFA today, after a user successfully enters their username and password, they're required to enter the 6-digit code from their mobile authenticator application. Common mobile authenticator applications like Google Authenticator or Microsoft Authenticator send a 6-digit one-time passcode (OTP) to the user's phone, which is used as the second factor in the multi-factor authentication process.

Biometrics can play a role after the first step in the login process. Instead of entering a 6-digit code from a mobile authenticator, users scan their palm or their face to securely authenticate themselves, and the login process is complete.

While mobile authenticators are easy to use and are especially handy, there are instances today where threat actors can steal a phone or obtain the one-time passcode - meaning they take control of the user authentication process.  

With biometric verification embedded in the mobile authenticator, it's almost impossible for these scenarios to occur. How do you combine the convenience of using a mobile phone with the security to safeguard access to critical data? Keep reading to learn about our one-of-a-kind solution: BIO-key MobileAuth.  

What is BIO-key MobileAuth?  

BIO-key MobileAuth is a multi-factor authentication app that brings the power of Identity-Bound Biometrics (IBB) to any mobile device, helping to lower costs and provide greater levels of security and flexibility compared to traditional MFA methods.  

What Authentication Methods Does BIO-key MobileAuth Offer?  

Authentication methods fall under one of three categories - "who you are" like Identity-Bound Biometrics, "what you have" like a hardware token or a device-based biometric, and "what you know" like remembering a password. MobileAuth falls under the category that verifies "who you are," which verifies the actual person taking action. Unlike passwords or physical tokens, IBB cannot be forgotten, shared, stolen or forged.  

MobileAuth secures access to critical data with Identity-Bound Biometrics using either facial recognition (FacePositive) or palm scanning (PalmPositive).  

MobileAuth can also utilize the device-embedded biometric options that are already integrated into a user's phone like Apple TouchID or FaceID, or Android Biometrics. Users can additionally opt for the Push Token method, which simplifies the authentication process by verifying the user with a "confirm/deny" notification from their phone's home screen. While this option does not use Identity-Bound Biometrics, our ultimate goal is to provide a secure, flexible security solution for a wide range of use cases - and the Push Token functionality is a key part of achieving that goal.

Stronger Security  

For one, MobileAuth has increased security levels due to its better encryption and session management. Because it's embedded with IBB, MobileAuth authenticates you, the user, not the device you're using. This eliminates the concern of a single point of failure, which, in turn, significantly reduces your vulnerability to a cyber attack. You may be asking, "How can MobileAuth accurately identify the correct, authorized user?" It has built-in liveness detection that prevents imposters from using photos of your palm or fake models of your hand. Unlike other modalities, Identity-Bound Biometrics cannot be forgotten, shared, exchanged, stolen, or forged, because you and your biometric data are the credentials. That means no one can log in for you, or as you.

Reduced Cost  

For many businesses, implementing a new multi-factor authentication solution may seem costly, but MobileAuth eliminates the cost that is associated with using traditional authentication methods. Organizations can download MobileAuth on their own smartphone and experience the power of Identity-Bound Biometrics. If all your users download MobileAuth, organizations have a low TCO for large-scale deployments.  

Additionally, MobileAuth requires no additional hardware, such as hardware tokens, which can be costly. Each security device has its own cost which, on its own, may not be expensive, but the cost adds up when replacement and backup tokens become necessary.

Lastly, using MobileAuth allows businesses to consolidate multiple authentication methods all under one solution. Instead of relying on many different vendors for a single method, MobileAuth hosts a variety of authentication methods under a single cost.  

Greater Flexibility  

No matter if your user is an employee, customer, or a supplier, they should have an authentication method that is secure, easy to use and fits the needs of their role in the organization.  

While all methods under MobileAuth are easy to use and are highly intuitive, those who have experience using biometrics will feel right at home using the IBB modalities like FacePositive and PalmPositive. On the other hand, users who want a faster or more convenient solution can use the Push Token option.  

When it comes to the specific method of authentication - from IBB options like FacePositive and PalmPositive to the convenient Push Token - there is something for everyone, all providing a consistent, seamless user experience across a large range of use cases.  

Experience MobileAuth  

You may need a different modality of access today - in a different place - than you did yesterday. Your team may be scattered or traveling. Your business operations cannot afford to be bound by changing external variables, and it's time security solutions acknowledge that.  

We believe that people should be the center of security, with flexible authentication options to match specific user preferences, needs and requirements. BIO-key MobileAuth offers Identity-Bound Biometrics across multiple authentication methods that verify the user with 100% accuracy. If your scenario calls for a different modality, our mobile app caters to your exact needs with Push Token and local biometrics options. No matter which authentication method you prefer, MobileAuth delivers an affordable, secure, and user-friendly experience.

We're breaking the mould of traditional authentication, creating a security solution of the utmost security integrity that's flexible enough to work for anyone. Think MobileAuth could be right for your organization? Learn more about it here. 
