Last week's newsletter "RSA: Lessons learned," which was about taking another look at biometrics, drew some interesting responses. I especially liked the anonymous poster who wrote "No one can surreptitiously pick your pocket and steal your finger. Agreed. But any one can chop off your finger." Well, maybe not anyone, and you'd probably notice that it was happening (try looking up the definition of "surreptitious"!).
In looking at some older newsletters, though, I did come across another suggestion for replacing SecurID tokens -- SMS messages.
Back in the spring of 2009 I spoke with the folks from Sweden's Nordic Edge about their use of cellphones, SMS messages and one-time passwords (OTP). The idea is that someone logs in with a username/password combination, then the OTP server sends an SMS message containing a short code to their cellphone. Only by entering the code received in the SMS does the user gain access.
But how do you protect the phone?
Typically, phones are protected with PINs, usually a four-digit number. Well, if passwords are easily broken, how hard is it to brute-force a PIN? There are only 10,000 possible combinations. (Even a four-character, alpha-only password has more than 450,000 possibilities, since 26^4 = 456,976; make it alphanumeric and there are more than a million and a half, 36^4 = 1,679,616.) What keeps a four-digit PIN usable at all is not the size of its keyspace but the handset's throttling or wipe-after-N-wrong-guesses policy, and that policy is only as good as the attacker's inability to get around it. What to do, what to do.
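As an added illustration (this is example code written for this page, not anything from the newsletter or from Nordic Edge), the script below computes the guess spaces for the three policies above and then shows what actually decides the outcome of an online brute-force attack on a handset: the lockout policy. The throttle schedule (five free guesses, then a 60-second wait per guess) and the wipe-after-10 limit are constructed assumptions for the sake of the example, not any vendor's real settings.

```python
import math

# Policies named in the newsletter, as (alphabet size, length).
POLICIES = {
    "4-digit PIN": (10, 4),
    "4-char alpha only": (26, 4),
    "4-char alphanumeric": (36, 4),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets a policy allows: alphabet_size ** length."""
    return alphabet_size ** length


def expected_guesses(space: int) -> float:
    """Average number of guesses to hit a uniformly random secret: (N + 1) / 2."""
    return (space + 1) / 2


def success_probability(space: int, max_attempts: int) -> float:
    """Chance of guessing a uniformly random secret before the device wipes or
    locks permanently after max_attempts wrong guesses."""
    return min(max_attempts, space) / space


def throttled_delay(attempt: int) -> float:
    """Constructed throttle schedule (an assumption, not a real vendor policy):
    five unthrottled guesses, then a 60-second wait before every later guess."""
    return 0.0 if attempt <= 5 else 60.0


def seconds_to_guess(space: int, delay_for_attempt) -> float:
    """Wall-clock seconds to make the expected number of online guesses when the
    device imposes delay_for_attempt(n) seconds before guess number n."""
    n = math.ceil(expected_guesses(space))
    return sum(delay_for_attempt(i) for i in range(1, n + 1))


def summarize(max_attempts_before_wipe: int = 10) -> dict:
    """Per-policy keyspace, success odds under a wipe limit, and expected time
    under the throttle schedule. The wipe limit of 10 is an assumption."""
    out = {}
    for name, (alphabet, length) in POLICIES.items():
        space = keyspace(alphabet, length)
        out[name] = {
            "keyspace": space,
            "p_success_before_wipe": success_probability(space, max_attempts_before_wipe),
            "days_throttled": seconds_to_guess(space, throttled_delay) / 86400,
        }
    return out


if __name__ == "__main__":
    for name, row in summarize().items():
        print(f"{name:20s} keyspace={row['keyspace']:>9,d}  "
              f"P(guess before wipe)={row['p_success_before_wipe']:.3%}  "
              f"expected time, throttled={row['days_throttled']:.1f} days")
```

The point the numbers make: without any throttling, 10,000 guesses are trivial, but with a wipe after 10 wrong tries the attacker's odds against a random four-digit PIN are one in a thousand, and with even a modest per-guess delay the expected attack time runs to days. The keyspace comparison in the text is right, but it only matters once the attacker can guess offline or defeat the lockout.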
Maybe it's time to take another look at cellphone biometrics.
A few years ago that meant adding a fingerprint reader to the phone. But now that almost all smartphones are equipped with cameras and microphones, face scan, iris scan and voice recognition are possible as well. In fact, there are at least four biometric measurements we can implement on phones:
• Fingerprint recognition
• Face recognition
• Iris pattern recognition
• Voice recognition
As a recent article in TechBiometric noted: "Use and implementation of biometrics in cell phones is further enhanced by combining the technology with existing cell phone security arrangements. For instance, a cell phone user may have to authorize his mobile banking transactions through biometric recognition as well as using passwords and SMS codes."
So now the authentication ceremony becomes:
1. Person logs in with username/password
2. Server sends SMS message with code to user's phone
3. User activates phone with biometric and reads text
4. User inputs code to authentication app on PC
5. User is granted access
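The five steps above, modelled end to end as an added example (written for this page; it is not Nordic Edge's product or any real OTP server, and every name in it is an assumption). The server side hashes the password, generates a random six-digit code, delivers it through an SMS gateway (here a constructed callback that drops the text into the phone's inbox), and accepts the code only once, within a time limit and within a small number of attempts. The phone side refuses to show the text until the biometric check passes; the "biometric" is a simple string match standing in for a real matcher.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # length of the code sent by SMS
OTP_TTL_SECONDS = 120     # code is worthless after this
MAX_OTP_ATTEMPTS = 3      # wrong codes allowed before the pending login is dropped


class Phone:
    """The user's handset: stores received SMS, unlocks only after a biometric."""

    def __init__(self, biometric_template: str):
        self._template = biometric_template  # stand-in for an enrolled template
        self.inbox = []
        self.unlocked = False

    def receive_sms(self, text: str) -> None:
        self.inbox.append(text)

    def unlock(self, biometric_sample: str) -> bool:
        # Real matchers score similarity; exact equality is a deliberate simplification.
        self.unlocked = hmac.compare_digest(self._template, biometric_sample)
        return self.unlocked

    def read_latest_sms(self) -> str:
        if not self.unlocked:
            raise PermissionError("phone locked: biometric required")
        return self.inbox[-1]


class AuthServer:
    """Password check, OTP issue over SMS, and OTP verification (steps 1, 2 and 5)."""

    def __init__(self, sms_gateway, clock=time.time):
        self._users = {}      # username -> (salt, password digest, phone number)
        self._pending = {}    # username -> pending OTP state
        self._sms = sms_gateway
        self._clock = clock

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, phone_number: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt), phone_number)

    def login_step1(self, username: str, password: str) -> bool:
        """Step 1: verify username/password; on success issue and send the OTP."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest, phone_number = record
        if not hmac.compare_digest(digest, self._hash(password, salt)):
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = {"code": code, "attempts": 0,
                                   "expires": self._clock() + OTP_TTL_SECONDS}
        self._sms(phone_number, f"Your login code is {code}")   # step 2
        return True

    def login_step2(self, username: str, code: str) -> bool:
        """Step 5: accept the code once, in time, within the attempt budget."""
        pending = self._pending.get(username)
        if pending is None:
            return False
        pending["attempts"] += 1
        if self._clock() > pending["expires"] or pending["attempts"] > MAX_OTP_ATTEMPTS:
            del self._pending[username]
            return False
        if hmac.compare_digest(pending["code"], code):
            del self._pending[username]     # single use: a replay fails below
            return True
        return False


def run_ceremony(server, phone, username, password, biometric_sample) -> bool:
    """Walk steps 1-5; True only if access is granted."""
    if not server.login_step1(username, password):       # 1 (and 2, sent by server)
        return False
    if not phone.unlock(biometric_sample):                # 3: biometric gate
        return False
    code = phone.read_latest_sms().split()[-1]            # 3: read the text
    return server.login_step2(username, code)             # 4 and 5


def demo() -> dict:
    """Constructed scenario: one user, one phone, a few outcomes worth checking."""
    phone = Phone(biometric_template="alice-fingerprint-template")   # constructed
    server = AuthServer(sms_gateway=lambda number, text: phone.receive_sms(text))
    server.register("alice", "correct horse battery staple", "+46700000000")  # constructed
    results = {"happy_path": run_ceremony(server, phone, "alice",
                                          "correct horse battery staple",
                                          "alice-fingerprint-template")}
    # Replaying the code that was just accepted must fail (single use).
    results["replay"] = server.login_step2("alice", phone.inbox[-1].split()[-1])
    results["wrong_password"] = run_ceremony(server, phone, "alice", "wrong",
                                             "alice-fingerprint-template")
    results["wrong_biometric"] = run_ceremony(server, phone, "alice",
                                              "correct horse battery staple",
                                              "mallory-finger")
    return results


if __name__ == "__main__":
    print(demo())
```

Two details are worth noticing because they are where real deployments go wrong: the code is random and single use, so a code read over someone's shoulder is useless once it has been entered, and the phone will not display the text until the biometric check passes, which is the whole reason for step 3. What the model does not capture, and the text does not claim it does, is who else can receive the SMS; that is the carrier's problem, not the handset's.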
Is it 100% infallible? No; no method is. But it is better than either username/password alone or a SecurID token, and that is what we're aiming for right now.