What’s next in mobile authentication?
November 14, 2011
Bill Goldbach is executive vice president at Confident Technologies
If you have ever tried logging into a mobile application or Web site from your smartphone or tablet, you know that typing passwords for authentication is at best clunky and, at worst, ineffective.
In fact, typing strong passwords on mobile devices is so cumbersome that some experts have ventured to say that until a new authentication scheme emerges for mobile, mobile commerce will be stunted.
At the 2011 CTIA conference, a panel of experts concluded that mobile authentication will be more revolutionary than mobile commerce transactions. Why? Because it has to.
Many businesses and software developers focus on how quickly they can get a mobile app to market, but fail to seriously consider the authentication method used for logging in or approving transactions.
Authentication for mobile apps and on mobile Web sites remains a source of great frustration for users.
Most consumers have too many passwords and PINs, are in a hurry to complete their mobile transactions quickly, and struggle to enter their passwords (consisting of upper and lowercase letters, numbers and symbols) on tiny keypads.
In fact, in a recent survey of smartphone users, about 60 percent said they wish there were an easier form of authentication for mobile apps.
Another poll, conducted by Harris Interactive, found that 84 percent of respondents have struggled with mobile transactions and 43 percent said a negative experience would cause them to abandon the mobile commerce transaction altogether.
Clearly, businesses and software developers should pay greater attention to authentication and its effect on the usability of mobile apps and mobile Web sites.
Security and fraud concerns are also slowing consumer adoption of mobile commerce and mobile banking. One of the panelists at the CTIA conference said, “although there are advancements in the space, there are things – such as losing a device or it being stolen – that will make users wary of keeping their credit card and other financial information on their handsets.”
Malware and viruses targeting smartphones have proliferated rapidly, yet only 4 percent of consumers have security software installed on their mobile handsets. If consumers do not trust that their mobile applications or devices are secure, the future of mobile commerce is not bright.
User frustration and security concerns demonstrate that we cannot rely on the same, archaic password authentication schemes for mobile as we have done for PCs. Fortunately, many of the unique characteristics of smartphones and tablets – including touch screens, microphones and gyroscopes – make it so we do not need to.
So what is next in mobile authentication?
First and most important, any authentication method used on mobile devices should incorporate the use of one-time passwords or PINs, not static passwords.
Keystroke-logging malware is rampant and because most people do not install security software on their smartphones and tablets, cybercriminals easily infect the devices and capture usernames, passwords and PINs when the owner types them.
Furthermore, most people choose weak passwords, never change them and use the same ones on multiple accounts and applications. For these reasons, it is important that any authentication method used for mobile commerce or mobile payments generate a unique, one-time password or PIN every time.
Image- or pattern-based authentication: The touch screen displays on smartphones and tablets lend themselves perfectly to pattern-based and image-based authentication techniques.
Rather than typing a password, a growing number of authentication methods ask the user to draw a pattern on the screen, touch a series of points on a picture, or tap different pictures to identify which ones match their secret authentication categories.
Such approaches are easier and faster for most mobile users. They are generally not susceptible to simple keyloggers and can be used as a way to generate one-time passwords.
Most interestingly, image-based authentication can also be used as a marketing channel by presenting the user with branded images during the authentication process.
One important point about these approaches, though, is that the user can leave fingerprints or streaks on the screen that would allow another person to decode the pattern or points used for authentication.
To prevent this, the authentication technology should display the pictures in different locations on the screen or regularly change the area where the user draws their pattern, so fingerprints and smudges are not in the same place every time.
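As an added example, not code from the article or from Confident Technologies, the Python sketch below ties the points above together: the user's secret is a set of image categories, every challenge shuffles the images and gives each cell a random label, so the labels the user taps form a one-time code (the secret categories themselves never cross the wire, and a keylogger or a replayed code gains nothing), and the smudge left on the glass points to different positions each time. `ImageAuthServer`, `CATEGORIES`, `tap_code` and the rest are my own assumed names, not any vendor's API.

```python
"""Image-category authentication that yields a one-time code per login.

Added example, not Confident Technologies' product. Assumptions: the user's
secret is an ordered list of image categories; every challenge shows one
image per category in a freshly shuffled grid, each cell carrying a random
label; the user taps the cells showing the secret categories, and the
concatenated labels are the one-time code. Each challenge is single use.
"""
from __future__ import annotations

import random
import secrets
import string
from dataclasses import dataclass

# Constructed category catalogue; a real deployment would map these to image sets.
CATEGORIES = ["dog", "car", "tree", "boat", "cat", "house", "bike", "bird", "fish"]
CELL_ALPHABET = string.digits + string.ascii_uppercase


@dataclass
class Challenge:
    challenge_id: str
    user: str
    grid: list[tuple[str, str]]  # (category, label) in on-screen order
    expected_code: str


class ImageAuthServer:
    def __init__(self, rng: random.Random | None = None) -> None:
        # Injectable RNG so tests can be deterministic; production uses the OS CSPRNG.
        self._rng = rng or secrets.SystemRandom()
        self._enrolled: dict[str, list[str]] = {}
        self._pending: dict[str, Challenge] = {}

    def enroll(self, user: str, secret_categories: list[str]) -> None:
        if len(set(secret_categories)) != len(secret_categories) or len(secret_categories) < 2:
            raise ValueError("secret must be at least two distinct categories")
        if not set(secret_categories) <= set(CATEGORIES):
            raise ValueError("unknown category in secret")
        self._enrolled[user] = list(secret_categories)

    def new_challenge(self, user: str) -> Challenge:
        secret = self._enrolled[user]
        cells = CATEGORIES[:]
        self._rng.shuffle(cells)  # new positions each time, so smudges never line up
        labels = self._rng.sample(CELL_ALPHABET, len(cells))  # distinct label per cell
        grid = list(zip(cells, labels))
        label_for = dict(grid)
        expected = "".join(label_for[c] for c in secret)  # the one-time code
        ch = Challenge(secrets.token_hex(8), user, grid, expected)
        self._pending[ch.challenge_id] = ch
        return ch

    def verify(self, user: str, challenge_id: str, submitted_code: str) -> bool:
        ch = self._pending.pop(challenge_id, None)  # consumed on first use: replay fails
        if ch is None or ch.user != user:
            return False
        return secrets.compare_digest(ch.expected_code, submitted_code)


def tap_positions(challenge: Challenge, secret: list[str]) -> list[int]:
    """Grid indices a user would touch: the smudge pattern an observer could see."""
    index_of = {cat: i for i, (cat, _) in enumerate(challenge.grid)}
    return [index_of[c] for c in secret]


def tap_code(challenge: Challenge, secret: list[str]) -> str:
    """Code produced by tapping the secret categories in enrolled order."""
    return "".join(challenge.grid[i][1] for i in tap_positions(challenge, secret))


def positions_vary(server: ImageAuthServer, user: str, secret: list[str], trials: int = 20) -> bool:
    """True if successive challenges put the secret images in different places."""
    seen = {tuple(tap_positions(server.new_challenge(user), secret)) for _ in range(trials)}
    return len(seen) > 1


if __name__ == "__main__":
    server = ImageAuthServer()
    server.enroll("alice", ["dog", "tree"])
    challenge = server.new_challenge("alice")
    code = tap_code(challenge, ["dog", "tree"])
    print("one-time code:", code, "accepted:", server.verify("alice", challenge.challenge_id, code))
    print("replay accepted:", server.verify("alice", challenge.challenge_id, code))
```

The server keeps only the category list, never the per-login code, and discards each challenge on its first use; a captured code or a photograph of the smudges is therefore useless against the next login, which is the property the paragraphs above ask for.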
Sensors are becoming ubiquitous features on smartphones. This, in turn, enables the owner’s biometrics and behaviors to become viable authentication methods.
For example, microphones can be used for voice recognition, cameras can be used for facial recognition, and even behaviors such as the rhythm and gait with which the person walks – sensed by the smartphone’s gyroscope and accelerometer – can be used for authentication.
Mobile authentication must be easy to use and highly secure in order for mobile commerce to grow.
Passwords are cumbersome and not secure, but fortunately the touch screens and sensors in most smartphones and tablets make it possible for new authentication methods to emerge, allowing consumers to securely conduct mobile transactions with just a few taps of secret images, the drawing of a pattern or the sound of their own voice.