Authentication methods beyond passwords have been around for some time, and this year’s Mobile World Congress was the place for some interesting companies to present their novelties in this area. At the end of the day, authentication always comes down to a matter of something the user knows (a password), something the user has (a wearable or any other item) or something the user is (any measurable biometric parameter).
There is little to be invented in the area of “something the user knows”: it all comes down to passwords, PIN codes, gestures, patterns and similar variations.
In the area of “something the user has”, FusionPipe (1) presented a platform based on wearables that can unlock terminals in proximity via Bluetooth or NFC, useful in specialized environments like hospitals, where physical contact with keyboards is undesirable.
A completely different approach, aimed at the general public, makes authentication rely on the possession of a mobile phone, or more precisely, a SIM card. This is what the Mobile Connect (2) system is about, an initiative sponsored by the GSMA. Using this system, you can authenticate yourself on a website or app (via OAuth2/OpenID) by receiving an alert on your phone (via SIM features, no extra app installation required), and confirming the access from the phone. Your mobile phone number becomes your identity in this system, just like your email is your identity in Google+.
Intercede (3) presented a more ambitious approach, providing a platform for the storage of user certificates in the mobile phone and a variety of access methods. The mobile storage can be protected by any other means (biometric, password…) and can be used to authenticate the user on external websites supporting the platform. For example, a website could display a QR code that the user would scan with their smartphone to grant themselves access, without entering their credentials anywhere other than their own phone. This is useful, for example, when using a public computer to check your bank account without risking exposure of your credentials on a public device.
The area of “something the user is” is synonymous with biometrics. There was a range of solutions in this field available at the congress. DDS Inc. (4) is a Japanese company that distributes a portable key ring with a fingerprint reader and Bluetooth connectivity (ideal for devices that lack a fingerprint reader). They were not the only company bringing fingerprint readers to the show, though.
The main problem with fingerprint recognition is the abundance of devices that do not ship with an integrated reader. Using a separate device just for authentication is probably a big hassle for most users, which is why the approach other companies have taken is also interesting: it is based on a device all smartphones carry, the camera.
Facial recognition using 3D techniques (to avoid someone using your Facebook profile picture to gain access to your phone) is the proposal of Swiss OneVisage (5) and Spanish FaceOn (6). They both ship an SDK that can be embedded into your app which enables face recognition as a replacement for traditional login within applications where it is more suitable.
In addition, we found EyeVerify (7), which specializes in eye recognition. With retinal scanners potentially being too invasive for normal users, EyeVerify is based on the external eye patterns (eyebrows, iris, eyelids, …) that are unique among different people, and can be recognized simply with your smartphone camera.
In summary, there are plenty of options beyond traditional, boring and easy-to-steal passwords. The maximum level of security often comes at the cost of usability and comfort. A combination of factors is usually safer than any system alone, but the choice of which mechanisms to adopt completely depends on the application and use case.
Solutions Architect, DMI International