Smartphone Biometrics Technology Proliferates but not Without Security Risks, Analyst Says
People will become as accustomed to facial recognition biometrics in the next five years as they are to fingerprint sensors in smartphones today, ABI Research analyst Dimitrios Pavlakis said on ABI’s "Biometrics: Opportunities and Vulnerabilities" webcast last week.
But facial recognition has vulnerabilities that have to be overcome before the technology is an effective authentication method, Pavlakis said, citing problems with algorithms and poor data recovery. Pilot programs have been plagued by inaccuracies, including law enforcement instances where facial recognition evidence has pointed to innocent people, Pavlakis said. The issues are being addressed, as algorithms are “evolving quite rapidly,” Pavlakis said. New breakthroughs indicate it’s possible to obtain partial or whole images from reflective surfaces that mirror someone’s face, he said. The threat of terrorist activities will move the market “even faster,” he said.
Lightning and weather effects can affect facial recognition, a reason that cameras are classified for indoor or outdoor use, Pavlakis said. Security cameras can also be “tricked,” he said, by tilting the head “slightly to one side,” disrupting focal points so that the algorithm has trouble “finding a human face.” Clothing and hair style can cover part of the face and interfere with facial recognition, he said. The biggest obstacle to facial recognition for authentication is data privacy, Pavlakis said. Still, he predicted widespread use of the technology within five years, driven by China and enterprise markets.
Fingerprint sensors for smartphones led the biometrics market with 214 million shipments in 2015, and 1.8 billion shipments are forecast by 2021, Pavlakis said. Demand is driven by the need for secure mobile payment transactions, he said. The growing market is drawing competition from new and existing market players hoping to “knock the big guys off the pedestal,” Pavlakis said.
Other biometric technologies are emerging, too. Pavlakis cited high-resolution optical sensors measuring 1,000 and 2,000 pixels per inch. Ultrasound, iris recognition, and face and voice recognition are emerging as solutions, with multimodal technologies expected to grow as well, he said. Disruptive technologies will bring more competition, leading to “volatile pricing fluctuations,” he said. The total market for biometric sensors will reach 4.3 billion shipments by 2021, he said.
As a new technology, biometrics are “more prone to attacks,” such as “spoofing” where fingerprints are presented to a device from latent prints left on other surfaces such as a glass or door, Pavlakis said. To combat spoofing attacks, the industry is deploying “liveness detection” to ensure there’s a live subject trying to access the device, he said. Another dangerous attack targeting biometric information leverages “basic social engineering combined with a malware app,” he said. The attacker launches a conversion action by providing a fake user interface. The smartphone user is deceived into using the biometric information for something that might initially seem harmless and swipes a finger for authentication. “But it’s a veiled attack” that converts a simple authentication “to something more complex” such as a change of credentials, Pavlakis said. The user thinks he’s accessing his banking account through authentication when the fake user interface is presented by the cyberattacker. Malware converts the credentials input “into something far more sinister,” transferring information to the cyberattacker instead, he said.
A replacement attack between a biometric vendor service app and a malware or rogue third-party app takes advantage of a phone’s “often-unprotected sensor application,” giving a cyber thief system privileges, Pavlakis said. Some vendors don’t secure their biometric sensors to the level they should, leaving them easy to bypass, he said. Very few sensors are locked, isolated or prevented from being accessed, he said. App stores have improved malware screening and seek-and-destroy capabilities over the past few years, but some cyber thieves “can still get control of the fingerprint sensor,” he said.
Biometric data storage is also a risk area, Pavlakis said. “Certain popular smartphones boasting fingerprint technology actually had huge design flaws when it came to storing biometric data security,” he said. Some OEMs used to store users’ biometric data in nonsecure files that any third-party app could easily access, he said. Companies are working on the problem and are hoping to rectify it within a year, he said. Other biometric data storage solutions are also in the works, he said.
Iris recognition is gaining traction and Pavlakis said to expect that technology to emerge in the next two or three years. It was only a few years ago that fingerprint sensors hit smartphones and now they’re “an almost indispensable aspect for flagship devices,” he said.
Looking ahead for biometric payments, Pavlakis sees three technologies emerging over time, with facial recognition next up. Some industry players are pushing for having smartphone users take selfies to complete a transaction, he said. Iris recognition continues to develop, he said. The third technology is heart rate biometrics, leveraging the convergence of wearables and heart-rate recognition, he said. Wearables are able to accommodate heart-rate sensing “to its full potential,” he said. If it’s done properly by manufacturers, the ability to use a smartwatch or wristband instead of a credit card or smartphone for mobile payments will justify the additional tech spend for consumers, he said.