- Use multiple biometric modalities (e.g. face and voice) for verification
- Store biometrics securely on the phone
- Use a given phone as a second factor of authentication
By combining the phone and collected biometrics, we have a powerful two-factor authentication system: the phone is something the user has, and the biometric is something the user is. An attacker would need to steal the phone as well as build a biometric spoofing system. Given how dependent users are on their mobile phones, they would quickly notice that their phone is missing should an attacker steal it, and could report it so the device is revoked as a factor. Compare this to passwords, where users are usually unaware that their password has been stolen.
Next, by using multiple biometrics, the system can switch between biometric modalities to raise the difficulty for an attacker. For example, if the system collected face and voice biometrics, then when the user wants access it may randomly select one or both modalities to use. It can even adapt based on the risk profile of the authentication: a low-risk login might demand one modality, a high-risk transaction both. Failure on one biometric may cause it to use the other. An attacker now not only has to steal the phone without detection, she also needs to build two distinct spoofing systems whenever both are demanded, and cannot know in advance which modality a given attempt will demand. One caveat for the designer: if a failed modality always falls back to the other, an attacker holding a single spoof can deliberately fail the first challenge to steer the system toward the modality she can fake, so the fallback path should itself be gated by the risk profile rather than offered unconditionally. Of course, there are simple techniques such as liveness detection (asking the user to blink, turn their head, or speak a randomly chosen phrase) to catch spoofing, as well as active research in academia on how to algorithmically detect spoofing, so we can have confidence that spoofing will become progressively more difficult.
The use of multiple biometrics also deals with the false reject problem neatly. If a user fails authentication on one modality, they can usually succeed by trying again. If that fails, they can then try gaining access using the second modality. Since biometric systems are designed to have very low false reject rates, and a user is only locked out if every attempt on every modality fails, the probability of sequential false rejects across multiple modalities is very small: if the attempts were independent it would be the product of the per-attempt false reject rates. In practice repeated attempts are not fully independent, since the same poor lighting or background noise affects all of them, so that product is an optimistic figure rather than an exact one.
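The adaptive selection and fallback flow described above, together with the lockout estimate, as an added example that is not code from the original post. It assumes two modalities ("face" and "voice"), per-modality match scores in [0, 1] compared against assumed thresholds, a risk level that decides how many distinct modalities must pass, and constructed false reject rates; none of these figures come from the post.

```python
"""
Risk-adaptive multi-modal biometric verification with fallback, plus a
false-reject (lockout) estimate.  Added example, not the original post's code.

Assumptions (constructed for illustration, not from the post):
- A modality verifier returns a match score in [0, 1]; a score at or above
  the modality's threshold is an accept.
- Risk levels "low", "medium" and "high" map to how many distinct modalities
  must pass; "high" demands every modality, so there is no fallback path.
- FALSE_REJECT_RATE values are made-up figures.  lockout_probability() treats
  attempts as independent, which real attempts are not, so it is optimistic.
"""
import itertools
import random
from typing import Callable, Dict, List, Optional

MODALITIES = ("face", "voice")
THRESHOLDS = {"face": 0.80, "voice": 0.75}          # assumed decision thresholds
FALSE_REJECT_RATE = {"face": 0.02, "voice": 0.05}   # constructed per-attempt FRRs
REQUIRED_BY_RISK = {"low": 1, "medium": 1, "high": 2}
MAX_ATTEMPTS_PER_MODALITY = 2


def choose_modalities(risk: str, rng: Optional[random.Random] = None) -> List[str]:
    """Pick the modalities to challenge first: a random subset of the size the risk demands."""
    rng = rng or random.Random()
    order = list(MODALITIES)
    rng.shuffle(order)
    return order[:REQUIRED_BY_RISK[risk]]


def verify(risk: str, verifiers: Dict[str, Callable[[], float]],
           rng: Optional[random.Random] = None,
           log: Optional[List[str]] = None) -> bool:
    """
    Run the adaptive flow: challenge the chosen modalities, allow a retry on
    each, and fall back to the remaining modalities only while more passes
    are still needed.  Returns True once enough distinct modalities accepted.
    """
    log = log if log is not None else []
    needed = REQUIRED_BY_RISK[risk]
    primary = choose_modalities(risk, rng)
    fallbacks = [m for m in MODALITIES if m not in primary]
    passed = set()
    for modality in primary + fallbacks:
        if len(passed) >= needed:
            break  # requirement already met; do not offer further challenges
        for attempt in range(1, MAX_ATTEMPTS_PER_MODALITY + 1):
            score = verifiers[modality]()
            accepted = score >= THRESHOLDS[modality]
            log.append(f"{modality} attempt {attempt}: score={score:.2f} "
                       f"{'accept' if accepted else 'reject'}")
            if accepted:
                passed.add(modality)
                break
    return len(passed) >= needed


def lockout_probability(risk: str,
                        attempts: int = MAX_ATTEMPTS_PER_MODALITY,
                        frr: Dict[str, float] = FALSE_REJECT_RATE) -> float:
    """
    Probability that a genuine user exhausts the flow above without passing
    enough modalities, assuming every attempt is an independent trial.
    A modality fails outright only if all of its attempts reject: frr ** attempts.
    """
    needed = REQUIRED_BY_RISK[risk]
    fail_all = {m: frr[m] ** attempts for m in MODALITIES}
    total = 0.0
    # Enumerate every pass/fail outcome across modalities; sum the locked-out ones.
    for outcome in itertools.product((True, False), repeat=len(MODALITIES)):
        if sum(outcome) >= needed:
            continue
        p = 1.0
        for m, ok in zip(MODALITIES, outcome):
            p *= (1 - fail_all[m]) if ok else fail_all[m]
        total += p
    return total


if __name__ == "__main__":
    # Constructed verifiers: the genuine user's face matches, the voice sample does not.
    user = {"face": lambda: 0.91, "voice": lambda: 0.40}
    trace: List[str] = []
    print("low risk:", verify("low", user, random.Random(1), trace))
    print("\n".join(trace))
    for level in ("low", "high"):
        print(f"{level} risk lockout probability: {lockout_probability(level):.2e}")
```

With the constructed rates, a one-modality requirement with one retry each locks the genuine user out with probability 0.02² × 0.05² = 1e-6, while requiring both modalities raises that to roughly 2.9e-3, which is the usability price of the stronger requirement; both numbers assume independence and should be read as lower bounds.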
Such a system can be made highly secure with this design, but what about user privacy? I think Apple presents a very viable model on how to treat user biometrics. It keeps biometric data on the device, encrypted so that only the Secure Enclave can use it, and never sends it to Apple's servers. A mobile app that collects its own biometrics should follow the same rule: keep the user's biometric templates (not the raw face images or voice recordings) on the device only, under the strongest storage protection the platform offers, such as a Keychain item restricted to this device and accessible only while the device is unlocked. This way, biometrics can be protected from unauthorized access. In addition, they should be deleted when the mobile application is deleted; on iOS this takes a deliberate step, since Keychain items are not removed when an app is uninstalled. This gives users assurance that they are in full control of their data.
It is my belief that the promise of general-purpose password-free authentication systems, especially for enterprise authentication, will be fulfilled by mobile-based multi-biometric systems. Given the state of password authentication, their arrival will not be a moment too soon.