Mark my words: biometrics will soon emerge as the Next Big Thing in mobile information security. Here's why:
- More people on the planet own a mobile phone than own a toothbrush.
- By their very definition as "phones," 100% of these devices are voice-capable.
- Approximately, 80% of them contain a built-in camera.
- Last year was the first that more smartphones were sold than all types of personal computers (desktops, laptops, netbooks and tablets) added together.
What this tells me is that tons of people have devices that can "hear" spoken words and take pictures of faces, and that these devices are selling more briskly than conventional computing platforms. Dt's an opportunity waiting to happen, don't you think?
I think so too.
It is more than a decade since we were first able to install software on our computers that allows us to "type" and otherwise control our units using voice commands, and this same capability was available on smartphones years before Apple unveiled Siri 12 months ago and firmly planted the concept in the mainstream.
And then, just this spring, Samsung launched its Galaxy S III and made note of its voice and face recognition capabilities. While these are not sophisticated enough to be used for true biometric security, it is interesting that the "face" part has progressed far enough in this commodity context to be able to track eyeball movement in order to keep the phone from going to sleep (such as when the phone is stationary while you watch a movie).
Given how recent these high-profile consumer developments are, it seems we are only a short step away from enabling smart devices to capture the patterns of our voices and faces, compare those patterns to versions that we stored ahead of time and then grant (or deny) us enterprise access according to a preassigned confidence threshold that, when met, says we are whom we purport to be.
The reasons to travel this route are many and operate on many different levels. Perhaps the most obvious have to do with the fact that it's quite difficult to spoof a voice and even tougher to fake a face! It's also impossible to forget your voice or leave your face at home, so the credentials needed to authenticate and authorize you are always available.
A related advantage is the fact that establishing your voice as your access control mechanism means you can use catchphrases and not just alphanumerics and symbols as passwords. Besides being easier to remember, they promise to remain secure even if they become known by third parties since your voiceprint likely doesn't look like theirs.
The ability to require that both your voice and face be recognized before you can gain access also means you can double up on the layers of protection provided and do so via a single device, thereby, enhancing usability. It also means that you can simultaneously secure not only your organization's internal information—the need that may well have led you down this path in the first place—but also the device itself, taking to the next level such current techniques as entering a PIN or tracing a pattern on the screen.
Compelling though these reasons may be, there are certainly issues still to be wrestled with before mobile device-based biometric security becomes commonplace. Here, the most obvious may be that a case of laryngitis or the growing or shaving of a beard may derail the recognition process, so today's more conventional layers of security may still be needed.
In addition, the horsepower and memory required to process a voiceprint and facial image, and to compare them to a stored template, is not insignificant and may be too much for many devices to handle for some time to come. Accommodating such loads is a much lesser issue on the back end, of course, and is well within the reach of existing technology. So the challenge is how best to leverage the individual strengths of each to make sure the capability runs smoothly.
In terms of information architecture and infrastructure management, this may mean requiring only the lower overhead voice portion—perhaps handleable by the device—to access less sensitive information, where a lower level of security is acceptable. Or it may lead to the use of facial recognition only where sufficient bandwidth exists to efficiently transfer the recognition data back and forth. Or it may necessitate the splitting of the processing load between the mobile device and the enterprise database in a more typical client/server style.
However it happens, it is pretty clear to me that this is going to happen, and probably will happen soon. The numbers suggest that a critical mass of suitably equipped potential users may shortly be in place, if it isn't already, and the need for it becomes more acute every time a new knowledge worker needs access from the road.
So mark my words: biometrics will emerge as the Next Big Thing in mobile information security. Don't you think?
I think so too.
STEVE WEISSMAN is a consultant and best practices instructor in process and information management. President of the AIIM New England Chapter and a Certified Information Professional, he is principal consultant at Holly Group, where he enables clients to work better and work better together, and to derive Maximum Total Value from their information technologies. For more, email firstname.lastname@example.org.