The quarterly publication of the International Legal Technology Association
Issue link: http://read.uberflip.com/i/657874
Peer to Peer: The Quarterly Magazine of ILTA | Spring 2016 | Extras

Authenticate with Biometrics

by Ilya Dreytser of Mobile Helix, Inc.

With today's increasingly mobile-enabled workforce, receiving second-factor authentication tokens by SMS (text message) or by mobile app is becoming completely ineffective. Is it time to bring back physical second-factor authentication tokens? Or is it time to move on to a biometric option?

Consider the three most popular methods of second-factor authentication delivery. A code can:

1. Be sent by SMS
2. Appear on a mobile app
3. Appear on a physical token

Second-factor authentication solutions based on mobile apps and SMS work well and are much cheaper and easier to manage than physical tokens. However, as email and access to firm resources become available from a phone or tablet, sending the second-factor authentication code to the same mobile device it is intended to protect no longer provides any additional protection at all.

Physical tokens are becoming relevant again, but they are more expensive to deploy and manage, and they can easily be lost or even stolen. That's why it's time to consider biometric solutions. The fingerprint and password/PIN combo covers three authentication methods:

1. Something you know (your password or PIN)
2. Something you have (your mobile device or a physical token)
3. Something you are (your biometrics)

Fingerprints are also much faster to input than long, complex passwords, so you could ask users to enter a fingerprint every time they access firm data with little objection.

No authentication method is completely secure. The physical token can be compromised, as we saw with RSA in 2011. Mobile device PINs can be shared, guessed or hacked. Fingerprint readers or the OS software can have exploitable security flaws as well. However, these risks pale compared to sending a second-factor authentication code via SMS or mobile app to the very device that has been compromised or stolen.