In an age of growing mobile security concerns, IT teams and administrators are turning to security measures such as biometrics to better protect enterprise devices. By integrating biometric authentication requirements into corporate-owned devices, organizations can add an extra level of protection and leverage data that is nearly impossible to duplicate. This, combined with its use of hardware-based security measures and data encryption, make it ideal for providing role-based access and customized security clearance in today’s enterprise.

Additionally, biometric authentication technology makes it easier for employees to safely access documents, since they don’t consistently need to reset or remember lengthy passwords. But how exactly do all of the elements of biometrics come together to provide a heightened security offering?

How Biometrics Work

The first step to both understanding and implementing biometrics is having a standardized service that can work across various Android applications, such as a Trusted Execution Environment (TEE). Within Android’s v6.0 Compatibility Definition, there are two notable requirements on integrating this hardware-based measure:

  • Smartphone vendors must use a TEE for matching fingerprints.

  • Fingerprints must be encrypted and signed and stored in such a way that they can’t be exported (or read) outside of the TEE.

In platforms such as the Samsung Pass SDK, encryption stores data within the TEE and it never leaves the device. A public/private key pair is “locked up” with biometric data, and the fingerprint is used to unlock the keys implemented by the smartphone and Samsung Pass, to authenticate to the remote application and access.

Samsung’s smartphones can also link the fingerprint sensor on the smartphone directly to cloud services and enterprise applications that support the FIDO Alliance’s U2F (Universal 2 Factor) standard, such as Dropbox, Facebook, Paypal, Salesforce and GitHub.

Advancing and Evaluating Biometric Technology

Of course, fingerprints are only the first biometric that came to smartphones. Recently, vendors such as Samsung have moved to use other biometrics such as iris scanning to devices.

For iris scanning, Samsung’s smartphones make use of a separate infrared camera and “flash” for the iris that is only connected to the TrustZone-based TEE. This eliminates the possibility that non-trusted software can grab an iris scan. The scans are processed by a trusted application in the TEE, and only the processed hash of the scan is stored, eliminating the possibility that the raw data (or hash) can be extracted by any software running outside of the TEE.

Addressing Standards

IT managers should carefully evaluate biometrics on Android smartphones when choosing vendors and technologies. This will help reduce the risk of introducing the kinds of security vulnerabilities that came with the initial implementations of fingerprint readers.

When enabling biometrics such as iris scanning, look for a clear statement from the hardware vendor on how the data are stored and verified. Data should be stored in an encrypted or hashed format eliminating the possibility of decryption, even by privileged applications.

Android devices should make use of specialized hardware and TEE with live biometric data, to ensure that malware can’t tamper with the data or interfere with the process, creating safer options for enterprises interested in the technology.

See how you can leverage biometrics within your organization.