Your mobile device is only as secure as your weakest authentication method. While biometric unlock options share a common goal — to allow users to verify their identity using personal physical characteristics — it’s important to understand which approach will provide the best protection for your device.
With the latest smartphones, users can choose from a range of biometric authentication options — including facial recognition and fingerprint scanning — to unlock their device. These authentication technologies continue to improve, with more sophisticated sensors and algorithms reducing false acceptance rates (FAR) and blocking attempts at hacking. That said, biometric options must also account for user convenience and environmental considerations, such as whether users regularly wear gloves or face masks.
The latest phones in Samsung’s lineup, including the new Galaxy S21 series, feature an ultrasonic, in-display fingerprint sensor, which creates a 3D image of your fingerprint — and it’s more secure and accurate than traditional capacitive fingerprint readers.
Here’s a quick rundown of authentication best practices, the biometric authentication options available today and how their security compares.
Why you need a strong password even with biometrics
Before digging into biometrics, it’s vital to note the role of traditional device unlock methods, like passwords, patterns and PINs. When you first get your phone out of the box, you should set a password, PIN or pattern to protect your device. Then, you can choose to add a biometric authentication option, which you can use as a more convenient way to access your mobile device instead of manually entering your code every time.
However, keep in mind that if someone were to learn your password, pattern or PIN, they could use it to unlock your phone, delete your biometric identification and add their own. Having biometrics on your device doesn’t replace the need for a traditional authentication method — it just gives you the convenience of not having to enter your password, pattern or PIN every time you sign in. That frees you up to set an extra-strong password, since you won’t need to input it constantly.
But this raises the question: Which is the best traditional authentication method for your needs?
Password, pattern or PIN?
Passwords are the most ubiquitous form of authentication for a reason. A strong password should consist of 8 or more letters, numbers and symbols and include at least one uppercase letter in the sequence. While this complexity may prove difficult to remember, it affords far more possible combinations, making it more difficult to crack.
PINs are essentially a weaker version of passwords, since they only consist of numbers. A strong PIN should also be lengthy — at least 8 digits. Some users prefer PINs because they are faster to enter on the phone’s keypad, but it’s typically easier to remember long passwords than long strings of numbers.
Pattern-based authentication is often considered an evolved form of PINs. It eliminates numbers and replaces them with a connected pattern set by the user. You can unlock your phone by drawing this pattern on the screen with your finger. Patterns are definitely the most convenient option, but they are also the weakest option for authentication, as they further reduce the potential combination of digits and can be guessed by someone observing you unlock your phone or even by the smudge marks left behind by your finger after swiping the pattern.
Regardless of which method you choose to employ, make sure you follow best practices to ensure you create a strong password, pattern or PIN. You should always avoid using the same password for multiple accounts, setting a PIN that’s associated with a birthday or familiar sequence of numbers, and dragging a pattern in front of others who can easily memorize it.
Once you’ve settled on and established a strong last line of defense, you can build on top of that foundation with biometrics. With that in place, it’s time to evaluate the security, complexity and ease of access provided by the biometric authentication methods available today.
Facial recognition
Fast, easy and convenient, facial recognition is a great option for consumers and many business users. With facial recognition, unlocking your device is almost instantaneous. Your device just needs to be angled toward your face.
But facial recognition does come with security limitations. If the facial recognition software doesn’t map the user’s face in three dimensions, authentication could be spoofed with a photo of the user. Even sophisticated facial recognition technologies have a higher FAR than the advanced fingerprint authentication options discussed below.
What’s more, facial recognition can be prone to false negatives, caused by glasses, makeup or just different ambient lighting. For stronger security, organizations handling sensitive data should consider fingerprint scanning.
Capacitive fingerprint sensors
The first biometric authentication method to appear on mainstream smartphones, capacitive fingerprint scanning is fast and provides low FARs. Unlike early optical scanners, which would essentially take a “photo” of a user’s fingerprint, capacitive scanners detect the ridges of your fingerprint as it touches a conductive plate. Capacitive fingerprint scanners won’t be fooled by a 2D copy of your fingerprint. There have been reports of sophisticated 3D replicas fooling capacitive sensors, but this risk is minimal for most businesses.
Capacitive fingerprint scanners are a good choice for most enterprises, as long as users don’t typically wear gloves (like some field workers do).
Ultrasonic fingerprint ID
Introduced first on Samsung’s Galaxy S10 and S10+, ultrasonic fingerprint ID is a new type of fingerprint sensor that uses ultrasonic waves to create a 3D image of your fingertip. An ultrasonic sensor is much harder to fool, as the scanner doesn’t just reference your fingerprint’s pattern but also the exact contours of the ridges, notches and abnormalities. This upgrade is also backed by Samsung’s machine learning algorithm, which helps detect the differences between real fingerprints and forged 3D replicas.
The mobile security top 10
Get your free guide to better securing the personal and work data on your mobile phone. Download Now
The other major advantage of ultrasonic fingerprint ID is that the sensor operates through the display. This means the sensor is always within easy reach of the user’s thumb, without sacrificing screen real estate. Just be sure that when you register your fingerprints you don’t have a screen protector on your phone, as this can interfere with the ultrasonic sensor. And when you do add a screen protector, make sure you choose one that’s compatible with ultrasonic fingerprint ID.
Bottom line: Ultrasonic fingerprint ID provides significant improvements in both security and usability, making it an excellent authentication option for business devices.
Securing data with Samsung Pass
When it comes to leveraging biometrics, unlocking your device with your fingerprint is just the beginning. You can also use biometrics to replace your account passwords or authenticate to data separation solutions.
One convenient way to do this on Galaxy smartphones is with Samsung Pass, which lets users replace their IDs and passwords while browsing the web using Samsung Internet, as well as on supported apps. With Galaxy devices, you also get Samsung’s Secure Folder, which makes use of the devices’ hardware-partitioned security capabilities, as well as Samsung’s cloud security system. With biometric authentication supported by Samsung Pass and Secure Folder, you can rest assured that the sensitive data and personal information you store and share on your phone will stay completely secure — wherever your work takes you.
No matter what kind of work you do, you probably have to store and share some sensitive information. Find out how you can secure your work data — and your personal data — with our comprehensive guide to business mobile security. And if you ever use your personal phone for work purposes, make sure you’re keeping your two data streams separately secure.