Passwords are passé. In five years, iris recognition and facial dimensions could be common sign-on techniques for mobile devices. That's the outlook for biometrics in the age of powerful mobile devices, according to identity solution provider MorphoTrust USA.

Mark DiFraia, senior director for solution strategy at the company, told CMSWire this week that "mobile devices have matured to the point where they can handle more than one mode of biometrics," primarily because of the capabilities of the cameras and the processors.

Iris Most Accurate

Adding biometrics as a common identifier for mobile devices, he said, is more a matter of software than hardware. He noted that his company "has working software [for mobile devices] that is doing facial matching but not yet iris-matching," using a platform that could be used for more than one kind of biometrics.

He pointed to four main biometrics as the leading contenders for common use: fingerprint, already present in early-stage fingerprint sensors in the iPhone 5S and Samsung S5 handsets; iris recognition; skin texture recognition; and facial structure matching.

"The most accurate has always been iris," DiFraia told us, "with facial matching a close second."

Fingerprints, he said, are "one of the least reliable," because of high error rates due to similarities between individual prints. But fingerprints are common, he said, because of their decades-long use in law enforcement.

Another factor driving adoption of password-less logons, DiFraia said, is the FIDO Alliance, which intends to "change the nature of online authentication" through biometrics and other approaches. Member organizations include the Bank of America, ARM, BlackBerry, Google, Lenovo, Mastercard, Samsung and Microsoft.

NIST, 'Liveness'

And there's the National Strategy for Trusted Identities in Cyberspace, an initiative from the National Institute of Standards and Technology (NIST) to create a more secure Identity Ecosystem – again with biometrics as a key identifying factor.

DiFraia pointed out that the near-panic surrounding the recent Heartbleed security vulnerability, which exposed millions of logons to hacker theft, could have been mitigated if biometrics had been used instead of passwords.

Most biometric-reading systems, he said, "test for liveness," meaning that they need to see live input from an iris scan or a fingerprint reading. The data string generated from the live scan is then matched to the stored string, resulting in authentication, but the stored string itself is used only for matching, not as a key. In other words, it's not a password that can be used to log on elsewhere.

"If you're somebody worried about a data breach," DiFraia said, "biometrics should be your best friend."

Image from MorphoTrust USA.