Entitled “Mobile Biometric Authentication: Pros and Cons of Server and Device-Based”, the paper takes the position that there are advantages and disadvantages to both approaches, and that in some cases one is more appropriate than the other. Aware’s paper does arrive at a pretty definitive conclusion, however: The server-based approach is probably better for organizations looking for more control over mobile authentication and the attendant biometric data, while a device-based approach is better for organizations that are mostly focused on preventing major data breaches. But there’s a whole range of subtle considerations beyond those broad conclusions.
For example, Aware’s paper argues that device-based approaches are better at fending off so-called ‘Man in the Middle’ attacks aimed at intercepting valuable data as it is transmitted. Server-based approaches, meanwhile, can better facilitate authentication through multiple devices, and they allow for centralized storage that can be protected with focused perimeter defenses. On that same note, however, device-based approaches better facilitate scalability, since the processing and storage of biometric data are done across a whole range of devices and don’t all need to be handled by one central authority.
There’s plenty more detail in Aware’s full paper, which can be accessed through the company’s website. For those who just want a simple answer about which approach is best: There isn’t one. The digital security landscape is more complex than it has ever been, and that’s why more elaborate guidance like the kind offered in Aware’s report is so valuable.