Conventional mobile computing devices frequently provide biometric authentication functionality to a user, whereby a mobile computing device may cause the user to be authenticated based upon a biometric identifier for the user as opposed to a traditional username and password approach, thus obviating the need for manual input on behalf of the user. For instance, the mobile computing device may include a fingerprint scanner. The user of the mobile computing device may place a finger of the user (e.g., a thumb) on the fingerprint scanner, and the fingerprint scanner may generate a fingerprint scan of the finger. The mobile computing device may then encrypt the fingerprint scan and store the encrypted fingerprint scan in a secure memory location of the mobile computing device, thereby causing the fingerprint to be registered with the mobile computing device. Subsequently, when the user wishes to access an application on the mobile computing device, the user may place the finger on the fingerprint scanner. The fingerprint scanner generates a second fingerprint scan of the finger. The mobile computing device can then authenticate the user based upon the encrypted fingerprint scan and the second fingerprint scan. Responsive to authenticating the user, the mobile computing device can provide the user with access to the application.
Conventional mobile computing devices also include the ability to register multiple fingerprints. For example, a mobile computing device may register a left thumbprint of the user and a right thumbprint of the user. However, there is no requirement that fingerprints registered with the mobile computing device belong to the same user. As such, the ability to register multiple fingerprints has been leveraged by organizations to support biometric authentication for a plurality of users on the same mobile computing device. For instance, if the mobile computing device is to be used by a first user and a second user, the mobile computing device may register fingerprint scans for the first user and the second user. The mobile computing device (and hence applications loaded on the mobile computing device) may then be accessed by the first user when a fingerprint scan for the first user is provided to the mobile computing device. When the first user is not operating the mobile computing device, the mobile computing device may be accessed by the second user when a fingerprint scan for the second user is provided to the mobile computing device.
The conventional approach to biometric authentication on a shared mobile computing device suffers from various deficiencies as most mobile computing devices are intended to be operated by a single user and not a plurality of users. For security purposes, operating systems of mobile computing devices are configured only to generate binary responses (i.e., yes/no) during biometric authentication. Thus, while a mobile computing device can authenticate different users of the mobile computing device based on biometric identifiers, the mobile computing device cannot determine identities of the different users based solely on the biometric identifiers. Therefore, data and application access provided to the different users of the mobile computing device is the same, which is undesirable. Additionally, conventional approaches to biometric authentication in shared computing environments are undesirable in situations in which sensitive data is handled, such as a healthcare environment in which protected patient data may be inadvertently shared.