Often I meet and hear people extolling the virtues of Biometric Authentication and how easy, secure and foolproof it is. It’s easy on the user, but is it really cut out for heavy-duty security – to lock your homes and bank accounts?
What is Biometrics?
The term biometrics refers to measurements of human characteristics. These include fingerprints, retina and iris scans, face geometry, voice and more.
For a biometric lock system to work, the system needs to capture your biometric information and store it first. This stored data is used on subsequent unlock requests to validate that it is indeed you who is trying to access the system. Because no two captures of the same finger or face are identical, the check is a similarity match within a tolerance rather than an exact comparison. Of course, it seems super easy to use, when it works – like unlocking your phone or front door using your face or fingerprints.
Why not Biometrics?
Biometric data like your fingerprints, face, voice and eye scans is not private.
Your password or PIN to access a site or withdraw money from your account is known only to you. Unless you share it or it is stolen, no one can access your data. A common way cybercriminals get your password is a breach at one site; because a lot of us reuse the same password across multiple sites, the criminals then try the stolen password against your accounts on other sites – an attack called credential stuffing.
This is not the case with your biometrics if you use that as your primary method of accessing a system. Would it surprise you if I told you that your biometric data is not private at all? Let’s see why.
Anything I touch leaves my fingerprints behind. We’ve all seen those spy and bank heist movies where they lift fingerprints from water glasses or cups and use that to impersonate a person and gain access to their accounts or data.
It may be harder to fool the new generation of fingerprint scanners, which are more sophisticated, but it is not impossible. Hackers have even been able to duplicate fingerprints using high-resolution photos of people taken in public – way back in 2014, when researchers at the Chaos Computer Club reproduced a politician's fingerprint from press photographs. So if someone has a high-resolution photo of you with your hands held out, they can clone your fingerprints – not too hard with today's 48 megapixel phone cameras.
Many of us use face unlock to access our phones these days. But not all facial recognition scanners are made equal. Cheaper facial scanners are easily fooled with a photo; the more advanced ones illuminate your face with infrared light and check its 3D contours as well. Again, like fingerprints, it's not foolproof – people have gone to the extent of making 3D masks to bypass face recognition. Even iris scanners, which scan characteristics of your eyes, have been fooled by an artificial eye made from a printed photo and a contact lens.
Photos which you, your family and friends have uploaded to social media, or captures from security cameras you've walked past, can be used against you.
Another method that gained some popularity a while back, without much lasting traction, is the "voice print". It compares a spoken phrase against a set of pre-recorded samples to find a match. This again is not that hard to bypass if someone gets hold of recordings of your voice and can splice the words you said into the required phrase.
These days, artificial intelligence can be used to generate speech that sounds like you but was produced by a computer. I'm not sure whether this would bypass voice locks, but it sounds plausible given the accuracy of AI speech generation systems today.
Reset Stolen Credentials?
Now comes the interesting part: what happens when your biometric data is stolen? Unlike a password, which you can reset, you can't grow a new fingerprint or face. Even where a system stores a derived template rather than a raw image, re-enrolling the same finger or face produces a template that the stolen copy still matches, so there is no way to rotate it the way you would a leaked password. That leaves little recourse once criminals manage to gain access to your accounts this way.
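To make the enrol-and-compare mechanism described earlier and the no-reset problem concrete, here is an added Python example (my own illustration, not code from the original post or any real product). It models a biometric code as a 256-bit string, loosely in the style of an iris code, matched by Hamming distance within a tolerance, and puts it next to a salted PBKDF2 password check. The user seed, the 20% match threshold, the passphrases and the simulated sensor noise are all assumed, constructed values.

```python
"""Toy model of enrol-then-compare biometric matching beside a password check.

Illustration only: seeds, threshold and passphrases are assumptions, and the
sensor noise is simulated, not data from any real system.
"""
import hashlib
import hmac
import os
import random

CODE_BITS = 256
MATCH_THRESHOLD = 0.20   # assumed: accept if at most 20% of bits differ
PBKDF2_ROUNDS = 200_000


def capture(person_seed, noise_bits=0, noise_seed=0):
    """Simulate a sensor reading: the person's fixed code plus per-capture noise.

    person_seed stands in for the person's body, so the same seed always gives
    the same base code.  noise_bits distinct bit positions are then flipped,
    which is why two captures never match exactly and a tolerance is needed.
    """
    code = random.Random(person_seed).getrandbits(CODE_BITS)
    rng = random.Random(noise_seed)
    for pos in rng.sample(range(CODE_BITS), noise_bits):
        code ^= 1 << pos
    return code


def hamming_fraction(a, b):
    """Fraction of the CODE_BITS positions where the two codes differ."""
    return bin(a ^ b).count("1") / CODE_BITS


def enroll(sample):
    """The 'capture and store' step: keep the captured code as the template."""
    return sample


def verify_biometric(template, sample):
    """Accept when the fresh capture is close enough to the stored template."""
    return hamming_fraction(template, sample) <= MATCH_THRESHOLD


def set_password(password, salt=None):
    """Store a salted PBKDF2 verifier; a new password gives an unrelated verifier."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(record, password):
    """Constant-time comparison of the candidate against the stored verifier."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


def authenticate(pw_record, template, password, sample):
    """Biometric used as a second factor: both checks must pass."""
    return check_password(pw_record, password) and verify_biometric(template, sample)


def breach_scenario():
    """Both credentials leak; the password can be rotated, the biometric cannot."""
    alice = 4242                                   # assumed user identity
    template = enroll(capture(alice, noise_bits=8, noise_seed=1))
    pw_record = set_password("correct horse battery staple")

    # Attacker obtains the stored template (or lifts a print) and the password.
    stolen_template = template
    stolen_password = "correct horse battery staple"

    # Recovery: rotate the password and re-enrol the same finger or face.
    pw_record = set_password("new unrelated passphrase")
    template = enroll(capture(alice, noise_bits=8, noise_seed=2))

    return {
        "stolen_password_still_works": check_password(pw_record, stolen_password),
        "stolen_biometric_still_works": verify_biometric(template, stolen_template),
        "combined_check_with_stolen_data": authenticate(
            pw_record, template, stolen_password, stolen_template),
    }


if __name__ == "__main__":
    print(breach_scenario())
```

After the breach, `check_password` rejects the old passphrase because the verifier was replaced, but `verify_biometric` still accepts the stolen template: re-enrolment of the same body produces a code within the tolerance of the leaked one. The combined check fails only because the password factor was rotated, which is the practical argument for not relying on the biometric alone.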
What do I do now?
Now, would you use only biometrics to protect your data and money? I certainly wouldn't want to do that. Biometrics can serve as a secondary factor alongside a password or a hardware security key. Note that on a phone, face or fingerprint unlock usually gates a key held in the device's secure hardware rather than being sent to a server, so a stolen template does the most damage where the biometric is the only factor. For now, I'd suggest strengthening your primary factor, with a strong unique password or a hardware key, rather than depending on biometrics alone.