Biometrics are definitely better than passwords when it comes to security, but they aren't foolproof. Here are the three main reasons biometrics aren't secure.
The next time you log into your bank account to pay a bill, instead of entering your password, you might have to take a picture of your eye to gain access. Welcome to the world of biometric authentication, where your eyes, ears, and fingerprints are the access code to prove individual identity. Biometric technology will become commonplace sooner rather than later.
Bank of America recently started piloting a biometric system from Samsung that scans the iris to determine a person’s identity. They’re not the only company using biometrics. Wells Fargo and British bank TSB are working on iris scanning for mobile banking as well.
Since Apple introduced biometric identification with the iPhone fingerprint sensor in 2013, businesses have been exploring the technology as a way to finally thwart fraud and remedy widespread cybersecurity problems. But are biometrics really that secure or are organizations opening up a can of worms that can cause more problems?
What Are Biometrics?
Biometric identification is a technology that identifies and authenticates individuals based on physical characteristics. Biometric identification systems include fingerprint identification, iris and retina scanning, facial recognition, gait analysis, and voice recognition. The biometrics market is growing as the technology is being hailed as the new generation of defense for law enforcement against hackers. The biometric market is expected to be worth $32.7 billion by 2022.
Consumer acceptance is helping drive growth. According to a poll by Veridium, 52 percent of consumers want biometrics to replace passwords, and 80 percent believe it’s more secure than passwords. About 40 percent are already using fingerprint reader technology.
Benefits of the technology include:
- It’s faster and more convenient for users (no need to remember passwords)
- Strong authentication since biological characteristics are distinct
- Eliminates friction associated with traditional security measures
- Biometric servers usually require less database memory
Despite the benefits, some flaws still must be addressed. Here are three major issues facing biometric security.
1. Biometrics Aren’t Private
Biometrics seem secure on the surface. After all, you’re the only one with your ears, eyes, and fingerprint. But that doesn’t necessarily make them more secure than passwords. A password is inherently private because you are the only one who knows it. Of course, hackers can acquire it through brute-force attacks or phishing, but generally, people can’t access it. On the other hand, biometrics are inherently public.
Think about it: your ears, eyes, and face are exposed. You reveal your eyes whenever you look at things. With fingerprint recognition you leave fingerprints everywhere you go. With voice recognition, someone is recording your voice. Essentially, there’s easy access to all these identifiers.
Your image is stored in more places than you realize. Not only does Facebook recognize your face, but every store you visit records and saves your image in its database to identify you and analyze your buying habits. In fact, it’s legal in 48 states to use software to identify you using images taken without your consent for commercial purposes. And law enforcement agencies nationwide can store your image without consent.
The problem is identity management and security. Personally identifiable information (PII) needs access controls in place to protect against identity theft. All it takes is for a hacker to breach any of those databases to steal and leak your biometric identification.
2. Biometrics Are Hackable
Once a hacker has a picture of someone’s ear, eye, or finger, they can easily gain access to their accounts. While Apple’s TouchID was widely accepted as a biometric advancement, famous hacker Jan Krissler was able to beat the technology just a day after the iPhone was released. Likewise, researchers from the Chaos Computer Club created fake fingers to unlock iPhones.
Krissler showed how easy it is to steal a public figure’s identification when he recreated German Minister of Defense Ursula von der Leyen’s fingerprint. The hacker obtained high-resolution photos of the politician’s thumb from press conferences and reconstructed the thumbprint using VeriFinger software.
If you think an eye scan may be more secure, think again. Hackers fooled the Samsung S8 iris recognition system by placing a contact lens over a photo of a user’s eye. And it wasn’t a high-priced hack either. The S8 phone was the most expensive purchase of the hack project.
3. Biometric Hacks May Have Greater Consequences
Since a biometric reveals part of a user’s identity, if stolen, it can be used to falsify legal documents, passports, or criminal records, which can do more damage than a stolen credit card number.
The Office of Personnel Management breach in 2015 compromised 5.6 million people’s fingerprints. And unlike passwords, credit cards, or other records, you can’t replace physical identifiers. If someone has photos of your iris, you can’t get another eye.
Biometric companies are aware of these flaws in the technology and should aim to improve identification. There are some ways to mitigate the inherent shortcomings of biometrics, such as requiring more than one fingerprint scan to improve accuracy. Bank of America said its iris scan will be a part of multi-factor authentication instead of the sole way to access accounts.
Biometrics may be the security measure of the future, but it isn’t time to discard your passwords yet. Biometrics provide another level of security, but they’re not foolproof.
(This blog post originally appeared on Defrag This by Ipswitch)