Biometrics Measure Up

How Biometrics Measure Up and Why They Aren’t the Cure-All for Cybersecurity

Each month there seems to be more news of data breaches, both large and small. As these events continue to increase in frequency, organizations are learning that they must engage, and rapidly, with new security measures. Companies are now turning their attention from password policies to biometric authentication solutions, without thinking every ramification through.

The biometrics industry is expanding rapidly, as tools and technology are incorporated into daily life. It’s hypothesized that the industry could be worth as much as $68.6 billion in just five years’ time.

There’s a thread of thought that passwords are liable for most wide-scale security issues. In a sense, that’s half true, but it’s not passwords that are failing us–it’s the fact that individuals re-use passwords all the time. Password reuse means that once a user’s credentials have been stolen from one account, or one hacked website, hackers can access many more, important accounts, and gain network access.

It seems logical for organizations to seek other solutions, and there are even stirrings of a password-less revolution. The most praised authentication method has turned out to be biometrics, a field which has expanded dramatically in the last decade. While biometrics are useful for many situations, they are rather romanticized, and present their own set of challenges and flaws, just as passwords do.

What is biometric data?

Primarily ‘biometrics’ refers to physical or behavioral human characteristics that can be used to digitally identify a person, and then grant them access to their devices or data. The most common examples of biometric identifiers are fingerprints, facial patterns, and voice.
When exploring the possibilities of biometric security use, consider the following

  1. The Problem with Forever

The fatal flaw with biometric data is that once it has been stolen, it’s irreplaceable. There is no way to request a change to your face structure, or to rapidly update your fingerprint so you can get into your email account. If your retinal scan data is stolen from the organization responsible for keeping it safe, there is no way to reverse the damage that theft could cause. It is a true compromisation, and a very personal one at that.

Because biometric data is personal and the theft of it is so serious, it’s vital that organizations treat biometric data with the same respect as password credentials. Fingerprint, retinal scan, and facial pattern data needs to be kept as securely as possible. Up front, this might mean using a hashing algorithm and not storing any data in plain text. It’s important to recognize the responsibility of organizations as well as individuals.

2. Device and Application Limitations

Due to the widespread availability of biometric scanners on smartphones (like Apple’s TouchID and FaceID, and the Android equivalents), it may appear that biometric technology is on its way to being not only common, but ubiquitous. In reality, however, many devices can’t incorporate the biometric reader technology yet, including most desktop and laptop computers.

Similarly, even if a user is employing use of a fingerprint to access their device, most application sign-ins, including anything through a browser, are still heavily reliant on password or pin use. Until every browser, every device, and every individual is fully compatible, relying solely on biometric authentication is impossible.

  1. Potential Exploitation Through Spoofing

Another consideration is that biometrics are essentially on display. For example, our facial information isn’t private; it’s available through photographs, many of which are online, and freely available. This leaves individuals open to potential exploitation, and as mentioned above, once that data has been stolen, there’s no possibility of replacement. Additionally, with the rise of deep-fake technology, it is becoming even easier to spoof photos and videos, meaning that facial recognition data will be less secure.

The potential for spoofing also exists for fingerprint scans. Hackers have been able to make functioning scanners that are then ‘fooled’ by replicas–casts and molds–of real user fingerprints. Since touch ID technology has been more widely available, there are additional layers of defense like liveness detection, but there is still a long path ahead before the risk is truly eradicated.

4. Altered Appearance

While not at the forefront of most biometric concerns, taking physical change into consideration is a critical part of developing secure authentication. From a kitchen fingertip injury to a dramatic change to facial structure from an accident or surgery, changes to biomarkers do occur. If biometric authentication is the only method in use, the user would experience a difficult situation, and possibly a traumatizing one if dealing with an injury.

A less dramatic issue has arisen recently with some Apple users looking for ways to use facial recognition while wearing a mask

Solutions for Now?

While it’s a tantalizing concept, biometric authentication is a long way from being the cure-all for cybersecurity.

Instead, it should be used carefully and intelligently, in conjunction with other methods of identity authentication like passwords and pins. Taking a layered approach is the easiest way to ensure organizational security. Consider using authentication methods in pairings that complement each other. Don’t rely on just a fingerprint to prevent account takeover, and in the meantime, know that passwords are here to stay.

Read more here for additional commentary.