How Secure Are Biometric Passwords?
While it’s great to avoid forgettable passwords, are biometrics the way to go?
One of the most oft-heard pieces of personal cyber-security advice is that internet users should have unique and difficult-to-guess passwords across all their online accounts. Though this sounds simple, it can actually be somewhat difficult, given that these days people can easily have in excess of 100 accounts.
Bad Passwords = Security Nightmare
What’s more, even though most people are aware of the need to create secure passwords, the reality is that they fail to do this. They assume that a hack or invasion of their online privacy will “never happen to them.” But with mega-hacks—such as Yahoo’s recent admission of millions of email account passwords being obtained—the time for complacency is over. A new solution that many cybersecurity experts are putting forward is biometric passwords, that is, ones that rely on a fingerprint rather than memorization of an alphanumeric password.
Solution: Biometrics
On the surface, this sounds like a fool-proof idea. Everyone has a unique fingerprint, face or voice, so if we have the technology to recognize these features, we can employ it in lieu of remembering dozens of passwords. This means that internet users will both be more secure and less annoyed by constantly forgetting their passwords.
As the Telegraph reported recently, “According to the Biometric Research Group, 650m people used biometrics to operate their mobile phones at the end of 2015. By 2020, the number of biometric smartphone users will be at 2bn and growing. In fact, Europe’s new data protection regulation for businesses, the GDPR, includes clauses relating to how genetic and biometric data must be treated, foreshadowing their widespread use.”
In fact, we’ve already seen the beginning of biometric usage, first with the Touch ID feature on our smartphones, and even with some banks, such as Britain’s HSBC and FirstDirect, that have employed Voice ID and fingerprint logins. This list also includes Mastercard, which uses selfies instead of PIN numbers. However, the truth is that when it comes to cyber security, not everyone is so convinced.
The Naysayers
First there is the issue of recognition. Because something like your fingerprint uniquely identifies you and cannot be changed, once it is captured by a hacker, that actor has access to your entire online life, even more so than if he or she had simply guessed your password. Indeed, by assuming we are safer because we have biometric ID passwords, we could be opening ourselves up to more vulnerability through complacency.
Biometric Breaches
In fact, we’ve already seen examples of this hacking on a large scale. British cyber security firm Darktrace installed a hacking diagnostic tool at a large Asian manufacturing business that was a client. The client was using a fingerprint system to protect certain areas of its facilities.
As reported in the Telegraph: “The system had been successfully attacked, resulting in the loss of the entire database of all employee fingerprints. The attacker had even gained the ability to add new fingerprints to the system, admitting him or her to any part of the business. In this case, the biometric data gave the hacker even more access than employee passwords might have done.”
This could apply to payments, too. If a biometric scanning device used for payments were hacked, a merchant might not know it. As one infosec commenter detailed in an online forum: “Usually, the scanner itself encrypts the fingerprint data but the hacked one need not. So, since the merchant has his biometric data, he can authorize the payments as many times as he wants without a user’s consent.”
Back to Analog?
It’s true that biometrics are clearly not foolproof, but that doesn’t necessarily mean we should abandon them entirely. However, it does mean that as the field of biometrics widens and more and more companies and organizations employ the technology, we cannot simply assume that it is a superior method in every way. The goal is to improve our security and convenience, of course, but not to increase our convenience at the expense of our security.