Are Biometric Security Features Really That Secure?

That thumbprint lock on your iPhone seems futuristic and ridiculously secure, but is it really?

Biometric technologies use personally identifiable attributes to verify someone’s identity. For example, your fingerprints are unique to you—nobody else in the world has an exactly matching fingerprint.

So rather than relying on a password, which someone can easily guess or configure on their own, using a thumbprint to unlock a phone, access a bank account, or even pay for a service seems like a more secure way to handle such events.

But are biometrics as safe as they’re made out to be?

The Idea

Biometrics do have a lot of advantages. For starters, they can’t be replicated—at least not the same way that a written password can. They also aren’t easy to forget or lose; how many times have you forgotten your email password because you never wrote it down? Have you ever lost a finger?

Biometrics can also be more convenient for people everywhere; rather than taking the time to type in an email address, user name, and/or password, a simple wave of the hand or scan of the eye could suffice, cutting each transaction time to a fraction of what it was before.

Though it seems futuristic, there are many types of biometric identification already in circulation (or far along in development). Fingerprint scanners, eye scanners, DNA evaluators, heartbeat measurers, and even cameras that can analyze your gait are already a reality. But just because they sound futuristic and are fun to experiment with doesn’t mean they’re safe.

Security Risk 1: Irreplaceability

First, you must consider the irreplaceability of biometric features. A password, if compromised, can easily be changed. If it is forgotten or lost, it can easily be reset. The unique shape of your ear, however, can’t be easily replicated, nor can most other biometric signatures. Some features, like your heartbeat or your gait, may change naturally over time—so at what point does it become unrecognizable? Other features, like your fingerprints or the composition of your eye, may change in the event of a tragedy or some incident that alters these physical structures.

This forces biometric researchers to focus on biometric signs that are universal, meaning everybody has access to them, and unchanging, which means they have a low rate of change as people age and grow. This is a remarkably hard balance to find, as indicated by early selections of biometric sources.

Security Risk 2: Publicity

Next, consider a critical difference between conventional passwords and biometric signals. Passwords are, by nature, private; they exist in your own mind as your unique creations, and unless you write them down somewhere, nobody has a way to get ahold of them.

Biometrics, on the other hand, are public by nature. Anyone who has ever met you knows what your eyes look like, and all it would take is one high-resolution photo to be able to replicate them. Your fingerprints, too, exist continually and in a public setting. It wouldn’t take much for someone to 3D print an ear or copy your thumbprint and immediately have full access to your identity.

Does that sound extreme? Security researchers have already been able to hack into an iPhone’s thumbprint scanner with nothing more than a small piece of Play-Doh. This is an early iteration of the technology, but it demonstrates a real threat and a major weakness of biometric technology overall.

Security Risk 3: Storage

If biometrics are used to authenticate identities, they must be stored offsite somewhere, just like passwords are today. The FBI, for example, is working on building a facial recognition database of hundreds of millions of different faces. Some of these images may have been taken without consent; it’s entirely legal in most of the United States to take someone’s image while in public and, presumably, to store that image for future use.

This calls to mind two major concerns. First, it could qualify as a violation of privacy. Both government organizations and private companies could hypothetically gather information on your body, face, and even your gestures, for whatever ends they choose. There aren’t currently many laws dictating conduct in this area, because biometrics are such a new development. Second, if this database exists, it can be broken into, which means all it takes is one hole in security for a cybercriminal to have access to millions of people’s biometric data.

Delay in Release

If you’re concerned about biometrics taking over the world before they’re fully secure, you can rest easy for now. Even though early-stage models are in circulation, businesses and individuals aren’t yet clamoring to fully replace traditional password and multi-factor authentication systems. Biometric technologies are expected to grow, as an industry, to more than $24 billion by 2021; this is an impressive number that illustrates significant growth, but it’s not so explosive that it demonstrates the immediate desire for mainstream adoption.

Biometrics have a lot of potential, but there are some significant security risks to figure out before we begin to rely on them as our main source of identification. Thankfully, researchers already recognize the inherent flaws of this system, and are working diligently to compensate for them. Of course, any method of identification we choose to adopt is going to have weak points and the potential for exploitation; our job is to minimize those risk factors, not eliminate them, and be prepared for breaches when they inevitably occur.

This post is part of our contributor series. It is written and published independently of TNW.

