Biometric authentication using your face or fingerprints is very convenient and looks futuristic and secure. However, that feeling can be a false sense of security because of weaknesses in biometric systems. If you know what those weaknesses are, you can use biometrics responsibly.
Your biometric data cannot be changed
The biggest problem with using your body measurements as an authentication system is that you can’t easily change them if that information gets hacked. When your password information is inevitably leaked or hacked, all you have to do is change your password and the attackers are back to square one.
If your biometrics are compromised, you cannot exactly change your fingerprints or iris patterns. This does not mean that your biometric data is permanently compromised, though. It is possible to upgrade to higher-fidelity scanning systems that capture more detail than the older system the stolen data came from.
People who create biometric security features have ways to hide your raw fingerprints, facial scans, iris images, and any other body parts you have scanned. By applying encryption methods that cannot be reversed without a key, these systems do offer protection against traditional hacking.
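As an added illustration of the keyed, one-way protection described above (this is example code written for this article, not code from any vendor's biometric system), the block below enrols a constructed feature vector under a per-device key and stores only the keyed hash. The feature vectors, the quantisation step and the use of HMAC-SHA256 as the transform are all assumptions made for the demo; real matchers tolerate sensor noise in more sophisticated ways than bucketing values.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the feature vector a sensor produces after
# feature extraction. These numbers are made up for the example.
ENROL_SAMPLE = [0.12, 0.87, 0.45, 0.33, 0.91, 0.05, 0.64, 0.78]
VERIFY_SAMPLE = [0.13, 0.86, 0.46, 0.32, 0.90, 0.06, 0.65, 0.77]   # same person, sensor noise
IMPOSTOR_SAMPLE = [0.55, 0.21, 0.80, 0.10, 0.40, 0.95, 0.30, 0.62]  # different person


def quantize(features, step=0.1):
    """Bucket each feature so small sensor noise lands in the same bucket.
    Exact match after quantisation is a crude stand-in for a real matcher's
    tolerance (assumption for the demo)."""
    return bytes(int(f / step) for f in features)


def protect(features, key):
    """Keyed one-way transform: HMAC-SHA256 over the quantised template.
    Without `key`, the stored value cannot be reversed into the features."""
    return hmac.new(key, quantize(features), hashlib.sha256).digest()


def enrol(features):
    """Return (key, protected_template). The key lives in a separate store
    (for example a secure element), never next to the template database."""
    key = secrets.token_bytes(32)
    return key, protect(features, key)


def verify(features, key, stored_template):
    """Constant-time comparison of a fresh capture against the stored template."""
    return hmac.compare_digest(protect(features, key), stored_template)


def reenrol_with_new_key(features, old_template):
    """You cannot change your fingerprint, but you can change the key: after
    re-enrolment the old stored template no longer verifies anything."""
    new_key, new_template = enrol(features)
    return new_key, new_template, new_template != old_template


if __name__ == "__main__":
    key, tpl = enrol(ENROL_SAMPLE)
    print("same person, noisy capture:", verify(VERIFY_SAMPLE, key, tpl))
    print("impostor:", verify(IMPOSTOR_SAMPLE, key, tpl))
    print("leaked template, no key:", verify(VERIFY_SAMPLE, secrets.token_bytes(32), tpl))
```

The caveat the next paragraph makes also shows up here: the transform protects the stored database, not the sensor. A capture that reproduces the enrolled features (a lifted print presented to the scanner) still verifies, because the system cannot tell a replica from the real finger.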
The problem is that a dedicated attacker can always find a way to access your raw biometric data. Whether it’s a data breach or having your fingerprints physically taken from a soda can, where there’s a will, there’s a way!
You may be required to unlock biometric systems
Let’s say you have just returned home from an international trip and you are stopped at customs. You hand over your phone for inspection, but it has a biometric lock, so there’s no way for the customs officer to pry into it, is there? Without wasting any time, the agent turns your phone towards you and it quickly unlocks after seeing your face.
In situations where authorities can physically manipulate you, they can do the same with fingerprint scanners, by forcibly placing your finger on the scanner.
You may not be worried about government authorities accessing your data using your biometrics, but what about criminals? The idea of a criminal forcing his victims to unlock systems using biometrics should be distasteful to anyone.
We wear our biometrics for the world to see, but access codes and passwords live in our heads. As of now, there is no easy way to extract them. You can always “forget” your password or enter the wrong code enough times to wipe your device.
Biometrics offers unique hacking opportunities
Each type of authentication system has its own unique hacking possibilities. When it comes to biometrics, what hackers need to do is find a way to spoof or capture your biometrics. As technology advances, it becomes possible to capture biometric data without the victim’s knowledge.
In 2017, scientists succeeded in drawing fingerprint data from photographs taken up to 3 meters away. Smartphone cameras have come a long way since 2017 and modern phones could probably capture enough detail at longer distances, not to mention that most phones now come with at least a telephoto lens.
Iris scans aren’t safe either. In 2015, a Carnegie Mellon professor detailed how long-range iris scanning might work: technology that can scan someone’s irises as they look in a rearview mirror or from across a room.
These are just two examples; the principle is that current biometric data is always at risk of being captured and reproduced. The same applies to future biometric data, with loose DNA combined with a DNA “imprint” as one possible example.
How to use biometrics responsibly
The weaknesses of biometric authentication don’t mean you shouldn’t use it at all. However, it’s not a good idea to keep really sensitive information behind a biometric lock alone. For highly sensitive data or applications, it is best to use MFA (multi-factor authentication) that either does not include biometrics or uses them only as one factor among several.
You can also have a secure vault on your mobile devices that requires another layer of authentication. Samsung’s Secure Folder feature is a good example.
Finally, most devices that offer biometric authentication also offer a biometric killswitch. This is a shortcut or action you can perform to instantly disable biometrics. For example, you can say “Hey Siri, whose phone is this?” on your iPhone and the phone will immediately revert to passcode authentication.
It’s a good idea to research the biometric equivalent of the killswitch for the devices you use so you can use them when needed.
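To make the advice in this section concrete, here is an added example (written for this article, not the policy of any real phone or vendor) of a small authorization policy: biometrics alone unlock only low-sensitivity actions, high-sensitivity actions need a second, non-biometric factor, a killswitch disables biometrics until a passcode succeeds, and repeated wrong passcodes wipe the device. The tiers, factor names and the failed-attempt threshold are all assumptions for the demo.

```python
from dataclasses import dataclass
from enum import Enum

MAX_FAILED_PASSCODE = 10   # hypothetical wipe threshold, not any vendor's value


class Sensitivity(Enum):
    NORMAL = 1   # e.g. unlocking the home screen
    HIGH = 2     # e.g. a banking app or a secure folder


class Factor(Enum):
    BIOMETRIC = "biometric"
    PASSCODE = "passcode"
    TOKEN = "token"   # hardware key or one-time code


@dataclass
class DeviceState:
    biometrics_enabled: bool = True
    failed_passcode_attempts: int = 0
    wiped: bool = False

    def killswitch(self):
        """The equivalent of "Hey Siri, whose phone is this?": biometrics stay
        off until a passcode succeeds."""
        self.biometrics_enabled = False


def authorize(state, sensitivity, presented):
    """Return True if the presented factors satisfy the policy for this tier."""
    if state.wiped:
        return False
    usable = set(presented)
    if not state.biometrics_enabled:
        usable.discard(Factor.BIOMETRIC)
    if sensitivity is Sensitivity.NORMAL:
        return len(usable) >= 1            # any single usable factor
    # HIGH: two distinct factors, and a biometric never counts on its own
    non_biometric = usable - {Factor.BIOMETRIC}
    return len(usable) >= 2 and len(non_biometric) >= 1


def submit_passcode(state, correct):
    """A correct passcode re-arms biometrics; too many wrong ones wipe the device."""
    if state.wiped:
        return False
    if correct:
        state.failed_passcode_attempts = 0
        state.biometrics_enabled = True
        return True
    state.failed_passcode_attempts += 1
    if state.failed_passcode_attempts >= MAX_FAILED_PASSCODE:
        state.wiped = True
    return False


if __name__ == "__main__":
    phone = DeviceState()
    print("face only, home screen:", authorize(phone, Sensitivity.NORMAL, {Factor.BIOMETRIC}))
    print("face only, banking app:", authorize(phone, Sensitivity.HIGH, {Factor.BIOMETRIC}))
    phone.killswitch()
    print("face after killswitch:", authorize(phone, Sensitivity.NORMAL, {Factor.BIOMETRIC}))
```

The point of the structure is that the biometric factor is treated as convenient but weak: it can open the door on its own only for low-value actions, it never satisfies a high-sensitivity check by itself, and one deliberate action removes it from the set of usable factors entirely.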