If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different.
– Bruce Schneier
The popularity and availability of information technologies are constantly increasing, and with them the number of threats associated with their use. The main one is the danger of critical information leaking, both personal and corporate. Data protection is therefore the most important area of computer security experts' work today.
The first and foremost way to prevent unauthorized access to confidential information is to keep a wary eye on the legitimacy of the users who have access to it. The current level of technology allows this problem to be solved quite efficiently.
More and more companies are introducing two-factor authentication (2FA). With 2FA, entering the login and password is only the first step; the additional step is a one-time password. But to put an insurmountable barrier in front of attackers, one more obligatory component is needed: the users' willingness to apply the experts' achievements and follow their recommendations. Yet modern users want authentication to be not only reliable but also easy, which is why they do not always activate 2FA on their accounts.
Biometric authentication has become one of these easy 'magic' tools that can make two-factor authentication more popular. What could be easier and more reliable? Each person has unique fingerprints, voice and facial features. They are always with us and cannot be lost, and modern gadgets are advanced enough to read and analyze these identifiers.
Not only ordinary people but also serious organizations fall for biometric magic. British banks have introduced fingerprint login for their customers. This technology has long been used to unlock Apple's smartphones, and the feature is now being introduced into new Android smartphone models. MasterCard is working hard to introduce selfies as an authentication method. Other popular biometric authentication methods include retina or iris scanning, finger or palm vein patterns, voice, pulse and even selfies.
Is it convenient? Yes. Is it reliable? That needs further investigation.
What dangers do we face when using biometric authentication?
- Imperfect equipment. Biometric parameters are usually checked with ordinary smartphones, whose sensors vary in quality, so there is a probability of a false negative. For example, the system may consider a fingerprint suspicious because of a simple cut on the finger and refuse to recognize the legitimate owner of the account. When the system uses multifactor authentication and biometric data is just one of its components, identification can still be completed with an OTP (one-time password). But when biometric authentication is the only second factor of 2FA (two-factor authentication), there is no one-time password to fall back on, and the user will never be able to sign in because of this false alarm.
- Not only law-abiding citizens use the fruits of technical progress. Attackers quickly become aware of the latest technological innovations. For example, several years ago a program appeared that could add a virtual replica of a person's photo to a video in real time. Today such a program can be used to fool a face scanner by showing a dynamic, moving video clone of the person whose account is being compromised. Fingerprints have the same problem: they can easily be faked with a three-dimensional latex mold or glove, and even a high-resolution photo of a potential victim's palm is enough for the initial sample.
- Compromised data is difficult to recover from. If a password is intercepted, you can change it in a couple of minutes. Replacing a stolen credit card or hardware OTP token takes a bit more time, but it is still possible. But when biometric parameters, which belong to a person from birth, are compromised, what takes place is de facto identity theft. Biometric parameters cannot be changed as easily as a password or an electronic card.
Is it worth using biometrics for authentication?
As an extra option for multifactor authentication, or in cases not connected with access to especially important information, the use of biometrics is appropriate. For example, if a fingerprint acts as a pass to a gym, it is quite convenient: there is no need to carry a membership card all the time.
When it is not a gym but a bank account, it is more reliable to use other authentication methods. Proven tools such as tokens or OTP passwords delivered via SMS will protect important information much better than a newfangled retina scan.
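The false-negative lockout from the first list item, and the recommendation to keep a one-time password beside the biometric, can be modelled in a small login policy. This is an added example, not code from the original article: the biometric matcher is a constructed stand-in that takes a similarity score, the secret is the RFC 4226/6238 test-vector key, and the TOTP function follows RFC 6238 with HMAC-SHA1.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector secret, used here as a constructed demo user's key.
SECRET = b"12345678901234567890"


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix timestamp."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def biometric_match(score: float, threshold: float = 0.80) -> bool:
    """Constructed stand-in for a matcher: a similarity score in [0, 1] is
    compared with a fixed decision threshold. A cut or dirty finger lowers
    the score below the threshold, producing a false negative."""
    return score >= threshold


def authenticate(password_ok, bio_score, otp_code, now, allow_otp_fallback):
    """One login attempt: password first, biometric second. With
    allow_otp_fallback a failed biometric may be replaced by a valid TOTP;
    without it, a false negative is a hard denial."""
    if not password_ok:
        return "denied"
    if biometric_match(bio_score):
        return "granted"
    if allow_otp_fallback and otp_code is not None:
        if hmac.compare_digest(otp_code, totp(SECRET, now)):
            return "granted"
    return "denied"


def login_sequence(attempts, allow_otp_fallback, max_failures=3):
    """Replay (password_ok, bio_score, otp_code, timestamp) attempts until
    success or lockout. Returns (outcome, failures_consumed)."""
    failures = 0
    for password_ok, bio_score, otp_code, now in attempts:
        if authenticate(password_ok, bio_score, otp_code, now, allow_otp_fallback) == "granted":
            return "granted", failures
        failures += 1
        if failures >= max_failures:
            return "locked_out", failures
    return "denied", failures


# Constructed scenario: legitimate user, correct password, cut finger giving a
# score of 0.55 on every try, but holding a valid TOTP for timestamp 59.
CUT_FINGER = [(True, 0.55, "287082", 59)] * 3
```

With `allow_otp_fallback=False` the scenario ends in `('locked_out', 3)`; with the fallback enabled the first attempt returns `('granted', 0)`.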
Hi Maxim. Nice feature on biometrics. We have featured it on our Biometrics for eCommerce LinkedIn group:
The only thing I would add on point 3 is that there is a lot of misinformation regarding a compromised biometric, because it is not so easy to decrypt compromised biometric data, including a selfie, in the way that it is stored or encrypted. It is pretty useless data to a fraudster. If the data is not encrypted, then it can be fairly easy to deregister a biometric in the same way as a passport document. The only way to compromise a biometric login situation is through spoofing, that is, replicating a fingerprint cast, photo or voice print, for example. However, there are now many liveness security functions in place to combat spoofing too. It all depends on the level of risk, and a multimodal approach using more than one form of biometric for verification is desirable. Using both face and voice in a live environment, for example, raises the level of certainty to 99%. It's all about proving you are who you say you are.
Hi, Steve. Thank you for the comment. Of course, you are right, but still there are some risks. That is why it makes sense to use several factors at the same time. To my mind, the best solution is the use of both biometrics and OTP. I completely agree with you that we should always evaluate the importance of the information we protect and choose the number of authentication factors in accordance with the level of data confidentiality. But if we talk about biometrics on their own, they are better suited for identification than for authentication.
I totally agree with Ann on this one. Biometrics have a lot of drawbacks if used on their own that need to be considered. For example, biometrics can be stolen easily and even changed (assuming I cut my finger). You cannot reset your biometrics like you can a password.
So we need to think of biometrics as usernames and not passwords.
We have touched on some other considerations in this article: https://www.globalsign.com/en/blog/biometric-authentication-considerations/