With more and more financial institutions and corporates adopting biometrics, it is becoming mainstream these days. From Apple’s TouchID to MasterCard’s Selfie Pay, it seems that biometrics is indeed at our fingertips (literally). And for a good reason, as there is a consensus that current password-based authentication schemes are completely broken, while biometrics offers a much more convenient, user-friendly and secure experience. You don’t need to remember passwords anymore, since YOU are the password, be it your voice, fingerprint, iris, or even the shape of your ears.
However, biometrics, like any other security solution, isn’t a silver bullet. Besides the implementation challenges stemming from the nature of the technology, such as FAR (false accept rate) and FRR (false reject rate), it also entails some serious security challenges that should be taken into consideration.
Biometrics and privacy
Since you are the password, this has far-reaching consequences for your privacy. It’s important to understand that being the password is a double-edged sword: your biometrics indeed cannot be forgotten or lost; however, they also cannot be changed (in most cases).
This leads to two immediate conclusions:
- A breach involving compromise of biometric data has the potential to be disastrous. This can’t even be compared to today’s mega breaches resulting in mass password compromise, where in many cases the remediation strategy on the user level is simply changing a password. How would you remediate if your iris biometric information was captured, while you use it to access 15 different web sites? And, unlike the good old password, your iris is what it is, for good—it can’t be changed. Needless to say, this will have severe ramifications.
- With biometric controls becoming ubiquitous, cyber criminals will have a greater incentive to steal one’s identity, even at very high cost. Think about how much bank logins or credit card details sell for on today’s black market, and try to imagine how much a biometric identity will be worth, given that most biometric features are fixed for life and cannot change or expire like the credentials or credit cards in use today. This is the ultimate identity theft.
Protection of biometric data
Well, since biometrics is YOU, it means that the secret used for authentication is now out in the public: your face, ears, iris, fingertips and most other biometric features are publicly visible, so others have access to them. This in turn allows verification attacks on biometric systems, e.g. authenticating with a picture of a face. Your biometric features can be captured anywhere, anytime, without your consent. Just replace “biometric feature” with “secret” or “password” and the issue becomes crystal clear.
However, this isn’t limited to this kind of information. When a user first enrolls in a biometric system, a template of the relevant biometric feature is created. In subsequent authentications, the freshly acquired data (from a camera, microphone or other sensor) is compared against this template to identify the person. The template is typically stored on the endpoint device used for authentication (like a smartphone), or occasionally in a central database. Having this data compromised can lead to severe consequences, as biometric features are often yours, for good.
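To make the enrollment/verification flow and the FAR/FRR trade-off mentioned earlier concrete, here is an added toy example (not from the original post or any real biometric product): a template is the mean of a few enrollment feature vectors, verification is a distance-to-template check against a threshold, and FAR/FRR are measured over constructed genuine and impostor samples. The feature vectors, thresholds and sample sets are all made up for illustration.

```python
import math

# Constructed enrollment samples: three captures of the same (toy) biometric feature.
ENROLLMENT_SAMPLES = [[1.0, 1.0], [1.2, 0.8], [0.8, 1.2]]

# Constructed genuine captures from the enrolled user and impostor captures from others.
GENUINE = [[1.1, 1.0], [0.9, 1.1], [1.3, 1.0], [1.0, 0.6], [1.5, 1.5]]
IMPOSTOR = [[2.0, 2.0], [1.4, 1.0], [0.0, 0.0], [1.0, 1.6], [3.0, 1.0]]


def enroll(samples):
    """Build the stored template as the mean of the enrollment feature vectors."""
    dims = len(samples[0])
    return [sum(s[i] for s in samples) / len(samples) for i in range(dims)]


def distance(a, b):
    """Euclidean distance between two feature vectors (the matcher's score)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(template, sample, threshold):
    """Accept the fresh sample if it is within `threshold` of the enrolled template."""
    return distance(template, sample) <= threshold


def error_rates(template, genuine, impostor, threshold):
    """FAR: share of impostor samples wrongly accepted.
    FRR: share of genuine samples wrongly rejected."""
    far = sum(verify(template, s, threshold) for s in impostor) / len(impostor)
    frr = sum(not verify(template, s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds=(0.35, 0.5, 0.65)):
    """Show the trade-off: loosening the threshold lowers FRR but raises FAR."""
    template = enroll(ENROLLMENT_SAMPLES)
    return {t: error_rates(template, GENUINE, IMPOSTOR, t) for t in thresholds}


if __name__ == "__main__":
    for t, (far, frr) in sweep().items():
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
```

With these constructed samples, tightening the threshold to 0.35 rejects 40% of genuine attempts while admitting no impostors, and loosening it to 0.65 flips that balance, which is exactly the FAR/FRR tension a deployment has to tune.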
Biometrics is an exciting technology that will transform the way we pay, consume and authenticate to various services, mostly to a much more friendly and convenient experience. However, at the same time, we must remain aware of the privacy and security risks associated with these technologies.
Oz Mishli is the vice president of Product at Dyadic Security and cyber security expert. His background includes military service in an elite unit of the Israeli Defense Ministry, as well as various technology and business roles in the industry, specializing in malware research and advanced fraud prevention. Oz was previously head of products at Trusteer, which was acquired by IBM.