With more and more financial institutions and corporations adopting biometrics, the technology is becoming mainstream. From Apple’s TouchID to MasterCard’s Selfie Pay, it seems that biometrics is indeed at our fingertips (literally). And for good reason: there is a consensus that current password-based authentication schemes are completely broken, while biometrics offers a much more convenient, user-friendly and secure experience. You don’t need to remember passwords anymore, since YOU are the password, be it your voice, fingerprint, iris, or even the shape of your ears.
However, biometrics, like any other security solution, isn’t a silver bullet. Besides the implementation challenges stemming from the nature of the technology such as FAR (false accept rate) and FRR (false reject rate), it also entails some serious security challenges that should be taken into consideration.
Biometrics and privacy
Since you are the password, this has far-reaching consequences for your privacy. It’s important to understand that being the password is a double-edged sword: Your biometrics indeed cannot be forgotten or lost; however, in most cases they also cannot be changed.
This leads to two immediate conclusions:
- A breach involving compromise of biometric data has the potential to be disastrous. This can’t even be compared to today’s mega breaches resulting in mass password compromise, where in many cases the remediation strategy on the user level is simply changing a password. How would you remediate if your iris biometric information was captured, while you use it to access 15 different web sites? And, unlike the good old password, your iris is what it is, for good—it can’t be changed. Needless to say, this will have severe ramifications.
- With biometric controls becoming ubiquitous, cyber criminals will have greater incentive to steal one’s identity, even at very high costs. Think of how much bank logins or credit card details sell for on today’s black market, and try to imagine how much a biometric identity will be worth, given that most biometric features are fixed for life and cannot change or expire like the credentials or credit cards in use today. This is the ultimate identity theft.
Protection of biometric data
Well, since biometrics is YOU, it means that the secret used for authentication is now out in public: your face, ears, iris, fingertips and most other publicly visible biometric features are accessible to others. This in turn allows verification attacks on biometric systems, e.g. authenticating with a picture of a face. Your biometric features can be captured anywhere, anytime, without your consent. Just replace “biometric feature” with “secret” or “password” and the issue becomes crystal clear.
However, the risk isn’t limited to this kind of publicly visible information. When a user first enrolls in a biometric system, a template of the relevant biometric feature is created. This template is then used as the reference in subsequent authentication processes, to identify the person from the data acquired (e.g. by a camera, microphone or other sensor). The template is typically stored on the endpoint device used for authentication (like a smartphone), or occasionally in a central database. Having this data compromised can lead to severe consequences, as often biometric features are yours, for good.
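The enrollment and matching flow described above, together with the FAR/FRR trade-off mentioned earlier, can be seen in a small sketch. This is an added example, not code from the article or from any product it names; the feature vectors are constructed, the function names are hypothetical, and Euclidean distance stands in for whatever matcher a real system uses.

```python
import math

# Constructed feature vectors (not real biometric data).
ENROLLMENT = [[0.9, 2.1, 3.0], [1.1, 1.9, 3.0], [1.0, 2.0, 3.0]]
# Later captures from the enrolled user; the last one is a poor capture.
GENUINE = [[1.0, 2.0, 3.1], [1.2, 2.0, 3.0], [1.0, 2.3, 3.0], [1.0, 2.0, 3.6]]
# Captures from other people; the first one resembles the enrolled user.
IMPOSTOR = [[1.0, 2.5, 3.0], [2.0, 2.0, 3.0], [1.0, 2.0, 5.0], [3.0, 4.0, 3.0]]


def enroll(samples):
    """Create the stored template: the per-dimension mean of the samples."""
    return [sum(column) / len(samples) for column in zip(*samples)]


def distance(a, b):
    """Euclidean distance between a template and a probe (assumed matcher)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def verify(template, probe, threshold):
    """Accept the probe if it is close enough to the stored template."""
    return distance(template, probe) <= threshold


def error_rates(template, genuine, impostor, threshold):
    """Return (FAR, FRR) for one threshold."""
    false_accepts = sum(verify(template, p, threshold) for p in impostor)
    false_rejects = sum(not verify(template, p, threshold) for p in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds):
    """Show how FAR and FRR move in opposite directions as the threshold changes."""
    template = enroll(ENROLLMENT)
    return [(t, *error_rates(template, GENUINE, IMPOSTOR, t)) for t in thresholds]


if __name__ == "__main__":
    for threshold, far, frr in sweep([0.25, 0.55, 1.2]):
        print(f"threshold={threshold:<5} FAR={far:.2f} FRR={frr:.2f}")
```

A strict threshold rejects the legitimate user half the time, while a loose one accepts half of the impostors; the template returned by `enroll` is the stored reference whose compromise the article warns about.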
Biometrics is an exciting technology that will transform the way we pay, consume and authenticate to various services, mostly toward a much friendlier and more convenient experience. However, at the same time, we must remain aware of the privacy and security risks associated with these technologies.
Oz Mishli is the vice president of Product at Dyadic Security and a cyber security expert. His background includes military service in an elite unit of the Israeli Defense Ministry, as well as various technology and business roles in the industry, specializing in malware research and advanced fraud prevention. Oz was previously head of products at Trusteer, which was acquired by IBM.