By: Darren Guccione
Users should think of biometrics as a key part of multi-factor authentication – not the only lock on the door
Crystal ball predictions are common in such a dynamic, fast moving environment as the computer industry. Some prove accurate, others quite the opposite. Now from some corners of the world of punditry comes this latest prognostication: That single-most familiar and ubiquitous computing practice of virtually every computer and device user – the password – is on its last legs, about to be replaced by biometrics.
Some surveys and studies recently seem to indicate a rising tide of confidence by consumers in the ability of biometrics to secure digital data, possibly even obviating the need for passwords. That is not only an incorrect assumption. But also it is a potentially dangerous one that could put your digital data at great risk.
So it is when it comes to passwords and biometrics. This is not to say that biometrics cannot be a significant part of an effective strategy to thwart hackers and cyber attacks, if not a very convenient and quick way of doing so. However the reality is that biometrics by itself cannot provide security on its own, but rather as a component of the kind of multi-factor authentication that virtually all security experts advocate today. In other words, as far as biometrics go, convenient – yes. Comprehensive – no.
This rising sentiment for biometrics is apparent in a recent survey of some 1700 users undertaken by Keeper Security. In that survey, 47 percent of all respondents believe that biometrics are convenient as well as hard to fake. Another 20 percent say biometrics offer strong authentication and accountability. But one in four – 25 percent - also say they would be uncomfortable using biometrics, with baby boomers leading the pack here at 28 percent compared with millennials (21 percent) and GenXers (23 percent). About one in four respondents reported they feel uncomfortable using biometrics.
Another recent survey found that only half of the 1,000 respondents were very familiar with biometrics, but nonetheless see certain biometric techniques such as fingerprint recognition and eye scanning as effective for securing online payments. However, that survey also found that half the respondents see biometrics as a means of eliminating password use and the issues created when passwords are forgotten. This is important, given that virtually all mobile digital devices will be equipped with biometric capabilities by 2020 – just two years out.
Therein, however, lie the misperception that biometrics alone can do the job of securing digital data. This simply is not true. For one thing, when for example a fingerprint is used to unlock an iPhone, the user’s password is ‘unlocked’ and still used to open the phone for use. That is, while the fingerprint technique is convenient, it still does not secure or unlock the phone on its own. And if the underlying password is a weak one, the device is still very vulnerable to attack.
Also if a hacker discovers a weak password such as 123456, the attacker can then log into the compromised device and establish a new fingerprint – theirs! The only way around this vulnerability is to set up stronger passwords.
Going "all in" for biometrics can be risky, costly, and dangerous. Consider what may be the world’s most ambitious biometric identity project to date, the massive Aadhaar project wherein the central government of India has provided unique biometric identifiers for all 1.2 billion Indians. With the data stored in a massive database, an individual’s identity can allegedly be verified in 200 milliseconds – about as long as it takes to blink. The main driver of this biometric project was to enable residents to more efficiently access various government benefits, such as food coupons and loans – all with assurances of the utmost security of highly personal data.
But various reports out of India in the last year show the biometric data is anything but safe and secure, little so that some people were selling biometric identification data to the highest bidders on WhatsApp. Various journalists and technologists have claimed the system can be compromised in various ways, including allowing certain third parties to access the data. This simply cannot be done in a system based on multi-factor authentication in which strong passwords are a central part of the solution.