Are we sure about Biometrics for Security? I’m not. Partially, it is because I am lazy and don’t want to deal with chasing the new fad that will soon be replaced by another fad. More importantly, I don’t trust the people storing the Biometric data. What are Biometrics? Why should I care? I’m glad you asked!
First, a bit of background on security authentication factors. When a digital device needs to recognize a user, they need to have the user provide information associated with the account. That information is classified generally as:
- Something we know (knowledge factors)
- Something we have (possession factors)
- Something we are (inherence factors)
Biometrics is the business of satisfying the Something We Are factor with our fingerprints, retina patterns, voice, face or other body part. We become our own passwords! How convenient. Biometrics are popular for several key reasons noted by the Rand corporporation:
- Biometrics are never lost or stolen – you never hear ‘Honey, where did I leave my eyeball?’
- Biometrics are never forgotten (unless you forget which finger you use to unlock your iphone)
- Biometrics offer speed, efficiency and convenience – the biometrics are usually on hand (I’m sorry, the pun was irresistible…)
With the massive convenience of use and the fact Apple incorporated biometrics into their newer phones helps accelerate adoption of biometrics. People also feel secure because they comfort themselves that casual thieves cannot easily defeat biometrics or use cracking software like they can with passwords.
As an engineer, I love the idea. First of all, it is so cool! This is the magic of Star Trek brought to life. Second, we all know someone who forgot a password and rendered something (like my original Yahoo account or my wife’s iPhone backup) completely useless. Or at least, if you didn’t know someone before, now you can laugh at me. If I had used biometrics, I wouldn’t have that problem. As noted above, users cannot forget or easily lose body parts and biometrics are much harder to use without your permission – if someone stole my eye for a retinal scan, I hope I would know.
But are they secure? Also, what are the consequences if they are leaked?
Remember, security is only as good as the weakest link. In order to recognize your body part, say your right iris, a device must scan it and keep a digital record. That digital record must then be stored and made available for comparison with future scans to make sure that the next eyeball looking at the scanner is your eyeball. Easy enough. Now comes the trouble. How and where is that digital record being stored?
Very big companies with huge resources suffer public breaches regularly (Facebook, Experian, etc.) and sometimes the breach includes passwords that were incorrectly stored. In March of this year, KrebsOnSecurity covered that Facebook passwords were stored in plain text and searchable by thousands of employees for years. If I give them my face, what assurance do I have that they will store it any better? Facebook made $6.88 billion dollars in profit last year. Can a company with smaller resources really be trusted to do much better? While the computer must inherently convert our body part into zero’s and one’s for storage, how does the average user like me know if the algorithm is ‘salting’ my face data or using encryption? How can I be sure that if the database is leaked, that my face won’t be widely available on the internet for hackers to use? This type of breach suffers much more severe consequences than a password breach. If a face can be stolen, could it be used to conduct more powerful identity fraud than we currently face? Will I go up to the Social Security office and be told someone with my face and fingerprints already registered in New Mexico and has been cashing benefits for two years? If they determine it was fraud, will I be found guilty because it was my face and fingerprints? It is really, really hard to change my face after a breach.
Of course, my face is already on LinkedIn and Facebook and Twitter in photos. Can my face password be faked? Kaspersky Lab notes that Apple’s iPhoneX “projects 30,000 infrared dots onto a user’s face” and a mistaken identity is a “one in a million” chance. Cool, so with 8 billion people on the planet, my iPhone X could only be used by ~8,000 people. However, the article goes on to reveal additional weaknesses. “Researchers at the University of North Carolina at Chapel Hill downloaded photos of 20 volunteers from social media and … successfully breached four of the five security systems they tested.” How long before less sophisticated people can purchase software to scan multiple pictures and build fake faces based upon our social media posts? Perhaps, we’ll have to make more and more complex combinations of biometrics to use as our passwords to compensate for the theft of a few. My voice plus my face plus my fingerprint perhaps? That will be more robutst, but that is also just that much more to steal.
We have not yet begun to talk about entities misusing our biometrics for surveillance or for targeted advertising. Yet all of the blogs I have read so far stop here, and my paranoia goes deeper. Even if we solve the issues of leaking and faking, can biometrics survive our own human weaknesses? People get into car accidents, have stokes, or cut off their fingertips in car doors. The more robust the version of the biometric password, the more susceptible that password becomes to our human fragility. If I have a stroke, maybe my fingerprint works well, but if part of my face is paralyzed, how could I use my face and my voice for my Face+Voice+Fingerprint password? If I put a laptop with facial recognition into storage and try to use it 20 years from now, will I be authenticated? How much will weight gain or wrinkles affect the algorithm?
Very smart people designed these biometrics and I am confident they are working to counter every paranoid fear that I have and many more that I am too ignorant to imagine. However, I also know human nature. Seatbelts were available for decades before a US law in 1968 required them to be standard equipment in all personal vehicles. Yet even with the forced inclusion, people didn’t regularly wear them for decades more! State governments had to pass laws and advertise constantly for people to start to change their behavior regularly in significant numbers. New features are expensive and apparently $6.88 billion is not enough profit for some companies to start using basic password security methods. For now, I’m going to be paranoid and use biometrics as sparingly as possible. I am OK with passwords – I can change them without surgery.