Do you remember the first time you were awed by the biometric authentication used to verify someone’s identity in a movie? Perhaps you watched a character use voice recognition to board a Pan Am space plane in 2001: A Space Odyssey; perhaps you watched Tiffany Case use a fingerprint scanner to authenticate her guests in the James Bond movie, Diamonds are Forever; or perhaps you watched Simon Phoenix use someone else’s eyeball to bust out of prison in Judge Dredd.
What is a common technology in Sci-Fi or James Bond movies is now finding its way into our everyday lives. For example, when I pick up my kids from daycare, I have to use two forms of authentication. To get into the facility, I present my name badge (“something I have”) to a scanner. When the scanner turns green, the door unlocks. Next, I use my fingerprint (“something I am”) to log into a computer and checkout my kids. However, since the fingerprint scanner fails to work much of the time, the daycare has now replaced the “something I have” with a “something I know,” and I now log in using a password to avoid being locked out.
Because of the problems I experienced in using my fingerprint as a form of authentication, my excitement for biometrics as a security metric has cooled down a bit. Fingerprint or voice recognition as a form of authentication may appear to be a very exciting prospect, but it is crucial to be aware of some of the cons that come with biometric authentication before rushing blindly into its implementation.
Biometric security has significant advantages over other forms of identification: it's fast and easy to use, and unlike a login or password, which requires memorization and is easily replicable, an individual's fingerprints, irises, and facial constructs should be impossible to duplicate. But as the sole form of security, it can cause problems.
One-factor authentication is generally “something you know," which generally indicates a password. If you opt to use biometric authentication, or “something you are,” as your one-factor form of authentication, take a minute and ask yourself how this information is being implemented and whether it is really making your device more secure.
In his article “False sense of security spreading on a gigantic scale,” Hitoshi Kokumai points out that fingerprint authentication is not being used to make phones more secure but rather as a form of convenience. Further, biometric data is stored on devices, and those devices can be hacked. There is no doubt that the future of identity theft will involve compromising biometrics; attackers are likely already working on finding a way around these systems.
When biometric security is implemented improperly, you are lessening your security. For example, if my finger print fails to give me access to my phone, I am then asked to enter my passcode. Instead of replacing my password, my fingerprint is working in parallel with my passcode.
When biometric security is implemented properly, it adds another layer of security. My fingerprint failed at my kids’ daycare, and the computer did not ask me for “something I knew” or “something I have” to allow me entry, it locked me out with no other alternative. Luckily, at daycare, someone is always there when I need to log into the computer and pick up my kids.
Also, with biometric authentication, biological traits become more valuable as data, and as such, how do we protect it? Does this necessitate a future of wiping down your laptop after every use, or wearing gloves while using it to prevent bad actors from lifting your fingerprints off it? What about your voice? Is it safe to leave a voice message for fear that someone will use it to learn how to mimic your voice?
This leads to the biggest drawback of all, as pointed out by Oz Mischli in Adrian Bridgwater’s article, which states that biometric features are very difficult if not impossible to change if they are stolen. If a password is compromised, it can be changed and reset; if a Client Certificate is stolen, it can be revoked and a new one issued; if a OTP device is stolen, it simply needs to be canceled and reconfigured. But companies are very limited in their choices if important fingerprints or vocals are breached.
Discussing the cons of biometric authentication is not meant to stop you from using it as a factor in two or three-factor authentication systems. Advances in security can be great, but it is important that you do not allow the appeal of new and exciting technology to take precedent in security related decisions. Make sure to investigate your options thoroughly before implementing another factor of authentication in your business or personal life.
It is up to enterprises and other institutions to recognize the importance of protecting their data from bad actors by building secure, sustainable infrastructures within their systems, such as requiring multi-factor authentication to access sensitive data. This is a vital step for protecting not only company data, but more importantly, the company's customers. Do not let convenience or the excitement for new technology weaken your security.