Biometric security in the last decade has moved out of cheesy sci-fi thrillers or James Bond films, and into our everyday lives. Thumbprint scanners and now facial recognition software provides convenient and relatively secure options for locking one’s phone or laptop. On the surface, this seems like a privacy nut’s dream come true. Biometrics do away with the difficulty of remembering complicated passwords and allow for user-friendly data protection. Lookin a little deeper, however, turns up some very concerning issues with biometrics that might outweigh the benefits.
As with almost every semi-new technology, the United States legal system is severely behind the times with regard to biometrics. The fifth amendment is intended to prohibit the government from forcing a person to testify against him/herself. This means that you cannot be compelled to disclose a password if you feel that in doing so you would be incriminating yourself. Unfortunately, the same thing cannot be said about biometrics. Courts or police officers can force you to place your thumb on a print scanner in order to unlock a device. Until the legal system catches up with this particular technology, many people might very well consider this a deal breaker for using biometrics. For most, however, this issue tends to fall into the category of an unfortunate nuisance, and not something that will affect them personally. The ‘if you have nothing to hide then who cares’ mentality is incredibly prevalent in America, and while I personally dislike this argument, I understand the motivation behind it and understand that not everyone can be as paranoid as myself.
Poor Security Hygiene
Much of the hype surrounding biometric security claims that biometrics are more secure than a standard password, and this is definitely true, but only when we look at security in a fairly narrow context. It is true that a thumbprint is exponentially harder to crack than a standard 12 character password. And this is great news because it means greater security without needing to remember anything. However, it is important to understand that we are talking about computers, so at some level, biometrics are converted to and stored as a string of numbers. This is dangerous for multiple reasons:
1. Static Security: A frequently parroted rule of thumb in the security industry is that it is good security hygiene to change your passwords every 90 days. Obviously very few people actually follow this rule, but it does a good job of at least instilling a little caution in people. This rule came to be because of how passwords are stored in most databases. Contrary to what our intuition might assume, passwords are not stored as plain-text usually, but are instead stored as hashes (a mathematically one-directional distortion of a password). This prevents anyone from stealing your password if they ever get ahold of the database. 90 days was once the estimated time it would take a hacker to break that hashed password. This rule is severely outdated now because in the event a hacker already has access to a database, it doesn’t take anywhere near that long to break a password. That bit of computer science history aside, it is still a good idea to change your password every now and then in order to keep the target that is your password moving. This is where biometrics fall far short of standard password security.
Unless you are good friends with a talented plastic surgeon, changing your fingerprint or facial structure is not possible. So even if it takes longer to crack a biometric password than a standard password, there is nothing you can do to make yourself secure again if that biometric is ever broken.
2. Consistent Security: Another, much more obvious security rule of thumb is to never use the same password for more than one account. This issue is relatively self-explanatory. Unless you have some system of generating fake prints easily, you are pretty much locked in to only using a single thumbprint or face across every account or device that you use biometric security with. This leaves you with a target rich environment of potential initial points of failure. And as pointed out above, once one device or account get’s hacked, there is no way of changing your biometrics to protect the others.
Amidst all of the Cambridge Analytica controversy, Facebook is facing plenty of other privacy violation cases. In Illinois, while it is for some reason legal to collect biometric data of people without permission, it is against the law to use or distribute that data without permission, and as such, earlier this week it was ruled that Facebook will have to defend itself against a class action lawsuit for violating this law with its photo-scanning/facial recognition data. Frankly, with how technology is developing, even the collection of biometric data should be outlawed when done without consent. It is only a matter of time before a hacker takes facial recognition data from Facebook and uses it to crack the facial recognition unlock on an iPhone.
The fact that social media stores information about users’ faces should be enough to make us reconsider using that same technology to secure our devices. Any biometric information that is also held by a company (specifically one that is notorious for selling personal information) should never be used as one’s primary source of security. Our biometrics don’t change easily, so once our data is out on the internet, we should not expect biometric security to be as secure as some might have us believe.
Biometric security is cool and convenient, but the permanent and sometimes public nature of biometrics make the technology a tremendous long-term security risk. Biometrics is a fine way to bolster security as a supplementary form of authentication to be stacked on what security one might already have in place, but I would never recommend using biometrics as your primary form of security.
Walker Riley is a recent graduate of the University of Texas at Austin’s Master’s program in Information Science, where he specialized in Information Security. As the Information Systems Manager at ePatientFinder, Walker maintains and secures ePatientFinder’s EHR connections, as well as the servers that make those connections possible. Before working at ePatientFinder, Walker worked as a systems administrator at UT’s iSchool.