Think about how rapidly the gadgets around us have evolved: hardware and software, choices and varieties. It’s a true paradise for any tech geek and casual user alike. This evolution, of course, comes with a matching sophistication in the way we interact with our data and with the security this brave new world offers us.
After years of the questionable pleasure of remembering dozens of usernames and passwords, we seem to be on the brink of moving to something cozier: biometrics. It’s no fun keeping a whole database just to know what credentials you used for every single service you’re hooked on. We need, some people insist, something cooler. But is biometric authentication really as cool as it seems? Is biometrics a true security tool for businesses and government organizations?
The cool security kid around the block
Just like a shiny new iPhone 6s on launch day, biometrics is considered the cool kid on the block. Fingerprints, iris scans, facial recognition and whatnot: it’s as if you were living in the future. No passwords, no irritating usernames you have to dig around for in your brain.
It’s minimum effort with maximum efficiency, slapped across all the data that swirls around your everyday life.
Naturally, tech giants have caught on. It’s no coincidence we mentioned the iPhone just now: Apple has its Touch ID, with iUsers increasingly choosing biometrics as their authentication method. Microsoft has ‘furnished’ Windows 10 with some hip biometric options too, so as not to lag behind in the race. Mastercard has used selfies to vouch for online transactions, confirming that yes indeed, it is you purchasing this brand-new something off e-commerce’s grid of consumer temptations.
Biometrics is cool. It’s the future. It’s so, so convenient, and oh-so-fashionable. After all, snapping a selfie is way more exciting than punching a password into a blank field, right?
Here’s the catch, though: biometrics is far less secure than you’d expect it to be. And that, let’s admit it, is neither cool nor the common perception. Why?
Well, the rules of security are pretty simple: a system is only as secure as the weakest link in the chain. Biometric authentication involves storing a template, the derived data “caught” by a biometric scan, and comparing every later scan against it. Sure, companies encrypt that template, but it remains exposed as long as the key to the data is stored somewhere the matcher (or an attacker) can reach. This is the main reason we never store any of your encryption keys anywhere with our SmartCryptor security tool.
All these things you’d better know about biometrics
What did you do the last time you thought someone had gotten hold of your password? Given time to react, you of course navigated through a few clicks and generated a new one. It’s that simple and easy.
No change in the land of biometrics
Your biometrics, on the other hand, are constant bio-data wired to your body. You can’t change your fingerprints. You can change your face, but it’s probably not worth it if you’re doing it because of a security breach on some random gadget.
What we’re focusing on here is that biometrics, while cooler, are still a target for hackers. The stored data can still be slyly reverse engineered by cyber criminals, who can then abuse the credential they have obtained.
The worst part is that once your biometric authentication value is stolen, there’s absolutely nothing you can do about it. That’s one of the most severe risks inherent in biometrics as a form of security.
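To make the two points above concrete (an encrypted template still has to be available in the clear to whatever does the matching, and a leaked biometric cannot be rotated), here is an added example in Python. It is not code from the original post and has nothing to do with SmartSignin or SmartCryptor; the 256-bit template, the bit-flip noise model and the 40-bit match threshold are our assumptions standing in for a real fingerprint or iris matcher.

```python
"""Added example: why a leaked biometric cannot be hashed away or revoked like a password.

Assumptions (not from the post): a biometric template is modelled as a 256-bit
string, a sensor scan flips a few random bits of it, and two scans match when
they differ in at most MATCH_THRESHOLD bits. Real matchers are more involved,
but the two properties shown here are the same.
"""
import hashlib
import hmac
import os
import random
from typing import Dict, Optional

ITERATIONS = 100_000        # PBKDF2 work factor for the password side
TEMPLATE_BITS = 256         # assumed size of a biometric template
SCAN_NOISE_BITS = 20        # assumed number of bits a sensor gets wrong per scan
MATCH_THRESHOLD = 40        # assumed max differing bits for a positive match


# ---------- Passwords: store a salted hash, compare exactly ----------
def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); the password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Exact match on the hash: works because the user types the same bytes every time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# ---------- Biometrics: every scan of the same finger is slightly different ----------
def scan(person_seed: int, scan_seed: int) -> int:
    """Constructed sensor model: the person's true template with a few bits flipped."""
    template = random.Random(person_seed).getrandbits(TEMPLATE_BITS)
    noise = random.Random(person_seed * 10_000 + scan_seed)
    for pos in noise.sample(range(TEMPLATE_BITS), SCAN_NOISE_BITS):
        template ^= 1 << pos
    return template


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def verify_biometric(stored_template: int, fresh_scan: int) -> bool:
    """Fuzzy match: the matcher must see the stored template in the clear (or decrypt it)."""
    return hamming(stored_template, fresh_scan) <= MATCH_THRESHOLD


def verify_hashed_biometric(stored_template: int, fresh_scan: int) -> bool:
    """The password trick applied to a biometric: hash both sides and compare exactly."""
    def h(t: int) -> bytes:
        return hashlib.sha256(t.to_bytes(TEMPLATE_BITS // 8, "big")).digest()
    return hmac.compare_digest(h(stored_template), h(fresh_scan))


def demo() -> Dict[str, bool]:
    """Run both stories side by side and return the outcomes."""
    # Password: after a leak the user picks a new one and the old digest is dead.
    salt, _old_digest = hash_password("correct horse battery staple")
    _, new_digest = hash_password("new passphrase after the breach", salt)
    password_revoked = not verify_password("correct horse battery staple", salt, new_digest)

    # Biometric: enrol from one scan, authenticate with another scan of the same finger.
    enrolled = scan(person_seed=1, scan_seed=0)
    fresh = scan(person_seed=1, scan_seed=1)
    impostor = scan(person_seed=2, scan_seed=0)

    # After the template leaks, "re-enrolling" only yields another scan of the same
    # finger, so the stolen template still passes against the new enrollment.
    stolen = enrolled
    re_enrolled = scan(person_seed=1, scan_seed=7)

    return {
        "password_revoked": password_revoked,
        "fuzzy_match_accepts_user": verify_biometric(enrolled, fresh),
        "fuzzy_match_rejects_impostor": verify_biometric(enrolled, impostor),
        "hashed_template_accepts_user": verify_hashed_biometric(enrolled, fresh),
        "stolen_template_still_valid": verify_biometric(re_enrolled, stolen),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run it and the password side revokes cleanly, while hashing the biometric breaks matching outright: two scans of the same finger never hash to the same value, so a service has to keep (or decrypt) the template itself to compare against it, and re-enrolling after a leak changes nothing because the thief’s copy still matches the new enrollment.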
In 2014, Jan Krissler, a well-regarded biometrics research hacker, took high-resolution photos of a hand from approximately 3 meters away and successfully reconstructed the fingerprint of Germany’s defense minister, Ursula von der Leyen, from them. Lesson learned: it is entirely possible to steal a fingerprint without ever touching the person or their property.
In September 2015, 5.6 million US federal employees found out about the inconvenience of safeguarding their data with biometrics when hackers got hold of their fingerprints from the database of the Office of Personnel Management (OPM).
Think about it: someone somewhere now has this vital and ultimately personal information, for life!
Another biometric breach came when the iPhone 5s had just been released with its much-loved Touch ID and the Chaos Computer Club hackers bypassed its authentication. What they did is simple: copy a person’s fingerprint from a high-resolution image, print it out with a thick layer of printer toner (so it forms a mould) and cast a dummy fingertip out of wood glue.
Boom. Your biometric data has just been stolen and, unlike a password, you can’t revoke it. Your fingerprints are here to stay, after all.
You can move the data, but you can’t remove the risk
Some companies using biometrics were naive enough to store customers’ data on central servers. To see why this is a pretty bad idea, read our free comprehensive whitepaper on storing data securely in the cloud.
Recently, most services have migrated to storing the data on your own personal device. Good, right?
Not so much. Moving the biometrics from one storage location to another is surely an improvement. Still, it doesn’t escape the harsh reality: your personal device can be stolen and can be infected with malware. From there on, it’s the usual story: your security is breached and you can’t do a thing, because your biometrics stay the same and you can’t change them.
Speaking of companies and what they store: with biometrics being a recent trend, can you really be sure your data doesn’t stay in their records? Do you feel comfortable with a corporation possibly holding things like your fingerprints, iris scans or facial characteristics in a log? Is the industry regulated enough for you to feel at ease? Is biometrics the security tool needed for safer authentication?
Or, shifting a bit and looking at things from a business perspective: leading analysts PricewaterhouseCoopers (PwC) point out that different countries apply different privacy laws to the collection and transfer of biometric data. This makes it incredibly hard for a business to juggle, and promises a world of regulatory pain if any data gets stolen, compromised or misused.
What PwC advises is what we mentioned earlier: storing all that precious information on the user’s device instead of a centralized server. Again, this is where we disagree. Data can be stored anywhere as long as the keys to the data are never stored (neither on the device nor on the servers), a policy we follow in both SmartSignin and SmartCryptor. This is what makes our solution fantastic: the data can be centralized while the keys are always decentralized.
A brisk taste of two-faced legalese
Speaking of regulations, here’s an interesting tidbit. The Fifth Amendment protects you from being forced to reveal what you know (in other words, credentials like a username and password). However, a Virginia Circuit Court recently ruled that demanding a suspect immediately provide a fingerprint to unlock a mobile device is fully in line with the law.
Isolated case or not, this ruling highlights a very important distinction that might set a precedent for the future: something you know is protected, something you are is not. Laws might get comfortable with this distinction, putting biometrics users in a tight spot.
Something similar might happen in another public domain: gathering iris data from citizens. Right now, for anyone (read: institutions) to fetch your iris biometrics, you need to be close to each other. With researchers from Carnegie Mellon University working on a new long-range camera for capturing iris scans from as much as 10 meters away, you can feel control over who has your biometric data slipping away. As you can guess, advancements like this are really not in the interest of the general population, be it in our role as consumers, citizens or users.
It’s REALLY not only about your smartphone but all connected devices
When we think biometrics, we tend to think of the smartphones sitting comfortably in our pockets. Still, biometrics extends to everything from the Internet of Things to smartwatches and other systems.
Analysts at Gartner estimate that around 30% of organizations across the globe will rely on biometric authentication for mobile devices by the end of this year. By 2020, they put the number of IoT connections generated by biometric sensors at 26 billion.
However, there are still holes in biometric standardization, so identities cannot yet be secured and authenticated consistently. And the IoT infrastructure is just as vulnerable to hacks, suffering from the same potential long-term compromise that might turn your digital life upside down.
Tony Beltramelli from the University of Copenhagen’s IT faculty highlights possible future challenges related to smartwatch biometric data. In his Master’s thesis he simulates how a compromised smartwatch might be used to harvest a specific set of biometrics: your hand’s movements.
Sure enough, this is still a rather niche and far-fetched concept: a specific experiment under controlled conditions.
However, it raises some alarming points in a world of increasing security breaches and governments eager to collect our data. Combine those two with the fact that biometrics are inherently irreplaceable, and maybe it’s not worth visiting the security playground with the hip kid on the block after all.
Krissler gets a unanimous nod of approval from our team. Backed by an enormous industry standing behind its facade, biometrics is touted as a cutting-edge, marvelous security mechanism.
Does all the hype mean it’s really your best bet for securing your personal data?
Far from it. The way biometrics works can put a long-lasting risk on your sensitive information, without you being able to reverse the mishap. The alluring selfie-as-verification concept might have to wait, at least for those who truly value their privacy.