Biometrics are a complement to good password security practices, not a replacement for them
People used to be suspicious of the notion of having their face, fingerprints or other biometric data “on file” somewhere. Not anymore. Most people now use a fingerprint or face scan to unlock their phone and a growing number of accounts, including not just personal phones and apps but also corporate devices and apps that hold confidential business information.
It’s easy to understand why end users love biometrics. Instead of having to remember multiple passwords and manually type them in, all users have to do is touch a small scanner and voilà! What could be easier and more convenient? No wonder the market for biometric solutions is expected to reach nearly $60 billion by 2025.
Biometrics hold a lot of promise as an authentication factor, particularly now that so many people are working remotely. However, when users lean on them too heavily, password security tends to fall by the wayside. That includes not only the time-honored practice of using a strong, unique password for every account but also adding further layers of security, such as multi-factor authentication (MFA).
This is fueled by a persistent myth that password security no longer matters because biometrics are set to “replace” passwords. Let’s dispel this myth right now.
Biometric Authenticators Depend on Passwords
The confusion is rooted in a fundamental misunderstanding of how biometric authentication works. Fingerprint, iris and facial recognition scanners don’t replace passwords. In the common design, here’s what goes on behind the scenes when an end user scans their fingerprint, iris or face:
- The biometric authenticator compares the fresh scan against the template enrolled on the device and answers a single “true-false” question: is it close enough to count as a match?
- If there’s a match, the device releases the user’s stored password from the device keychain (or keystore) and hands it to the app.
- The app authenticates the user based on this password, exactly as if it had been typed in.
Biometric authentication solutions don’t “replace” passwords. They abstract away the chore of typing them in. The password is still the credential the app actually checks, so if a user chooses a weak or common password, a cybercriminal can access the device or app simply by skipping the biometric step and entering the password. The same logic applies to the device passcode that protects the keychain itself: it is the fallback whenever the sensor fails or is unavailable, so its strength bounds the whole scheme.
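To make the flow above concrete, here is an added example in Python (not code from the original article or from any vendor). It simulates the device side (a threshold-based biometric match gating a keychain entry) and the app side (a salted password hash that knows nothing about fingerprints). The enrolled template, the noise model, the match threshold, the wordlist and the passwords are all constructed for illustration. It shows two things: a spoof that lands inside the match threshold is released the password just like the real finger, and an attacker who skips the sensor altogether and guesses a weak password is authenticated anyway.

```python
"""
Added example, not from the original article: simulation of the
"biometric unlocks a stored password" flow, with constructed data.
"""
import hashlib
import hmac
import os
import random
from typing import List, Optional

# ---- App side: only ever sees a password -----------------------------------

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of hash an app should store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

class App:
    """The app has no idea whether a biometric was involved; it checks a hash."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, hash_password(password, self.salt))

# ---- Device side: biometric gate in front of a keychain entry --------------

def hamming(a: int, b: int) -> int:
    """Bit-distance between two 64-bit feature vectors (hypothetical encoding)."""
    return bin(a ^ b).count("1")

class BiometricKeychain:
    """Stores the password and releases it when a scan is 'close enough'."""
    def __init__(self, template: int, password: str, max_distance: int = 6):
        self.template = template          # enrolled feature vector (constructed)
        self.max_distance = max_distance  # the false-accept / false-reject knob
        self._password = password         # the secret the app actually wants

    def matches(self, scan: int) -> bool:
        # True/false only: the sensor never proves who you are, just "near enough"
        return hamming(scan, self.template) <= self.max_distance

    def unlock(self, scan: int) -> Optional[str]:
        return self._password if self.matches(scan) else None

def biometric_login(app: App, keychain: BiometricKeychain, scan: int) -> bool:
    """Steps 1-3 from the article: match, release password, app checks password."""
    pw = keychain.unlock(scan)
    return pw is not None and app.login(pw)

def password_guess_login(app: App, wordlist: List[str]) -> Optional[str]:
    """Bypass the sensor entirely: the app accepts a correct guess all the same."""
    for guess in wordlist:
        if app.login(guess):
            return guess
    return None

# ---- Constructed scans -----------------------------------------------------

TEMPLATE = 0x5A5AC3C3F00F1E2D  # hypothetical enrolled fingerprint template

def noisy(template: int, nbits: int, seed: int) -> int:
    """Flip nbits distinct bits of the template to model sensor noise / a spoof."""
    rng = random.Random(seed)
    scan = template
    for bit in rng.sample(range(64), nbits):
        scan ^= 1 << bit
    return scan

def demo() -> dict:
    weak_app = App("Summer2020!")                      # constructed weak password
    strong_app = App("vault-granite-92-ember-tide")    # constructed strong password
    keychain = BiometricKeychain(TEMPLATE, "Summer2020!")
    genuine = noisy(TEMPLATE, 3, seed=1)    # real finger, a little sensor noise
    spoof = noisy(TEMPLATE, 5, seed=2)      # replica lifted from a print: still in threshold
    stranger = noisy(TEMPLATE, 28, seed=3)  # someone else's finger
    wordlist = ["password", "123456", "Summer2020!", "qwerty", "letmein"]
    return {
        "genuine_finger": biometric_login(weak_app, keychain, genuine),
        "lifted_print_spoof": biometric_login(weak_app, keychain, spoof),
        "other_person": biometric_login(weak_app, keychain, stranger),
        "bypass_guess_weak": password_guess_login(weak_app, wordlist),
        "bypass_guess_strong": password_guess_login(strong_app, wordlist),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>22}: {v}")
```

The point of the two bypass lines is that `App.login` is the only real boundary: the sensor's verdict never reaches the app, so nothing the biometric does can compensate for a password that appears on a wordlist, while the strong password survives the same guessing attempt with the sensor never touched.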
Biometrics Can Be Circumvented
Another misconception about biometric authentication is that it is somehow inherently more secure than a password. If a user’s mobile device is lost or stolen, the logic goes, cybercriminals will be unable to access it without the user’s fingerprint or face.
Not so fast. When Samsung launched its Galaxy S10 smartphone in 2019, one of the device’s major selling points was its ultrasonic fingerprint sensor, which was ostensibly more secure than traditional optical readers.
A security researcher defeated the sensor using a fingerprint lifted from a wine glass, some software and an LCD resin printer. Some people may have taken comfort in the fact that this particular method required specialized software and a printer with an accuracy of 10 microns. That comfort didn’t last long: later in 2019, a group of Chinese researchers demonstrated how to defeat the fingerprint lock on any smartphone, ultrasonic sensor or not, with $140 worth of equipment and an app that analyzes a photograph of a fingerprint.
Biometrics Can’t Be Changed
Perhaps the strongest argument against leaning too heavily on biometrics is that a stolen password can be reset, but a stolen fingerprint or face cannot. Further, a password that is strong, unique and stored only as a salted hash is hard to recover, and if it does leak it can be rotated. Biometric samples, by contrast, are easy to capture: humans leave fingerprints everywhere, and our faces and even irises can be recorded, photographed or scanned from a distance without us ever knowing.
Cybercriminals don’t even have to follow targets around to lift fingerprints or take photos. Databases containing biometric data can also be breached. In 2019, a database owned by a U.S. Customs and Border Protection (CBP) contractor was compromised, exposing photos of 184,000 travelers. At least some of the images ended up on the Dark Web. Three months later, the developers of a biometric lock system used by the UK Metropolitan Police, along with banks and defense contractors worldwide, were found to be storing 23GB of fingerprints, facial recognition images, login credentials and other sensitive information in an unencrypted, publicly reachable database.
Reports of the Death of Passwords Have Been Greatly Exaggerated
Biometrics aren’t inherently bad, but they’re not a replacement for passwords, not now and not for the foreseeable future. This doesn’t mean organizations should ditch biometrics completely. Instead, they should be one layer in a multi-layered approach to security that includes, rather than replaces, comprehensive password security and robust identity and access management (IAM).