Biometrics Don’t Replace Mobile Password Security

Biometrics are a complement to good password security practices, not a replacement for them

People used to be suspicious of the notion of having their facial recognition, fingerprints or other biometric data “on file” somewhere. Not anymore. Pretty much everyone uses their fingerprint to log into both their phone and a growing number of accounts, including not just personal phones and apps but also corporate devices and apps that contain confidential business information.

It’s easy to understand why end users love biometrics. Instead of having to remember multiple passwords and manually type them in, all users have to do is touch a small scanner and voilà! What could be easier and more convenient? No wonder the market for biometric solutions is expected to reach nearly $60 billion by 2025.

Biometrics hold a lot of promise as an authentication factor, particularly now that so many people are working remotely. However, when users lean on them too heavily, they tend to allow password security to fall by the wayside. This includes not only the time-honored practice of using a strong, unique password for every account but also adding layers of security, such as multi-factor authentication (MFA).

This is fueled by a persistent myth that password security no longer matters because biometrics are set to “replace” passwords. Let’s dispel this myth right now.

Biometric Authenticators Depend on Passwords

The confusion is rooted in a fundamental misunderstanding of how biometric authentication works. Fingerprint, iris and facial recognition scanners don’t replace passwords. Here’s what goes on behind the scenes when an end user scans their fingerprint, iris or face:

  • The biometric authenticator performs a “true-false” query to determine if the biometric it just scanned matches what it has on file.
  • If there’s a match, the biometric authenticator retrieves the user’s password out of the device keychain and transmits it to the app.
  • The app authenticates the user based on this password.

Biometric authentication solutions don’t “replace” passwords. They just abstract away the complexity of manually typing them in. This means that if a user chooses a weak or common password, a cybercriminal can access the device or app simply by bypassing the biometric authenticator and using the password.
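A minimal Python model of the three steps above, added here as an illustration and not taken from the article or from any vendor's code. The names `AppServer`, `Device` and `audit_password` are hypothetical, the keychain is a plain dictionary, and the biometric match is simplified to a byte comparison (real matchers are fuzzy); the point is that the server's decision depends only on the password.

```python
import hashlib
import hmac
import os

# Constructed sample; a real check would use a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111"}

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AppServer:
    """Server side: verifies a password and never sees biometric data."""
    def __init__(self):
        self._users = {}

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _kdf(password, salt))

    def login(self, user, password):
        salt, stored = self._users.get(user, (b"", b""))
        return hmac.compare_digest(stored, _kdf(password, salt))

class Device:
    """Device side: the biometric match only gates access to the keychain."""
    def __init__(self, template, keychain):
        self._template, self._keychain = template, dict(keychain)

    def biometric_login(self, server, app, user, scan):
        if not hmac.compare_digest(scan, self._template):  # 1. true/false match
            return False
        password = self._keychain[app]                     # 2. read keychain
        return server.login(user, password)                # 3. app checks password

def audit_password(password, min_length=12):
    """Enrollment-time check: the stored password is the real boundary."""
    checks = {"common": password.lower() in COMMON_PASSWORDS,
              "short": len(password) < min_length}
    return [name for name, hit in checks.items() if hit]

def demo():
    server, weak = AppServer(), "qwerty"  # constructed account and password
    server.enroll("alice", weak)
    phone = Device(b"alice-finger", {"app": weak})
    return {
        "good_scan": phone.biometric_login(server, "app", "alice", b"alice-finger"),
        "bad_scan": phone.biometric_login(server, "app", "alice", b"other-finger"),
        "password_only": server.login("alice", weak),  # no device or biometric
        "audit": audit_password(weak),
    }
```

Calling `demo()` shows that the server accepts the password whether or not a biometric check ran first, which is why a check like `audit_password` belongs at the point where the password is set.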

Biometrics Can Be Circumvented

Another misconception about biometric authentication is that it is somehow inherently more secure than a password. If a user’s mobile device is lost or stolen, the logic goes, cybercriminals will be unable to access it without the user’s fingerprint or facial recognition.

Not so fast. When Samsung launched its Galaxy S10 smartphone in 2019, one of the device’s major selling points was the phone’s ultrasonic fingerprint sensor, which was ostensibly more secure than traditional optical readers.

A security researcher defeated the sensor using a wine glass, some software and an LCD resin printer. Some people may have taken comfort in the fact that this particular method required expensive, specialized software and a printer with an accuracy level of 10 microns. That comfort didn’t last long: Last fall, a group of Chinese researchers demonstrated how to compromise the fingerprint lock on any smartphone, ultrasonic sensor or not, with $140 worth of equipment and an app that analyzes a photograph of a fingerprint.

Biometrics Can’t Be Changed

Perhaps the strongest argument against leaning too heavily on biometrics is that stolen passwords can be reset, but stolen fingerprints or other biometrics cannot. Further, if users properly secure them, passwords are quite difficult to steal. Biometrics are frighteningly easy to steal. Humans leave fingerprints everywhere, and our faces and even irises can be recorded, photographed or scanned from a distance without us ever knowing.

Cybercriminals don’t even have to follow targets around to lift fingerprints or take photos. Databases containing biometric data can also be breached. In 2019, a database owned by a U.S. Customs and Border Patrol contractor was compromised, exposing photos of 184,000 travelers. At least some of the images ended up on the Dark Web. Three months later, the developers of a biometric lock system used by the UK Metropolitan Police, along with banks and defense contractors worldwide, were found to be storing 23GB of fingerprints, facial recognition images, login credentials and other sensitive information on an unencrypted and unsecured database.

Reports of the Death of Passwords Have Been Greatly Exaggerated

Biometrics aren’t inherently bad, but they’re not a replacement for passwords, not now and not for the foreseeable future. This doesn’t mean organizations should ditch biometrics completely. Instead, they should be one part of a multi-layered approach to cybersecurity that includes, not replaces, comprehensive password security and robust identity and authentication management (IAM).


Darren Guccione

Darren Guccione is the CEO and co-founder of Keeper Security, Inc. Prior to Keeper, Darren served as an advisor to NinthDecimal (f/k/a JiWire), the leading media and technology service provider for the Wi-Fi industry. Prior to that, Darren was the CFO and Co-founder of Apollo Solutions, Inc., which was acquired by CNET Networks (now CBS Interactive). Darren is an engineer and a CPA. He holds a Master of Science in Accountancy with Distinction from the Kellstadt School of Business at DePaul University and a Bachelors of Science in Mechanical and Industrial Engineering from the University of Illinois at Urbana-Champaign. Darren is an Evans Scholar and received the Distinguished Alumnus Award presented by The Department of Industrial & Enterprise Systems Engineering. Darren is a community board member of the Chicago Entrepreneurial Center (1871), which fosters the development of early stage companies, and an advisor to TechStars, a Chicago-based technology incubator for innovative startups. Formerly, Darren served on the Committee of Technology Infrastructure under Mayor Richard Daley. Darren has been named Cutting Edge CEO of the Year in 2019 and Publisher’s Choice Executive of the Year in 2020 by Cyber Defense Magazine’s InfoSec Awards. He is regularly featured on local and national news programs to report on cybersecurity events and topics. He serves as a panelist and keynote speaker in various technology events around the world.
