Why biometrics are less secure than passwords

Many technology pundits talk about biometrics as the ultimate authentication solution – the technology that will make the 'imperfect' password obsolete. Despite the hype, most companies are approaching it with caution. In fact, CEB found that biometrics adoption varies widely across the globe, with only around 20 per cent of firms having actually deployed the technology.

A big reason for low adoption could be that biometrics are less secure than passwords. And while many are touting the security of biometrics, there are four issues to consider when evaluating the technology.

Biometrics: Already hackable?

First, biometrics will be easier to hack than passwords. Not only are they subject to all of the current attacks that work when hacking passwords, but biometric data were never designed to be secret. Most people make sure not to divulge their passwords, but it’s difficult to imagine a world where everyone wears gloves constantly to avoid leaving fingerprints.

Attackers have already figured out how to bypass many of today’s biometric solutions. Jan Krissler, a famous hacker, used high-resolution photos of Ursula von der Leyen, Germany’s Minister of Defence, to beat fingerprint authentication technology. In a more famous stunt, Krissler also beat Apple’s TouchID technology just a day after its release by creating a copy of a fingerprint smudge left on an iPhone screen and using it to hack into the phone.

Pundits promoting biometrics always point to improvements in the technology; however, as security solutions become more sophisticated, attacks will as well. For example, realising that fingerprint scans offered insufficient protection, in 2015 Barclays progressed from using normal fingerprint scans to adopting technology that scans for the veins in users’ fingers. Despite this innovation, Swiss researchers beat the system using image-processing techniques in the same year.

Users are able to safeguard passwords by taking precautions like limiting sharing through channels they distrust and not reusing the same password across sites. Containing the spread of biometric information is a lot more difficult. It might be easier to swipe a finger than type in a code, but this convenience comes at a security cost.

Big repercussions

Second, a stolen biometric has much greater repercussions for users than a stolen password. A biometric reveals a part of the user’s identity that is intensely personal and could be used to falsify travel and criminal records and legal documents.

In a recent U.S. Government breach, fingerprints of 5.6 million and Social Security numbers of 21.5 million individuals were compromised. In response, an intra-agency group was created to investigate the possibility of resulting payment fraud and creation of fake identities. Although Federal experts have stated that the ability to misuse fingerprint data is limited in this event, its probability will undoubtedly grow in future breaches.

Lack of revocability

A third concern with biometric-based authentication is its lack of revocability, meaning that a biometric cannot be tossed away and replaced like a password or a credit card number. Rather, it is permanently associated with a user. Recent experimentation with biometric template protection techniques like salting and one-way encryption reduces the collateral damage. But just as with passwords that are reused across sites, there will always be a poorly designed system that can result in a leak of biometric credentials, ruining them for all other systems. Despite advancements in security controls, one’s identity, which is invaluable and irreplaceable, will always be at risk.
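To make the template-protection point concrete, here is an added toy example (not code from the article or from CEB) of a cancelable template built as a fuzzy commitment: the system stores only key-masked feature bits plus a hash, so a noisy re-reading of the same finger still verifies, a stolen record cannot be replayed at another system, and the record can be re-issued under a fresh key. The 160-bit feature vector, the repetition code and the system names are constructed stand-ins for a real extractor and error-correcting code.

```python
import hashlib
import hmac
import random
import secrets

# Toy fuzzy commitment (Juels-Wattenberg style) as a cancelable template.
# Constructed input: 160 feature bits from a seeded RNG stand in for a
# fingerprint feature extractor; REP-fold repetition stands in for a real
# error-correcting code (real schemes need stronger codes and still leak
# some information through the helper data).
REP = 5                              # each key bit is stored REP times
KEY_BITS = 32
TEMPLATE_BITS = KEY_BITS * REP

def constructed_sample(noise=(), seed=1):
    """Same 'finger' for the same seed; noise lists bit positions to flip."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]
    for i in noise:
        bits[i] ^= 1                     # sensor noise between readings
    return bits

def _encode(key):
    return [b for b in key for _ in range(REP)]

def _decode(codeword):                   # majority vote per REP-bit block
    return [int(sum(codeword[i:i + REP]) * 2 > REP)
            for i in range(0, len(codeword), REP)]

def _digest(key, system_id):
    return hashlib.sha256(bytes(key) + system_id.encode()).hexdigest()

def enroll(sample, system_id):
    """Store only key-masked bits and a hash; the key itself is discarded."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = [c ^ b for c, b in zip(_encode(key), sample)]
    return {"system": system_id, "helper": helper,
            "digest": _digest(key, system_id)}

def verify(record, sample):
    """Unmask with a fresh reading, error-correct, and compare the hash."""
    key = _decode([h ^ b for h, b in zip(record["helper"], sample)])
    return hmac.compare_digest(_digest(key, record["system"]), record["digest"])

def leaked_record_authenticates_elsewhere(leaked, other_record):
    """Replay system A's stolen record as if it were a reading at system B."""
    return verify(other_record, leaked["helper"])

def revoke_and_reissue(old, sample):
    new = enroll(sample, old["system"])  # fresh key: new record, same finger
    return new, old["digest"] != new["digest"]
```

Flipping one bit in several different blocks still verifies, while three flips inside one block exceed what the toy code corrects and the reading is rejected; a raw (unprotected) template, by contrast, would verify anywhere the same extractor is used.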

Biometrics aren't for everyone

Lastly, biometrics don't suit everyone. Consumer products, like mobile technology, will likely continue to use biometrics because of the premium end-users put on convenience, but enterprise products may opt out to ensure maximum information security. CEB data show that 50 per cent of organisations haven’t evaluated biometrics for their business and, of those that have, only 16 per cent are planning to deploy them over the next two years.

In the coming years, we expect an intensified arms race between consumer products companies and hackers for supremacy in the space of biometric technology. Each new attack will undoubtedly cause companies and users to reflect on their willingness to trade off security for convenience.

Jeremy Bergsman and Daria Kirilenko, CEB