
Biometric authentication is not a security panacea

(Image credit: Flickr / AMISOM)

Password management vexes individuals and businesses alike. Despite the overwhelming majority of internet users knowing better, weak passwords and password recycling remain rampant. Over half of respondents to a recent survey admitted to reusing passwords across personal and work accounts, and the latest Verizon Data Breach study revealed that about 80 per cent of data breaches can be traced back to stolen or weak passwords.

Frustrated with fighting what appears to be a losing battle to get employees to change their password hygiene habits, organisations are looking to move towards a utopian “passwordless future.” One of the most popular password alternatives is biometric data, such as fingerprints, iris scans, and facial recognition. Biometric authentication is being used to unlock everything from mobile phones to bank vaults, and the global market for this technology is growing rapidly; it’s expected to exceed $59 billion by 2025.

Too bad it’s not making anyone more secure. The first obvious crack in the biometrics armour appeared quite recently. Security firm Suprema, which serves law enforcement, banks, and defence contractors worldwide, was discovered to be storing 23 gigabytes worth of fingerprints, facial recognition, and other PII on an unencrypted and largely unsecured database.

These revelations beg the question: now that the Holy Grail that was set to usher in the passwordless future has itself been breached, what happens? We can reset a stolen password, but we cannot reset our fingerprints or our faces.

It’s time to clear up some fundamental misunderstandings about how biometric authentication systems work and what they can and cannot do.

Biometric authentication is not “passwordless”

The biggest area of confusion is that most people think that biometric authentication is inherently secure and much “better” than a password -- but passwords are part and parcel of biometric authentication.

When an end user touches a fingerprint pad or scans their iris, the biometric authenticator performs a “true-false” query to determine if the user is allowed in. From there, the biometric authenticator pulls whatever password the end user has saved for that system or app out of the device keychain and sends it to said site or app. The password is still in use; the end user just doesn’t see it.

Biometric authentication is convenient for end users, but it’s not “more secure” than typing in a password, and it’s definitely not the same thing as encryption. Biometric authentication does nothing to secure users’ passwords, help them generate strong passwords, or prevent someone else from logging into their account with a stolen password -- or, if their biometric data has been breached, a stolen fingerprint.
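The flow described in the two paragraphs above, modelled as an added Python example (this is illustration code, not code from the article or from Keeper Security). The `Server` and `Device` classes are hypothetical: the server stores only a salted PBKDF2 hash of the password and never learns anything about the biometric, while the device performs a local true/false match and then releases the stored password from its keychain. A plain string stands in for the sensor's biometric template, which in a real sensor would be a feature vector. The last case shows the point of the passage: a stolen password works against the server without any biometric at all.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # chosen for the example; production values are higher


class Server:
    """Hypothetical relying party ("the site or app"). It checks passwords only."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, digest)

    def login(self, username: str, password: str) -> bool:
        # The only credential the server ever sees or verifies is the password.
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(stored, candidate)


class Device:
    """Hypothetical end-user device: a biometric gate in front of a password keychain."""

    def __init__(self, enrolled_template: str):
        # Constructed stand-in for an enrolled biometric template.
        self._enrolled = hashlib.sha256(enrolled_template.encode()).digest()
        self._keychain = {}  # site -> (username, password)

    def save_password(self, site: str, username: str, password: str) -> None:
        self._keychain[site] = (username, password)

    def biometric_matches(self, presented_template: str) -> bool:
        # Step 1 of the flow: a purely local yes/no decision.
        presented = hashlib.sha256(presented_template.encode()).digest()
        return hmac.compare_digest(self._enrolled, presented)

    def biometric_login(self, site: str, server: Server, presented_template: str) -> bool:
        if not self.biometric_matches(presented_template):
            return False
        # Step 2: pull the saved password out of the keychain and send it.
        # The server receives exactly what it would get if the user typed it.
        username, password = self._keychain[site]
        return server.login(username, password)


def demonstrate() -> dict:
    """Run the three cases the passage describes and return their outcomes."""
    server = Server()
    server.register("alice", "correct horse battery staple")  # constructed credentials

    device = Device(enrolled_template="alice-fingerprint-template")
    device.save_password("bank", "alice", "correct horse battery staple")

    return {
        # Owner's finger unlocks the keychain, stored password is sent: success.
        "owner_fingerprint": device.biometric_login("bank", server, "alice-fingerprint-template"),
        # Wrong finger: the local gate refuses, nothing is sent.
        "wrong_fingerprint": device.biometric_login("bank", server, "someone-else-template"),
        # Stolen password presented directly: the biometric gate is never involved.
        "stolen_password_no_biometric": server.login("alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for case, outcome in demonstrate().items():
        print(f"{case}: {'login OK' if outcome else 'login refused'}")
```

The defensive takeaway is the same as the article's: the server's security boundary is the password (and whatever second factor it demands), so the password still has to be strong and unique, and the biometric only decides whether the local keychain opens.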

What can companies and people do if their biometrics data is stolen? The cold, hard truth is that nothing can be done. We can reset our passwords if they’re stolen; we cannot reset our fingerprints or our faces. No one has a good solution for this problem, which is why there are no systems that use biometrics as the sole or primary method for authentication. Notice that banks don’t let users log into their accounts with their fingerprints or faces as a single factor of authentication.

Password management + MFA provides maximum security

Instead of looking towards biometrics or a future magic technology that will save us all from the drudgery of password management, organisations and consumers should use password management software to generate and store strong, unique passwords for every account. They should also secure those accounts with multi-factor authentication (MFA). The ideal MFA system employs a unique, strong password as the first authentication factor, and a time-based one-time passcode (TOTP) device or software app as a secondary factor. In this system, biometric authentication is not an issue, as the biometrics are pulling the strong password.

Not all forms of MFA are equally strong. Among security professionals, it is well known that SIM takeover attacks have been successful in diverting MFA codes to an attacker's phone when text messages are the method of delivery. Since many services rely on text messages for account recovery procedures, cybercriminals can use this feature for launching their attacks. Therefore, it is recommended to use software apps to generate TOTP codes instead of text messages, when the option is available. If text message delivery is the only format supported by a particular site or service, the user should take protective measures by contacting their mobile phone carrier to ensure that a PIN code is required for all account changes. Mobile "burn phone" apps are also available that provide disposable virtual phone numbers to receive one-time passcodes, and consumers could use these instead of their real numbers.

Many sites are now also starting to support the use of hardware-based security keys for MFA, such as YubiKeys. Hardware security keys are the strongest form of MFA, but they do require carrying around a physical device. Many sites also provide software-based TOTP codes as a backup method when the user doesn't have their security key on hand.

It’s also a good idea to use a service that will alert you if one of your accounts is part of a public data breach. Let’s say you use a strong password to protect your bank account. If that password is already part of a public data breach, it won’t matter how strong it is. MFA that employs a TOTP protects you here as well. Even if your strong password is stolen, even if your biometric data is stolen, without your MFA code, nobody can access your account.
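A breach-alerting service has to answer "is this password in a public breach?" without being sent the password itself. The added Python example below (written for this article; not Keeper's code and not a client for any particular service) shows the range-query pattern commonly used for this: the client hashes the password with SHA-1, sends only the first five hex characters, receives every hash suffix in that range, and finishes the match locally. The breach corpus, its counts and the vault entries are all constructed inline so the example runs offline; `build_range_index`, `range_query` and `audit_vault` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Constructed breach corpus with made-up occurrence counts (not real breach data).
LEAKED_PASSWORDS = {"password": 12, "123456": 7, "qwerty": 3}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Provider side: index 'SUFFIX:COUNT' lines by the 5-character hash prefix."""
    index = {}
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_query(prefix: str) -> str:
    """Provider side: the only thing it learns is the 5-hex-character prefix.
    Returns the response body as newline-separated 'SUFFIX:COUNT' lines."""
    assert len(prefix) == 5
    return "\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


def audit_vault(vault: dict) -> list:
    """Check every entry of a password-manager vault; return the accounts whose
    password appears in the breach corpus, with the count, most exposed first."""
    hits = [(account, breach_count(pw)) for account, pw in vault.items()]
    return sorted([h for h in hits if h[1] > 0], key=lambda h: -h[1])


if __name__ == "__main__":
    # Constructed vault: one recycled weak password, one generated strong one.
    vault = {
        "bank": "password",
        "email": "qwerty",
        "work-sso": secrets.token_urlsafe(24),
    }
    for account, count in audit_vault(vault):
        print(f"{account}: password seen {count} times in breaches, rotate it")
```

A password manager can run exactly this audit over its vault and alert on hits; the strong factor remains the TOTP or hardware key, which is what still holds even after the password it protects has leaked.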

That may not be a panacea or a Holy Grail, but it will provide maximum protection.

Craig Lurey, CTO and Co-Founder, Keeper Security, Inc

Craig Lurey is CTO and Co-Founder of Keeper Security, Inc., where he leads software development and technology infrastructure.