BLOG: Biometrics – the answer we’ve all been searching for?
Biometrics is an intriguing new prospect in the world of security. After all, who wants the burden of remembering an eight-character password that contains one capital letter, one number and one symbol?
We all desire the convenience and protection of logging on to our devices with just a brief scan of our unique facial features. Isn’t that what we were promised in the futuristic movies we saw as kids?
While tech giants like Apple and Samsung started the process of turning advanced biometrics into a mainstream reality, we believe the security logistics behind it are worth a second look.
What is biometrics?
Biometrics is something about you that can be measured. It can be a physical or behavioural attribute and constitutes something unique. We use biometrics all the time without thinking about it.
This happens in the blink of an eye when you meet someone. Your brain will instantly use the visual appearance to recognise a friend and then continue to further confirm their identity as soon as they speak (it’s the original two-factor authentication).
What we all do instinctively is a real challenge for computers and smartphones to learn, but if we can make biometrics quick, easy and natural to use, then we are onto something that will bring security standards to the next level.
Why is it effective?
With security and encryption, the longer the ‘key’, the harder the ‘code’ is to crack. Most people struggle to remember long PIN codes or highly complicated passwords, so we are inherently limited in our ability to store and recall passwords that are strong yet memorable and convenient.
The promise of biometrics is that the ‘key’ is already long and doesn’t need to be remembered or written down. It’s part of you already so it’s always on-hand (excuse the pun) for use.
Out of all the biometric systems in use today, fingerprint scanning seems to be winning the race for widespread adoption. Apple’s TouchID is the most widely deployed consumer implementation of the technology, making unlocking your smartphone very easy and streamlining things like payment authorisations.
Fingerprint scanners aren’t new, however. If you’ve been to the US you’ve probably had your finger scanned at passport control. Likewise, if you’ve been to Disney World you’ve probably stuck your finger into a scanner (actually, Disney World isn’t scanning the print, just measuring your finger). The point is that using your finger is quick and easy and we are accustomed to doing it.
Your desktop or laptop computer has been able to grab a high-quality image or scan your fingerprint for quite some time now and most modern smartphones have the horsepower and hardware to do the same.
Add to the mix various other smartphone features – like the accelerometer and gyroscope, plus the heart-rate monitor on your wrist – and you’ve now got all the bits in place to make personal identification happen quickly, easily and constantly.
So we already have the power in our pockets to make use of advanced biometrics. Why, then, are we still stuck with usernames and passwords?
As you can imagine, there are some kinks to work out.
Stolen biometric identity
You can’t change your fingerprint! Once it’s lost, you can never trust it. In fact you need to mark it globally as “unusable”.
Some biometric data is easily captured without you knowing it: a photo of your face, for example, a high-resolution image of an ear pattern, a fingerprint lifted from a glass or a hair that has been grabbed. There are techniques for replicating this data. So actually, compared to a password, which should only ever really be stored in the depths of your mind, biometric data is a little vulnerable.
Storing your measurements
So to match the convenience of a password used with a cloud software service, your biometric data would need to be moved off a device and stored so that you can log in from anywhere. Now all of a sudden, some of your most unique and personal data is stored on who-knows-what-and-where. Does that make you feel comfortable?
Losing this sort of data has already happened. In September 2015, the Office of Personnel Management had 5.6 million fingerprints stolen. That’s a lot of people who potentially can never use a fingerprint scanner system ever again.
India has a hugely successful biometrics program with a database of over a billion fingerprints and iris scans. Imagine the impact of having all that data stolen.
Some people argue that the promise of absolute authorisation via biometrics also has a negative implication, and that is one of privacy.
For example, if a person wants to mask their identity while making online purchases, they can use an obscure username and password to cover their tracks. By contrast, using a fingerprint pretty much pins the owner to the online purchase or activity. It’s irrefutable.
The argument is simply that sometimes, for some reason, you might like to make a purchase or use a service with a degree of anonymity. But using a biometric marker erodes that right. It’s a cash vs credit card argument and boils down to trust or the lack of it.
2017 and beyond
All things considered, it seems the industry needs to continue developing biometrics and smooth out the bumps in the technology.
It’s wise to be cautious about companies and institutions building huge biometric databases because we don’t fully understand how they use that information. Rich resources can fall into the wrong hands or be used without care.
Think of biometrics as another great tool for security but let’s not throw away our passwords just yet.