Biometrics really are (in)secure

An increasing number of companies are beginning to use biometric systems to protect sensitive areas and information from competitors and cybercriminals. Biometrics is also becoming increasingly adopted in the private sphere. But how secure are fingerprints, irises, and other unique physical characteristics actually when it comes to using them as passwords or PINs?

If one thing’s for sure, passwords are annoying. Well, at least for those of us who don’t use 123456 all the time and who stick religiously to the security rules of always using really complicated unique passwords with loads of digits and special characters – and of course repeating this process for every single service we sign up to. Compared to all this, the idea of logging in using some physical characteristic sounds like a dream come true, offering a host of benefits.

  • Greater security: Biometric processes are based on the fact that everyone has unique, unchangeable characteristics, which can be used to identify the individual using electronic processes. These characteristics include your fingerprints, voice, signature, or your iris. This means that your actual personal physiological or behavioral characteristics are identified, and not just something that is up to you to choose – such as in the case of PINs and passwords. Physical characteristics are unique, plus they can’t be lost nor forgotten. The body itself becomes your ID, your biological password.
  • Convenience: Biometrics is simply practical to use. Instead of remembering, jotting down, and saving passwords somewhere or needing to carry around some form of ID, all you need to do is look at a camera lens or touch a fingerprint scanner. Setting up all the biometric technology is also a breeze.
  • Accuracy: Although biometric scanners aren’t 100% accurate (more on that topic follows), the technology works pretty well. The latest studies on fingerprint systems showed that single-finger tests were 98.6% accurate, two-finger tests were 99.6% accurate, and four-finger tests achieved an incredible 99.9% accuracy.
  • Costs: Setting up biometric systems may be expensive, but they’re cheaper to operate than standard methods. For example, no working time is lost having to regularly change or reset passwords. And companies can save millions if a biometric system prevents even just a single case of widescale abuse.

All biometric measurement procedures are based on the same principle: Prior to biometric authorization, the system gets to know the user by analyzing their characteristics and then generating a biometric pattern of them. This involves scanners and computers measuring the face, iris, voice, finger, or the entire hand. The system doesn’t store a complete image, just key characteristics. These templates are then stored on a server or a smartcard, and can then be used as a reference whenever someone needs to identify themselves. However, this is exactly where the cracks in the armor lie.

Weaknesses of biometrics

Despite the advanced technology, no biometric process is 100% secure. While the error rates are low (see above), the systems need to allow for measurement tolerances based on the fact that with all the different measurements involved, your finger, eye, or signature never deliver exactly the same data because your eye or finger may be at a different angle. This means only a rough match can be determined. Furthermore, characteristics that can be identified biometrically are constantly changing – through ageing, illness, injury, or just through what life throws at you. Nevertheless, good biometric processes have a high recognition rate, particularly if the system modifies the reference model dynamically every time after it has recognized the individual in question.

Cloning is an issue

What happens, though, if someone gets hold of a copy of your characteristics? It’s difficult, but not impossible. Jan Krissler – who also goes by his hacker pseudonym Starbug – has succeeded in duping virtually every biometric process out there. He pulled off his most spectacular coup in 2014 when he created a fingerprint of Germany’s Secretary of Defense Ursula von der Leyen based on a high-res photo of her. He even managed to fool the fingerprint sensor on an iPhone with a spoof fingerprint made from wood glue, and he used a fake hand made from beeswax to overcome high-security entry points that employ hand-vein scanners. If criminals manage to create a clone, one of the advantages of traditional digital security can’t be relied upon – to simply be able to change a password anytime, anywhere. PINs and passwords can be shared, but you can change them to protect yourself; biometric data based on unique biological characteristics can’t be changed. As such, a person must be able to make changes to their own data – until they do so, a lot of damage can be done.

On top of this, biometrics relies on databases – and these are vulnerable to attack. Here’s an example: In the US a database containing the details of government workers was hacked in 2015 and over five million fingerprints stolen. Furthermore, the effects can be forever. Compared to password hacks, in principle the stolen biometric data can be misused for an entire lifetime if it falls into the wrong hands. The problem of not being able to just change this data raises its head once again if hackers steal biometric data and it ends up on the internet because of a database leak.

Conclusion

While biometric processes are more secure and offer additional advantages over other systems such as passwords, even they can’t guarantee 100% security. As such, they shouldn’t be used as the only solution, particularly in the business sector. Ideally, they should be used to supplement existing systems.

This post is also available in: German