The good, the bad and the ugly of biometric authentication technology

Biometrics provide a quick and reliable way to identify and authenticate people by their unique physical characteristics. But do they help fight threats like cybercrime, and what do they mean for privacy?

Imagine never having to manually log in again or remember the credentials for a hundred different online accounts. Or, you turn up at work and get back home without having to unlock a single door. Perhaps you need to pay a visit to the local pharmacy and pick up a prescription, but instead of having to wait in line, it’s discreetly deposited in front of you without needing to talk to anyone.

Now imagine walking into a store and being greeted by a disembodied voice that doesn’t only know your name, but also the sort of things you like to buy. Things are starting to sound a little disturbing, even if we’re already well-accustomed to personalized advertising on the internet. But it gets worse – imagine being flagged as a criminal until the police figure out your arrest was due to a 92 percent margin of error.

Biometric identification no longer belongs to the realms of science fiction. It’s part of the technologies that are defining the future of cybersecurity and wider crime prevention tactics. Already, fingerprint scanners are standard on mid- to high-end smartphones. That’s the good side. As for the bad side: things like face, fingerprint, iris and voice recognition can also be considered tools of state authority; an all-out assault on personal privacy. But whether we like it or not, biometrics are here to stay, so we may as well make them useful in protecting sensitive personal or business information.

The good: simplifying and securing access to digital systems

There’s an average of 130 accounts associated with every email address. That’s a whole lot of usernames and passwords to remember. It’s hardly any wonder that so many people reuse the same passwords for most, if not all, of their online accounts. To make matters worse, a lot of people also favor simple, easily memorable passwords, such as names of pets or children. Not only are these relatively easy to guess – a brute-force hacking program can usually find them in mere seconds. Then, there’s the constant threat of social engineering attacks, where criminals attempt to dupe victims into giving away their login credentials over email or through a malicious website masquerading as one belonging to a legitimate organization.

We have a password problem, and compromising on digital security is not an option, especially for businesses, which routinely handle sensitive information belonging to themselves and their customers. Instead, they’re increasingly turning to multifactor authentication (MFA) to add another layer of security that’s far harder to compromise. Chances are, you’ve already used it for things like online banking, or whenever you log into your email from an unrecognized device. Even after you’ve entered your password, the system will ask you to verify your identity with a one-time security token, such as a code sent by SMS or a disconnected token generator. But there’s another method that’s rapidly gaining ground – biometric identification.

Many high-end smartphones and business-grade laptops already feature fingerprint scanners, and facial recognition apps are an emerging technology that’s steadily making its way into the consumer market too. Other less common biometric factors include irises, palm veins and prints, retinas and even DNA. What makes biometrics different from other authentication methods is that they’re inherent to the user, which means they can’t be compromised by your average social engineering scam. It’s also much more efficient to look at a camera instead of manually entering login information or risk saving it on a potentially unsecured device.

The bad: there’s no such thing as a fool-proof system

Biometric identification is highly effective because we all have distinct biological characteristics which can’t easily be faked or exploited – although there are exceptions, such as criminal cases featuring identical twins. Actually, that’s something of a myth – while biometrics may seem secure on the surface, that doesn’t make them foolproof. While a password is something that only its owner knows, your biological traits, for the most part, are very much public. You leave your fingerprints everywhere you go, your voice can be recorded and your face is probably stored in hundreds of places, ranging from social media to law enforcement databases. If those databases are compromised, a hacker could gain access to your biometric data.

There’s no such thing as a system that’s 100 percent secure, and there never will be. Any kind of digital data can be hacked and misappropriated. And, contrary to popular belief, it can even be faked. Just a day after the release of the iPhone 5, which featured the TouchID fingerprint scanner, a German hacking group managed to create a fake finger to unlock the devices. Sure, the technology has improved in the past seven years since that happened, but there’s a big difference between improvement and perfection. Five years later, the same hacking group managed to crack the iris recognition in the Samsung S8 simply by placing a contact lens over a high-definition photo of an eye.

The ugly: If you’re hacked, there’s no going back

The fact that biometric data can be hacked can have far wider consequences, some of which are extremely worrying from both a security and privacy standpoint. If your password is stolen, then you can usually just reset it and choose a new one. If a hacker has a photo of your iris, you can’t replace your eye – unless of course, you’re Tom Cruise’s character John Anderton in Minority Report, where he has an eye transplant to hide his true identity. Now, while hackers usually prefer less conspicuous methods than stealing body parts to access secure systems, it’s a fact that biometrics can be abused and, once they are, there’s no going back.

Although biometric technologies are getting better all the time, there will always be a margin of error, which presents concerns for both security and privacy. The security concern is that, like any other identification method, biometric identification isn’t perfect and never will be. From a privacy perspective, you could be misidentified as a criminal, and there’s a good chance you’ll remain in the system long after the misunderstanding has been resolved. Another issue is that, since they’re created by people, biometric recognition systems are innately biased. Most facial recognition systems, for example, are primarily trained with images of white males, which results in higher margins of error for women and people of color.

This uglier side to biometrics presents serious challenges for businesses, since they need to store biometric data as securely as possible. If the system is hacked, those affected will face an increased risk of hacking for the rest of their lives. In other words, they’ll never be able to rely on biometric security again. This gives businesses, as well as governments and other organizations which rely on biometrics, enormous ethical and financial responsibilities. That’s why it’s important to consider where the biometric data is stored and to give its owners control over how it’s used.

A secure future without compromising privacy

There’s a line between security and privacy that shouldn’t be crossed. The biggest challenge lies in figuring out exactly where this line is. Government-mandated regulations for the storage and use of biometric data are already being developed to protect personal privacy and security. For example, the Supreme Court of Illinois, US, recently ruled unanimously that employees should retain the right to know how their biometric data is collected and used, and that companies should only do so with opt-in consent.

That biometrics are, for the most part, immutable is both their biggest advantage and worst drawback. While they potentially provide an effective additional layer of security, they can also be a single point of failure – with potentially disastrous consequences. There’s no denying they offer convenience and a high level of security, but they also pave the way for oppressive regimes and technology companies alike to infiltrate yet another aspect of our personal lives. With privacy being the concern of the century, businesses must be mindful about which technologies they choose to adopt and how.

This article represents the personal opinion of the author.

About authors

Produced by the editorial team for Secure Futures by Kaspersky magazine