These days biometric sensors are part of just about every portable device. Fingerprint scanners are commonplace on laptops, phones and tablets. And with low cost iris scanners gaining popularity, we are likely to see more biometric tech in consumer-grade equipment. But for all their convenience, they aren’t as safe and robust as you’re being led to believe.
Sure, passwords are cumbersome and annoying. Remembering complex ones isn’t everybody’s idea of a good user experience. Passwords have gotten a lot of bad press but they are still one of the strongest and most economical forms of protection we have when used appropriately.
I guess it depends on where you’re travelling, but a vast majority of my overseas trips, particularly in Africa and the Middle East, have required me to scan my fingerprints at immigration. This means that the country into which I’ve entered has now a record of my biometric data stored on their systems. It’s something we’ve grown accustomed to but until recently this type of treatment was reserved only for criminals.
If you’re the owner of an e-ID or e-Passport, chances are that the embedded chip contains your biometric modalities, such as fingerprint, photo or iris. Similarly, if you’ve ever been tagged in a photo on social media, it is more than likely that your facial biometric data is known in the public domain — think Facebook or LinkedIn.
The Samsung Galaxy Note 7 for example, with its integrated iris scanner, shoots out a beam of infrared light to detect and authenticate the iris. “Samsung says it’s impossible for the sensor to be fooled by high-resolution images of your iris” because the infrared signature would be different. Whether it’s impossible to circumvent or not remains to be seen — no pun intended — time will tell.
Now ask yourself, if some organization has access to all of your biometric data, be it Facebook or a Government, how safe is your data? And how confident are you that your biometric data isn’t shared between various parties? While biometric authentication is convenient and quick, it does create a massive security risk for anyone who relies on it as their only means of authentication.
Within PKI, we have the ability to revoke compromized certificates. Similarly, when a password is lost or stolen, all that’s required to reestablish security is a password reset. In both these instances the process is relatively simple and well understood.
The question we should be asking is: how does a person revoke or reset their biometric data? At present, this is not possible. You only have two eyes, ten fingers and one face. Short of plastic surgery, once compromized, there is no way to reset any of your bio-features.
I’m not a big fan of mass biometric data collection, and the trend is worrying me. Private biometric usage on a private device is perfectly acceptable when paired with secondary authentication method, such as a boot/encryption pin or password. However, entrusting your biometric data to a commercial entity is just silly. You’re unlikely to ever know whether (and with whom) your biometric data is being shared.
Furthermore, the fact that your e-ID or e-Passport contains some biometric data, it is fair to say the government (and social media) has access to it too. Assume that all of your biometric data is already known. Remember, fingerprints and iris scans can always be taken without your permission or under duress. Good luck trying to pry a password out of my brain.