When a bad actor steals your password, you can change it. But what happens when they steal your fingerprint?
If you have a smartphone released within the last decade, there’s a good chance you’re using your fingerprint or a face scan to unlock your device. After all, why spend time manually typing in passwords and codes to gain access to your devices when you can unlock them in milliseconds by simply… being you?
Biometric technologies are generally considered the safest method of securing accounts and devices – and fingerprint scanners and face recognition used on modern devices are widespread examples. In fact, biometric security is only increasing in popularity, with the market value estimated to reach 55.42 billion by the end of 2027.
But what are biometric technologies, and how do they work?
What Is Biometric Security?
Biometric security differs from passwords because it uses a probabilistic matching system rather than a deterministic one – let us explain.
While a password requires a 100% match to let a user in, biometrics don’t quite work like that. Biometrics work by measuring the probability that the fingerprint, face, voice, etc., that’s attempting to gain access to that device or application matches the one stored within its system.
To put it simply – biometric security works by allowing the user access based on traits that are completely unique to them and are very difficult to change.
Biometric security technologies are generally split into two categories – physiological and behavioral. Most end users will be more familiar with physiological biometric technologies, which include fingerprint scanners, facial recognition, iris scanning, and hand geometry, and which are generally more widely used than behavioral ones. Behavioral biometric technologies are based on behavioral traits, such as keystroke rhythm, mouse movement, and voice recognition – and are more difficult to imitate than physiological traits.
Should You Use Biometric Security?
Biometric security is trusted and widely used by governments and high-security areas, as well as banks and other large organizations to protect sensitive data that hackers might want to target. In fact, the finance and technology industries as of 2018 were both the quickest to adopt and are still the largest users of biometrics.
It’s easy to think that passwords might be the safer choice, as they require a 100% match to gain access to the system – but this isn’t the case. In fact, 80% of hacking-related breaches are related to passwords. And after all, you can have a weak password, but you can’t have a weak fingerprint.
The vulnerability in using passwords and credentials to secure accounts comes from how easy they are to share and to steal. And because access is granted based on an exact match, anyone who knows the password – whether they have rightful access, or not – can log in. So how can organizations know that users entering credentials are really who they say they are?
Biometric security, on the other hand, provides organizations with greater assurance that the user is likely to be genuine. On top of this, biometric technologies are constantly evolving, improving, and growing more reliable and secure. This means that, if a hacker does successfully gain access to an account secured by biometric data, the authentication system will evolve so that they’re unable to do it a second time. If a hacker gains access to a password-secured account, on the other hand, they can continue to do so until the user realizes and changes their password. Using biometric security limits the damage that an attacker can do by reducing the risk of a repeated breach.
But what are the risks of using biometric authentication to protect sensitive data?
The Risks of Using Biometric Security
There’s good and bad in everything – and biometrics are no exception. As with all things in life, using biometric data has its risks.
The fact that access is based on likelihood and not on exact matches is one of the reasons some may mistrust using biometric technologies. But as we explained above, they are safer to use than passwords.
Some risks of using biometrics include:
While uncommon – false matches are possible. These happen when a system wrongly recognizes an unknown individual and grants them access. Apple even lists this as a possibility in its product support pages – but reassures users that the probability of a false match when using Face ID is one in a million. By contrast, the likelihood of someone cracking a four-digit passcode is far higher, at one in ten thousand.
False non-matches are also possible. These occur when a rightful user is not recognized and is wrongly denied access to their device or account. This is usually more annoying than it is a serious issue, as most of the time an alternative mode of access is available if biometric data is not recognized.
No method of authentication is 100% secure. While difficult and often expensive to pull off, it is possible to replicate and clone fingerprints, faces, and other bodily features.
The scary part is that every day we might leave traces of our biometric data lying around in public without knowing it. Fingerprints can be swiped from used cups, pictures can be taken in public, and speech patterns can be captured from phone calls. And biometric spoofing has been proven to be successful on multiple occasions.
For example, in 2020, Cisco’s Talos Intelligence Group successfully cloned and created an artificial fingerprint using 3D printing. The fingerprint was collected using three real-life scenarios – direct collection using a mold, scanning the fingerprint via a sensor, and taking a picture of a print left on a glass. All three types of fingerprints collected were successfully cloned and used to unlock devices. The researchers achieved an 80% success rate when “hacking” into various devices. The process, however, is described as incredibly time-consuming and complicated.
Other examples include an Apple Face ID hack using a human-like mask, school pupils tricking their biometric attendance system using artificial fingerprints, hackers tricking the Galaxy iris scanner using an artificial eye, and researchers at the University of North Carolina using 3D models and VR technology to trick facial recognition systems.
The Verdict: Are Biometrics Safe To Use?
Overall, yes. There’s no reason why the average person or business should feel uneasy or unsafe when using biometric security. Despite the risks of false matches and biometric spoofing, experts still consider biometrics the most secure method of authentication.
As evidenced by Talos in their fingerprint hacking experiment, the level of complexity required to be able to successfully replicate biometric information makes stealing biometric data a far less desirable or viable option than simply stealing credentials. Passwords will always be easier to steal – so why would cybercriminals turn to biometric spoofing while passwords are still widely being used?
As well as this, even if a criminal were to steal your device and attempt to gain access using biometrics, most vendors implement limits on the number of attempts that can be made to log on using biometrics before the user is prompted to enter their password. For example, Apple limits this to five attempts, whilst for Samsung devices the limit is fifty attempts. For corporate biometric authentication technologies, organizations will often wish to set these limits to ensure greater security.
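To make the points above concrete – a probabilistic match score against a threshold, the false matches and false non-matches that follow from where the threshold sits, and the attempt limit before the device falls back to a deterministic passcode – here is an added toy example in Python; it is not code from this article or from any vendor, and the 16-bit template, the sample scans, the passcode and the thresholds are all constructed.

```python
import hmac

# Constructed toy data: a 16-bit iris-code-style template stands in for a real
# biometric template (real matchers use far richer features, same decision logic).
TEMPLATE = "1011001110100110"
PASSCODE = "4821"  # constructed fallback secret for the deterministic path

def flip(bits, positions):
    """Return a copy of `bits` with the given positions inverted."""
    out = list(bits)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)

def verify(template, probe, threshold):
    """Probabilistic decision: accept when the fraction of agreeing bits clears the threshold."""
    return sum(a == b for a, b in zip(template, probe)) / len(template) >= threshold

def error_rates(template, genuine, impostors, threshold):
    """(false match rate, false non-match rate) at a given threshold."""
    fmr = sum(verify(template, p, threshold) for p in impostors) / len(impostors)
    fnmr = sum(not verify(template, p, threshold) for p in genuine) / len(genuine)
    return fmr, fnmr

# Constructed scans: genuine ones differ by a few noisy bits, impostors by many,
# except one impostor that happens to land close to the template.
GENUINE = [TEMPLATE, flip(TEMPLATE, [3]), flip(TEMPLATE, [0, 9]), flip(TEMPLATE, [1, 5, 8, 12])]
IMPOSTORS = [flip(TEMPLATE, range(8)), flip(TEMPLATE, range(7)),
             flip(TEMPLATE, [2, 6, 11]), flip(TEMPLATE, range(10))]

class BiometricGate:
    """Vendor-style lockout: after max_attempts failed scans only the passcode works."""
    def __init__(self, template, threshold, max_attempts=5):
        self.template, self.threshold, self.max_attempts = template, threshold, max_attempts
        self.failures = 0
    def try_biometric(self, probe):
        if self.failures >= self.max_attempts:
            return "passcode_required"
        if verify(self.template, probe, self.threshold):
            self.failures = 0
            return "granted"
        self.failures += 1
        return "passcode_required" if self.failures >= self.max_attempts else "denied"
    def try_passcode(self, code):
        # Deterministic path: exact match only, compared in constant time.
        if hmac.compare_digest(code, PASSCODE):
            self.failures = 0  # a correct passcode re-enables biometrics
            return "granted"
        return "denied"
```

Raising the threshold from 0.8 to 0.85 removes the false match but keeps the false non-match on the noisy genuine scan, which is the trade-off every biometric system has to tune.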
Criminals are far more likely to try to break into your device by cracking your passcode than by replicating your biometric data.
While for the average business, biometric security provides an extra layer of security, we generally wouldn’t recommend relying solely on biometrics to protect devices and accounts. Especially if you’re a high-profile target for cybercriminals or are engaging with particularly sensitive data, you need to rely on multiple layers of security alongside biometrics, and never just one method of authentication.
The best way to secure your devices and accounts is by using a strong multi-factor authentication (MFA) solution. MFA works by requiring two or more methods of authentication before allowing the user access – for example, a password followed by a code generated by an authentication app, or face recognition followed by a passcode. This way, even if a password or piece of biometric data were compromised, a criminal still couldn’t access your accounts or devices without also being able to pass the second or third modes of authentication. Think of it as a backup – a failsafe.
So, while biometrics are generally considered safe and secure by experts, so long as technology keeps evolving, cyberthreats and hacking methods will evolve alongside it. Trust your biometrics – but don’t solely rely on them. And above all, keep your data safe online.