Biometric technology has been on the rise as it promises to make the authentication process more secure and convenient. Unlike passwords and key cards, biometrics are something you will always have, can’t share and can’t forget. This makes the biometric approach convenient and, at the same time, lowers password management costs.
Biometrics are also said to be difficult to steal or hack: difficult, but not impossible.
Any technology can have loopholes that can be exploited, and that’s why you need to understand it well and take precautions if you decide to use this approach.
The use of biometrics is not new, but its increased presence in public settings such as banks makes it a topic of interest.
To help us understand the need to tread carefully, let’s first have a peek at the latest biometric security technologies.
New Trends in Biometric Security
Biometric authentication is becoming popular for digital payments, logging in to banking systems and even on smartphones. New trends in biometric security include:
- Voice recognition: the human voice is used to create voice prints to be used for user authentication in a voice ID system.
- Face recognition: 3D face recognition is another new development that uses sensors to identify the shape of a person’s face. This is done by using facial characteristics such as the nose, cheeks, chin and contours of the eye sockets.
- Mobile biometric technology: mobile devices have also joined the bandwagon, and manufacturers are now fitting them with biometric sensors. It is also possible to attach portable biometric-sensing equipment using a USB cable.
- Biometrics on the cloud: cloud-based solutions have been developed to speed up the identification process. Since users don’t have to spend so much on necessary applications, hardware and infrastructure, this becomes cost effective.
How Secure is the Biometric Approach?
Biometric security is increasingly being used in preference to passwords, but how safe is this approach? Fingerprints may not be as secure as they are said to be. Consider this: some researchers were able to generate fake fingerprints that they called DeepMasterPrints. They used a neural network technique to create artificial fingerprints that can work as a “master key.” This goes to show how a system using fingerprints for security can be vulnerable to dictionary attacks using the created MasterPrints.
Many people post their pictures on social media. Unfortunately, once you do that, your images are no longer private. This means that a face can easily be captured from the internet.
Retina scans are considered extremely reliable, and more accurate than iris scans. However, they are the least common because they are considered intrusive.
The use of biometrics is a great development in addressing security concerns, but it raises privacy issues. Keep in mind that biometric information can easily be harvested, from a distance and without your knowledge. The cloud is another reason to be concerned. Although biometrics are effective in enforcing security, the data collected has to be stored somewhere. How secure are the databases that store this information? Of course, this increases the possibility of a breach.
Some reports made public include a potential hack of the palm vein scanner and a claim by a research team at vpnMentor about a leak of millions of fingerprints from BioStar 2, an app built by Suprema. Whether this and other similar claims are true or not, it just goes to show how vulnerable biometric data can be. It also won’t be long before marketplaces emerge on the Dark Web for actual biometrics.
Remember that unlike passwords, you can’t change your biometrics. If someone had access to a biometrics database, then they would have access to sensitive data.
Another reservation involves the right to privacy for your biometrics. It’s possible for your biometrics to be collected without your informed consent, for instance in stores where face recognition is used to identify potential shoplifters or to survey shoppers’ behavior. Recently, the FaceApp Challenge created by a Russian company had its share of controversy. Although the app is said to be purely for entertainment, no one has control over what the company collecting the data will do with it.
Businesses face the potential risk of getting sued by their own employees. This is because some locations already have biometric privacy laws. In the United States, the Illinois Biometric Information Privacy Act (BIPA) allows users to sue to protect their privacy.
Since cyber criminals are always working on hacking new security systems, it’s crucial that users of these systems remain cautious. One of the ways to stay safe when using biometrics is the use of multi-modal authentication, which requires input from more than one biometric device. This will help overcome some loopholes, such as the use of copied fingerprints or stolen voice and facial prints.
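The multi-modal idea above, as an added example that is not part of the original article: it compares a weak decision rule that averages matcher scores with a stricter rule that requires more than one modality to pass on its own. The matcher names, scores and thresholds are constructed assumptions, not values from any real product.

```python
# Added illustration: matcher names, scores and thresholds are constructed assumptions.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Modality:
    name: str
    threshold: float  # minimum similarity (0..1) for this modality to count as a match


POLICY = (
    Modality("fingerprint", 0.80),
    Modality("voice", 0.75),
    Modality("face", 0.78),
)


def _checked(scores):
    """Reject malformed matcher output instead of letting it skew a decision."""
    for name, value in scores.items():
        if not isinstance(value, (int, float)) or not math.isfinite(value) or not 0.0 <= value <= 1.0:
            raise ValueError(f"invalid score for {name}: {value!r}")
    return scores


def mean_fusion(scores, policy=POLICY, accept_at=0.70):
    """Weak: average all scores, so one near-perfect score can carry two poor ones."""
    scores = _checked(scores)
    return sum(scores.get(m.name, 0.0) for m in policy) / len(policy) >= accept_at


def strict_fusion(scores, policy=POLICY, required=2):
    """Hardened: at least `required` modalities must each clear their own threshold."""
    scores = _checked(scores)
    passed = [m.name for m in policy if scores.get(m.name, 0.0) >= m.threshold]
    return len(passed) >= required, passed


# Constructed sample inputs.
GENUINE = {"fingerprint": 0.91, "voice": 0.82, "face": 0.85}
COPIED_PRINT = {"fingerprint": 0.99, "voice": 0.55, "face": 0.60}  # one modality spoofed
HOARSE_USER = {"fingerprint": 0.91, "voice": 0.60, "face": 0.85}   # genuine, voice degraded

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("copied print", COPIED_PRINT), ("hoarse user", HOARSE_USER)):
        print(f"{label:13} mean={mean_fusion(sample)} strict={strict_fusion(sample)}")
```

With these sample values the averaging rule accepts the copied-fingerprint case because one very high score outweighs two poor ones, while the strict rule rejects it and still admits the genuine user whose voice score is degraded.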
Luckily, with advances in artificial intelligence and machine learning, biometrics can be enhanced. Users can be scrutinized using their online behavior. Since people tend to be creatures of habit, a behavior-based system can develop a more complex user profile. The tracked behavior will help to tell a genuine user from a potential threat.
Since it’s difficult to know if your biometrics have been stolen, it’s best to take precautionary measures that could include:
- Avoiding unnecessarily sharing personal information, such as bank account numbers, date of birth or Social Security number.
- Paying close attention to your bills and financial statements.
- Watching out for unauthorized transactions by reviewing your credit card and bank statements.
- Using other security features on your mobile device.
- Avoiding using public WiFi. It is also important that you keep your sharing and firewall settings updated.
Biometric authentication is not a silver bullet. Technically, biometrics are not secret and carry cyber risks similar to those of passwords, only they are exploited differently. Whenever a new technology becomes pervasive, there are individuals who will definitely try to figure it out, especially because these technologies are used to access financial services and private data.
In the digital world, we cannot assume complete security. The best you can do is work with known, credible vendors and stick with providers who comply with both federal and state data privacy regulations. Lastly, use technologies that are tried and tested.