Biometric Security Issues for User Authentication

Breaches of data and accounts are now a daily occurrence. One of the most widely used security methods is still the username and password. That solution is not always as effective as we would like, and there are alternatives. One of them is biometrics, for example the use of fingerprints; although it may seem more secure than a traditional method, it also has drawbacks. In this article we explain the strengths and weaknesses of using biometrics.

First we will briefly look at what biometrics is and its most common modalities. Then we will discuss biometric authentication, which keeps growing quickly with the aim of replacing passwords. As we will see, it also has its own drawbacks.

Biometric Security Issues

What is biometrics and most popular access methods

Biometrics can be defined as taking standardized measurements of living beings in order to identify them. Within information technology (IT) we have biometric authentication, the application of mathematical and statistical techniques to an individual's physical or behavioral traits in order to identify them. In short, it is a way of verifying that person's identity.

The most common methods to perform biometric authentication are the following:

  • Fingerprint.
  • Iris recognition.
  • Facial recognition.
  • Vascular biometrics, based on extracting a pattern from the geometry of the finger's vein tree.
  • Voice recognition.
  • Handwriting and signature.

In the matching process, the freshly captured biometric sample is compared against a previously stored set of templates. Two captures of the same trait are never identical bit for bit, so the comparison produces a similarity score that is accepted or rejected against a threshold; that threshold trades false rejections of genuine users against false acceptances of impostors. The process does not require the claimed identity to be known in advance: in identification (1:N) the new sample is compared against every registered template, whereas in verification (1:1) it is compared only against the template of the identity the user claims.

Traditional security systems are failing

Today, data breaches keep increasing, and the traditional password-based system is not in good shape. A large share of account compromises comes from password reuse: credentials leaked from one service are tried against many others. The solution some companies have chosen is to replace passwords with biometric authentication.

As a result, biometrics has been promoted as an authentication solution superior to passwords. However, biometrics has its own problems. We review them below and show that it presents a significant set of challenges.

Biometrics cannot be replaced

The great drawback of biometrics is that once a biometric trait is compromised it cannot be replaced. Imagine for a moment that the data describing our face, fingerprint or iris were exposed. Any account that uses that trait for authentication is then at risk, and there is no way to undo the damage, because unlike a password the trait cannot be changed.

Therefore, since biometrics is for life, it is very important for companies to make it as hard as possible for cybercriminals to obtain the stored biometric data. Note that the password recipe (a salted, slow hash, never plain text) does not transfer directly: a cryptographic hash only matches on identical input, and two captures of the same finger or iris are never identical, so a plainly hashed template cannot be matched and the system ends up keeping the raw template anyway. The practical options are to keep the template off the server entirely (on the user's device, inside a secure element or trusted execution environment, where it only unlocks a local key), or to use a template-protection scheme designed for noisy inputs, such as cancelable biometrics or a fuzzy extractor; in every case, raw templates must never sit in plain text on a shared server.
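As an added example that is not part of the original article, the following Go program models the matching process described under "What is biometrics" (threshold decision, 1:1 verification and 1:N identification) together with the hashing question raised here. The 512-bit templates, the bit-flip noise and the threshold of 64 bits are constructed assumptions standing in for a real feature extractor and its tuned decision threshold; deriving templates from a label with SHA-256 is only there to keep the example deterministic and offline.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Template stands in for the output of a feature extractor (an iris code, a
// minutiae-derived bit vector): 512 bits that two captures of the same trait
// reproduce only approximately. This is a constructed stand-in, not a real format.
type Template [8]uint64

// TemplateFrom derives a fixed, constructed template from a label so the example
// is deterministic. A real system gets the template from the sensor.
func TemplateFrom(label string) Template {
	var t Template
	for i := 0; i < 2; i++ {
		sum := sha256.Sum256([]byte(fmt.Sprintf("%s/%d", label, i)))
		for j := 0; j < 4; j++ {
			t[i*4+j] = binary.BigEndian.Uint64(sum[j*8 : j*8+8])
		}
	}
	return t
}

// Noisy flips the given bit positions, simulating capture noise between
// enrollment and a later login with the same finger or eye.
func Noisy(t Template, flip []int) Template {
	for _, p := range flip {
		t[p/64] ^= 1 << uint(p%64)
	}
	return t
}

// HammingDistance is the dissimilarity score: the number of differing bits.
func HammingDistance(a, b Template) int {
	d := 0
	for i := range a {
		d += bits.OnesCount64(a[i] ^ b[i])
	}
	return d
}

// Verify is the 1:1 decision: accept if the sample is within maxDist bits of the
// claimed identity's enrolled template. Raising maxDist lowers false rejections
// and raises false acceptances; the threshold is the security control.
func Verify(enrolled, sample Template, maxDist int) bool {
	return HammingDistance(enrolled, sample) <= maxDist
}

// Identify is the 1:N search: no identity is claimed, the sample is compared
// against every enrolled template and the closest one within the threshold
// wins. Returns -1 when nobody matches.
func Identify(sample Template, gallery []Template, maxDist int) int {
	best, bestDist := -1, maxDist+1
	for i, g := range gallery {
		if d := HammingDistance(g, sample); d < bestDist {
			best, bestDist = i, d
		}
	}
	return best
}

// HashHex hashes a template the way a password would be hashed. Because a
// genuine sample never equals the enrolled template bit for bit, the hashes
// differ and an equality check on them is useless for matching.
func HashHex(t Template) string {
	var buf [64]byte
	for i, w := range t {
		binary.BigEndian.PutUint64(buf[i*8:], w)
	}
	sum := sha256.Sum256(buf[:])
	return hex.EncodeToString(sum[:])
}

func main() {
	enrolled := TemplateFrom("alice-right-index")
	sample := Noisy(enrolled, []int{3, 77, 130, 301, 499})
	impostor := TemplateFrom("mallory-right-index")
	gallery := []Template{impostor, enrolled, TemplateFrom("bob-right-index")}

	fmt.Println("genuine distance:", HammingDistance(enrolled, sample)) // 5
	fmt.Println("genuine accepted:", Verify(enrolled, sample, 64))      // true
	fmt.Println("impostor accepted:", Verify(enrolled, impostor, 64))   // false
	fmt.Println("identified as index:", Identify(sample, gallery, 64))  // 1
	fmt.Println("hashes equal:", HashHex(enrolled) == HashHex(sample))  // false
}
```

Run it and the genuine sample matches at distance 5, the unrelated template is rejected (two independent 512-bit strings differ in roughly 256 bits), the 1:N search returns the enrolled entry, and the SHA-256 of the sample differs from that of the enrolled template even though the sensor would accept it. That last line is why hashed storage does not work for templates and why the threshold, not an equality test, is what the security of the scheme rests on.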

Exploitation of facial biometrics

Every day we are more exposed on the Internet, and we do not always realize the consequences. For example, facial information can be obtained online from a photo published on a social network or on any website. Compare this with passwords: a password is private by default and only becomes public if it is stolen, whereas a face or a voice is on public display all the time.

With that photo and the appropriate technology, the biometric parameters of a person's face could be replicated. Nor is this limited to facial recognition: a voice can be taken from a published video, and other modalities have analogous sources.

The limitations of current equipment

The problem is that, although many devices now include biometric sensors, not every device we use regularly supports biometric authentication, and on desktops and laptops the picture is mixed: fingerprint readers and infrared cameras are common on newer machines and absent from many older ones. When logging in to a website from a browser, biometrics can only be used through the browser's authenticator interface (WebAuthn) and only on sites that have implemented it, so its reach there is still limited. Until both the hardware and the sites people actually use support it, biometric login covers only a fraction of real logins.

Smartphones with Android or iOS offer biometric authentication in which the biometric data stays on the device and is never sent to a server. This approach, in which sensitive biometric templates are not stored on servers, means the enrollment cannot be carried over to another device: on a new phone we must first sign in again with credentials such as a username and password, and the new device must itself have a biometric sensor before biometrics can be re-enabled. It is tempting to conclude that what is needed is a model where the biometric template is stored on a server so it can be used from anywhere. That conclusion should be resisted: a central store of templates is exactly the irreplaceable data discussed above, and a single breach exposes every user. The device-bound model is the safer trade: the server holds only a public key (this is the model behind WebAuthn/FIDO2 and passkeys), the biometric only unlocks the matching private key locally, and re-enrolling on each new device is the price paid for a server database that is worthless to an attacker.
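The device-bound model described above, as an added example that is not part of the original article: the device keeps a private key that the local biometric check unlocks, the server stores only the public key and authenticates with a fresh challenge, and a new device has to enroll its own key. Ed25519 is used here as a stand-in for whatever key type a real authenticator uses, and the `biometricMatched` flag stands in for the sensor's local match decision; the biometric template itself never appears in the protocol, which is the point.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models a phone whose biometric sensor gates a private key that never
// leaves the device. Only the sensor's local yes/no decision matters here.
type Device struct {
	name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// Server keeps one public key per enrolled device. A breach of this table
// leaks nothing that can be replayed and nothing that describes the user's body.
type Server struct {
	keys map[string]ed25519.PublicKey // device name -> public key
}

// NewDevice generates the device-bound key pair at first use.
func NewDevice(name string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{name: name, priv: priv, pub: pub}, nil
}

// Enroll registers the device's public key. On a new phone this step has to be
// repeated, which is the re-registration cost the article describes.
func (s *Server) Enroll(d *Device) {
	if s.keys == nil {
		s.keys = map[string]ed25519.PublicKey{}
	}
	s.keys[d.name] = d.pub
}

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the device side of a login: the private key is used only if the local
// sensor reported a match. biometricMatched is an assumed stand-in for that check.
func (d *Device) Sign(challenge []byte, biometricMatched bool) ([]byte, error) {
	if !biometricMatched {
		return nil, errors.New("local biometric check failed; key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Authenticate checks the signature against the enrolled public key.
func (s *Server) Authenticate(deviceName string, challenge, sig []byte) bool {
	pub, ok := s.keys[deviceName]
	if !ok {
		return false // unknown or not-yet-enrolled device
	}
	return ed25519.Verify(pub, challenge, sig)
}

// Login runs one full exchange and reports whether the server accepted it.
func Login(s *Server, d *Device, biometricMatched bool) (bool, error) {
	ch, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(ch, biometricMatched)
	if err != nil {
		return false, err
	}
	return s.Authenticate(d.name, ch, sig), nil
}

func main() {
	s := &Server{}
	phone, _ := NewDevice("alice-phone")
	s.Enroll(phone)
	ok, err := Login(s, phone, true)
	fmt.Println("enrolled phone, biometric matched:", ok, err) // true <nil>
	ok, err = Login(s, phone, false)
	fmt.Println("enrolled phone, no local match:", ok, err) // false + error
	newPhone, _ := NewDevice("alice-new-phone")
	ok, _ = Login(s, newPhone, true)
	fmt.Println("new phone before re-enrollment:", ok) // false
	s.Enroll(newPhone)
	ok, _ = Login(s, newPhone, true)
	fmt.Println("new phone after re-enrollment:", ok) // true
}
```

The inconvenience the article notes is visible in the last two lines: the new phone is refused until it enrolls its own key. What the article's proposed fix would give up is visible in the `Server` struct: an attacker who dumps `keys` obtains public keys that cannot be used to sign a challenge, whereas a dump of stored templates would be the permanent loss described earlier.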

The problem of biometric changes

Another thing to bear in mind is the possibility of biometric change, which can easily affect workers. A burn on a finger can alter a fingerprint, and an injury that disfigures the face is another example. This becomes a serious problem when biometric authentication is the only method in use and no backup is available, which is why a fallback such as a password, a security key or a second enrolled trait should always exist.

We also have to talk about spoofing, formally known as presentation attacks. Cybercriminals have managed to get scanners to accept molds or replicas of fingerprints and photos or replicas of valid users' faces. Liveness detection (presentation attack detection) has improved a lot, but it is still far from perfect, and a sensor without it should be assumed to be fooled by a good replica.

What to do if a biometric breach occurs

In the event of a biometric authentication breach we could be in serious trouble. Once the attacker gains access, they can change the credentials on those accounts and lock the worker out of their own account.

For this reason the company's response is critical: it has the responsibility to alert users immediately so they can take steps to minimize the risk. As soon as a breach is detected, both the company and its workers should disable biometric login on the affected accounts and devices and revoke the enrolled templates or keys. They should then fall back to the default, generally a username and password, ideally combined with a second factor.

The best way for organizations to protect themselves is a layered approach to security. The ease of use of biometrics makes it an attractive option for businesses and users alike. But depending on biometric authentication alone is a high-risk strategy, given the drawbacks and risks described above.