Biometrics are an incredibly convenient way to authenticate users. All they have to do is look at their phone or touch their device, and they are ready to go. People can’t forget their biometrics like they can forget their passwords. They can’t hand over their biometrics in a phishing attack. They can’t lose their biometrics like they can lose a hardware security token.
But that doesn’t mean biometrics are free of flaws. We aren’t going to tell you never to use biometrics, only to acknowledge that biometrics, like all authentication mechanisms, have their problems. We need to recognize these problems and work around them if we want to provide robust security.
As an example, passwords that aren’t hashed appropriately prior to storage present a huge security risk. Similarly, a biometric authentication system that has no mechanism to detect presentation attacks is left with a significant security vulnerability. Whether a system uses passwords or biometrics, the security comes down to the specifics of the implementation.
There are many different biometric identifiers that can be used for authentication, including faces, fingerprints, irises, retinas and voices. Each of these has its own positives and negatives, but face and fingerprint scans are probably the ones we are most familiar with because they are more commonly deployed in consumer devices.
False positives and negatives
While biometric identifiers are generally unique to individuals, that doesn’t mean the tools we use to read them are foolproof. Reliability varies with the type of biometric identifier and the technology used to capture it, but false positives and false negatives are a huge concern.
If a biometric system is susceptible to false positives, it means that other parties may be able to easily authenticate themselves and access your accounts. If false negatives are common, you may have trouble accessing your account.
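The trade-off between the two error types can be seen by sweeping an accept threshold over match scores. This is an added example, not part of the original article: it assumes a matcher that returns a similarity score between 0 and 1 and accepts at or above a threshold, and every score in it is constructed.

```python
# Added illustration. Scores are constructed, not output from a real matcher.
# Assumption: the matcher returns a similarity score in [0, 1] and the system
# accepts an attempt when score >= threshold.

GENUINE = [0.91, 0.88, 0.79, 0.95, 0.67, 0.84, 0.73, 0.90, 0.58, 0.86]
IMPOSTOR = [0.12, 0.33, 0.41, 0.27, 0.62, 0.19, 0.48, 0.70, 0.36, 0.22]
THRESHOLDS = [0.30, 0.50, 0.65, 0.75, 0.85]


def false_accept_rate(impostor_scores, threshold):
    """False positives: share of other people's attempts that are accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """False negatives: share of the real user's attempts that are rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine, impostor, thresholds):
    """Return (threshold, FAR, FRR) for each candidate threshold."""
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def pick_threshold(genuine, impostor, max_far, thresholds):
    """Lowest threshold whose FAR stays within max_far.

    FRR can only grow as the threshold rises, so the lowest qualifying
    threshold is the one that locks out the real user least often.
    Returns None when no candidate meets the target.
    """
    for t, far, frr in sweep(genuine, impostor, sorted(thresholds)):
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("strict (FAR 0%):", pick_threshold(GENUINE, IMPOSTOR, 0.0, THRESHOLDS))
    print("lenient (FAR <= 10%):", pick_threshold(GENUINE, IMPOSTOR, 0.1, THRESHOLDS))
```

With these constructed scores, driving false accepts to zero costs a 30% false reject rate, while tolerating 10% false accepts brings false rejects down to 10%.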
Sometimes, a false positive can occur because another person—such as a twin or sibling—has similar features. But the biggest concern involves hackers somehow accessing a user’s fingerprint, iris or face, and then fraudulently using a copy to access their account. These are known as presentation attacks. For example, in 2019, someone managed to fool the Samsung Galaxy S10’s fingerprint scanner by taking a photo of a fingerprint from a wine glass, and then using a 3D printer to produce a copy.
Presentation attacks can be mitigated through presentation attack detection (PAD) systems: mechanisms that detect whether the person is actually present, rather than a photo or some other form of deception. A simple example involves having a border agent watch over the iris scanner at the airport. If someone tries to hold up a picture of an iris to trick the system, the border agent will detect it straight away. The leading biometric authentication systems generally have more technologically sophisticated means of detecting whether the person is present.
Biometric identifiers aren’t secret
You would never write your password on your forehead because your accounts would be compromised straight away. You keep it a secret, so that only you can access your account. It’s really hard to do the same with your face, because people see it all the time. There are countless photos of your face on the internet, while an identifier like your fingerprints can be retrieved from things that you’ve touched.
The fact that biometric identifiers aren’t secret is why presentation attacks are such a huge threat, and why we need PADs to mitigate them. One of the most common examples of face authentication is Apple’s Face ID. It helps to mitigate presentation attacks by projecting thousands of infrared dots onto the user's face and then reading the pattern with an infrared camera. This prevents attackers from being able to simply hold up a picture of their target to gain access to their device.
Another of Apple’s security measures involves only allowing authentication when the user’s eyes are open and looking at the device. This helps to stop an attacker from trying to unlock a sleeping user’s device. These mitigation strategies help to show just how important the implementation is for biometrics to be used safely.
Privacy
Biometric identifiers such as fingerprint, face or iris scans should never be stored for verification. Instead, only a cryptographic representation of the scan should be stored. This helps to preserve user privacy and mitigates the security risks if the database is ever compromised.
There are a whole bunch of privacy issues associated with using biometrics to identify people at borders, protests and other places, but we will save that discussion for another day.
Law enforcement
One aspect that is often overlooked is how the authorities may view biometrics differently to knowledge-based authenticators, such as passwords or PINs. This is jurisdiction dependent, but in the U.S., courts have determined that passwords and PINs are protected under the Fifth Amendment, so users cannot be legally compelled to provide them. This does not necessarily apply to biometric authenticators, and people may be compelled to unlock their phones with their fingerprints.
While these concerns are legitimate, whether you worry about them or not depends on your threat model. If you’re a good, law-abiding, tax-paying citizen who doesn’t antagonize the wrong powerful people, these concerns might not be that important to you. You may value having convenient and relatively secure access to your devices over some scenario that is never likely to eventuate. But if you’re an activist, a journalist, or anyone else who ruffles the wrong feathers, you may want to play it safe and stick to passwords and PINs.
Is biometric authentication secure?
The security of biometric authentication is entirely dependent on the implementation. Given the issues surrounding biometric authentication, it’s generally best to combine it with other authentication factors whenever we are securing anything important.
When it comes to your own device, whether you should use biometric authenticators or not will depend on your threat model. If you are worried about being compelled by the authorities to unlock your device, biometrics can be a bad idea. If you think that an attacker would be willing to cut off your finger to access your device, you may also want to reconsider. But for most people, and especially people who would otherwise use weak passwords or PINs, biometric authentication can be a convenient way to protect their devices.