
Two common misconceptions about biometrics

FIDO Alliance

In a recent media update, Andrew Shikiar, the executive director and chief marketing officer of the FIDO (Fast Identity Online) Alliance, discusses two common misconceptions about biometrics, notably: (1) that biometrics are insecure; and (2) that biometrics are easy to spoof.

Here is the article in full:

The surge in smart home integration is slowly taking over cosmopolitan Asia. By 2024, around 96.4 million households across the region are expected to get smart security systems to safeguard against home invasion and theft. 

The future smart home promises a seamless, personalised and device-free experience. As an example, the added security smart locks provide is gaining popularity among the working population, for whom the safety of aged parents and children is a major concern. The security of biometric digital door locks combats the threat of intruders because only pre-identified people can enter.

In addition to smart home innovations, the commercial application of biometrics is also being progressively rolled out in other industries, including in digital banking, building and facility security, and more. According to IDC, almost a third of organisations in APAC see biometrics for authentication purposes as important or extremely important.

Although APAC is ahead of the curve on biometrics adoption, concerns around security and losses from identity fraud still persist. Major outcry following instances such as the Biostar 2 data breach merely add gasoline to a fire that has been building for years.

The most common misconception is biometrics’ immunity to potential attacks. It is critical to discourage the hyperbole of data breach stories from overshadowing the real cause — storage of biometrics data in a centralized database.

Misconception #1: Biometrics are insecure

Contrary to privacy concerns, biometric authentication is one of the most secure and usable forms of authentication available today. If implemented correctly, biometrics can actually be one of the few technologies with no tradeoff, offering users both convenience and security.

What is less known, however, is that “correct” implementation means keeping our biometric data out of centralized servers and adhering to privacy best practices.

Pilfered passwords – still the most widely used form of authentication today – are responsible for more than 80 percent of hacking related breaches, according to a Verizon Data Breach Investigations Report.

Biometrics can be one of our best options going forward, and may even revive two-factor authentication (2FA) adoption — but we cannot make the same mistake we did with passwords.

Look at the model: Passwords lost their efficacy because the average user has over 90 online accounts and, more often than not, uses the same password across several of them. The fact is, a thicket of passwords ends up as sitting ducks on a server somewhere, stolen and then easily used for password spraying, credential stuffing, and other attacks that let cybercriminals into your accounts. The financial impact of each data breach is staggering, costing USD2.62 million on average in Southeast Asia, according to IBM.

Biometrics are secure, yes. But if we store them on a server, biometrics data will be as easy to steal as passwords – and even worse, considering we cannot change, without going to extreme effort, our fingerprints, or our faces.

So instead of relying on servers, biometric data can and should only be stored locally on the user’s device (e.g., laptop or mobile phone). Tech heavyweights — Microsoft, Apple, and Google — are already taking this approach. Consumers are rightly concerned if their biometric data will be safeguarded, and providers must be transparent about using the right approach to biometric data storage.

Misconception #2: Biometrics are easy to spoof

Very early on, biometric spoofing also raised alarm bells. Online coverage around hackers creating sophisticated fingerprint molds with 3-D printers and successfully getting into a device is even more pervasive. While biometric systems are vulnerable to presentation (or spoof) attacks, in practice they are extremely difficult to implement and — most critically — they are prohibitively difficult to implement at scale.

Vendors are addressing this by coming out with new innovations in the sensitivity of their sensors as well as new liveness detection capabilities, to test for the proper user. JFK airport in New York recently launched a biometric self-boarding system. With a brief glance at a high-precision camera equipped with next-gen liveness detection, passengers are automatically cleared for boarding.

The spoofing threat does not mean we have to abandon biometrics. We just need to be realists about the cyber arms race and also be sure to follow biometric authentication best practices. In addition to only storing biometric data on the device, service providers need to take a second step, which is to leverage available technology that verifies the physical possession of the authorized user’s personal device every time the biometric is presented.

Take these two steps — store biometric data on the user’s device (and never let it leave) and require irrefutable proof of device possession — and the threat of a large-scale breach of biometric data is gone. A criminal would need both your biometric data and device to even attempt an attack. And if we know anything about hackers, it’s that if an attack plan is not large-scale enough, they are not going to bother.
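The two steps above, as an added illustration that is not part of Shikiar's article or any FIDO specification: the biometric template and a private key stay on the device, the server keeps only the public key, and each login is a signature over a fresh server challenge. The `Device` and `Server` types are assumptions for this sketch, and the biometric match is modelled as a plain template comparison (sensor matching and liveness detection are out of scope).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Device models the user's phone: the biometric template and the
// private key are stored here and never leave it.
type Device struct {
	template []byte
	priv     ed25519.PrivateKey
}

// Server keeps only the public key, so a breach of its database yields
// neither a biometric template nor a usable credential.
type Server struct {
	pub ed25519.PublicKey
}

// Register generates the device-bound key pair; only the public half
// is handed to the server.
func Register(template []byte) (*Device, *Server) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{template: template, priv: priv}, &Server{pub: pub}
}

// Challenge returns a fresh random nonce the device must sign.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Authenticate is the on-device step: a successful local biometric match
// unlocks the private key, which signs the server's challenge.
func (d *Device) Authenticate(presented, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(presented, d.template) != 1 {
		return nil, errors.New("biometric match failed; key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify is the server step: possession of the registered device is
// proven by a valid signature over this session's challenge.
func (s *Server) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.pub, challenge, sig)
}
```

A stolen template presented from a different device, or a captured signature replayed against a later challenge, both fail verification, which is the point of requiring possession on every presentation.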

By taking these steps, we can embrace the convenience that biometric authentication offers with no tradeoff — and with no worries about losing the only pieces of ourselves that we have left.

Andrew Shikiar is the executive director and chief marketing officer at FIDO Alliance, a group comprised of 250 of the world’s largest technology and government organizations. Created to solve the world’s password problem, FIDO’s mission is to drive standards that pave the way for protection online that doesn’t endanger consumers the way passwords do.