Biometric authentication is not solving the password problem
This is a guest post by Mickey Boodaei, CEO of Transmit Security.
In the last few years, we’ve seen biometric authentication implemented across consumer applications and products primarily for convenience. Consumers can now do everything from unlocking their phones to paying for a new pair of shoes or accessing their bank account with just a tap of their finger. With the biometric market anticipated to grow 10.3 percent year-over-year from 2018 to 2023, it’s clear that we’re moving towards a biometric-centric password future.
Biometric authentication has gotten a lot of hype as the solution to passwords, but are we actually more secure or is the convenience provided only making the password problem worse?
Biometrics in the era of user convenience
When banks started rolling out fingerprint authentication for mobile apps the impact was immediate. Millions of users set up fingerprint authentication and started logging in and buying things without using passwords. Now, almost every smartphone (and some computers) on the market contains a biometric authenticator (generally fingerprint or face), firmly settling biometrics into the era of instant gratification and user convenience.
Since biometric data is securely locked on the device, the assumption was that this was a more secure method of authentication. But over time, usability issues started to emerge, because biometric authentication did not eliminate old passwords; it only created a shortcut around passwords that still existed. When users switch to a new phone they’re required to re-enter their password during the first login to their banking app. The problem here is that users who have become accustomed to logging in using biometrics are less likely to remember their passwords. When forced to enter a password, the user may have to go through the “forgot my password” process, severely impacting the user experience.
This problem isn’t limited to new devices. The link between a user’s biometric identifier and a mobile app can break whenever a user adds or removes registered identifiers from their device, resets the device to its factory settings or re-installs an app. As a security measure, the operating system breaks the link and the user is forced to re-enter their password. This is a security function that many applications containing sensitive information, such as banking applications, have implemented.
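As an added example (not code from the original post or from Transmit Security), the following Kotlin shows how an Android app deliberately ties its biometric shortcut to the currently enrolled biometrics, so that the OS invalidates the key when enrollments change and the app falls back to the password, exactly the behaviour described above. The Android KeyStore and `BiometricPrompt` APIs used are real; the names `KEY_ALIAS`, `createBiometricKey`, `prepareBiometricUnlock`, `UnlockResult` and the `storedIv` parameter are assumptions made for this illustration.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical alias for the app's biometric-gated key (an assumption for this example).
private const val KEY_ALIAS = "example_biometric_login_key"

// Generate an AES-GCM key in the Android KeyStore that can only be used after a
// biometric prompt succeeds and that the OS permanently invalidates as soon as
// the set of enrolled biometrics changes (fingerprint added/removed, etc.).
fun createBiometricKey(): SecretKey {
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS,
        KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)          // key usable only after user auth
        .setInvalidatedByBiometricEnrollment(true)    // break the link on enrollment changes
        .build()
    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    generator.init(spec)
    return generator.generateKey()
}

// Outcome of trying to start a biometric login: either a cipher ready to be wrapped in
// BiometricPrompt.CryptoObject, or a signal that the app must ask for the password again.
sealed class UnlockResult {
    data class Ready(val cipher: Cipher) : UnlockResult()
    object NeedsPassword : UnlockResult()
}

// Prepare to decrypt the locally stored login token (IV saved alongside it at encryption
// time). If the OS has invalidated the key, the app deletes the stale key and falls back
// to password login; the server-side password itself is untouched by any of this.
fun prepareBiometricUnlock(storedIv: ByteArray): UnlockResult {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val key = keyStore.getKey(KEY_ALIAS, null) as? SecretKey
        ?: return UnlockResult.NeedsPassword            // never enrolled on this device/app install
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    return try {
        cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, storedIv))
        // Caller shows BiometricPrompt with BiometricPrompt.CryptoObject(cipher);
        // cipher.doFinal(...) on the stored token succeeds only after the prompt succeeds.
        UnlockResult.Ready(cipher)
    } catch (e: KeyPermanentlyInvalidatedException) {
        keyStore.deleteEntry(KEY_ALIAS)                 // stale key: enrollments changed
        UnlockResult.NeedsPassword
    }
}
```

The design point is the one the post makes: the biometric never replaces the password, it only gates a key that decrypts a locally cached credential or token. Whenever that key is missing or invalidated (new device, reinstall, factory reset, changed enrollments), the password is the only thing left to authenticate with, so it still has to exist on the server and still has to be remembered by the user.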
Biometrics aren’t secure enough
As the industry has come to learn, biometric authentication is hardly the panacea to our security issues. These new authentication methods have turned out to be more of a convenience factor for users to bypass the usual password-entering log-in process, but those passwords still exist beneath the surface and can be accessed to overcome a fingerprint, face scan or any other type of biometric authentication.
Even if we remove traditional passwords from the equation, hackers will still be able to beat biometric authentication. Apple’s TouchID and Samsung’s biometric sensors are routinely hacked time and time again. In just one example, a famous hacker was able to recreate the fingerprint of German Minister of Defense Ursula von der Leyen using high-resolution photos of the politician’s thumb from a press conference and VeriFinger software.
Just this month, a massive security flaw in a biometrics system used by UK banks, police and defense companies exposed the fingerprints of more than one million people as well as unencrypted passwords, facial recognition information and other personal data. The breach poked a big hole in our perception of biometrics as a more secure password option and it also revealed another major problem: you can change your password but not your fingerprint.
Biometrics are part of our passwordless future
Fingerprint authentication is a good first step for avoiding passwords, but it does not eliminate them. Passwords still exist in the background even if they’re not being used to log in to an account. Therefore, they can still be stolen or phished by fraudsters even if the user opts to access apps through fingerprint authentication. To fully eliminate passwords, companies must incorporate alternatives like challenge questions, one-time passwords, voice biometrics, touch biometrics, and other technologies that need to be constantly orchestrated to create a password-free experience.
The password paradigm is quickly changing and fingerprints will be a part of that future. But given the user and security challenges fingerprint biometrics pose, companies shouldn’t rely on them as a sole security solution. Instead, we should look at fingerprint biometrics as one piece of a robust identity and access management (IAM) platform that allows us to eliminate passwords.
About the author
Mickey Boodaei is CEO of Transmit Security, which helps companies simplify and accelerate identity and risk-related capabilities and policies to their applications. He founded Trusteer and Imperva, both of which were later acquired by IBM.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.