Just last month, news broke that biometric data for more than a million people was exposed from a platform called Biostar 2, a tool to control access to buildings and secure areas. This wasn’t the first time a biometric database had been compromised. Remember the OPM breach? Over 20 million people who went through U.S. government background checks sure do — as do the Chinese hackers who now hold that data. How about India’s national identity database, Aadhaar? The media coverage poured in, with naysayers warning us to be terrified of biometric authentication. “After all,” they said, “you can change your password but you can’t change your fingerprint.”
This recent Biostar news merely added gasoline to a fire that has been building for years. Last month, a Wall Street Journal feature claimed, “biometrics have their own problems that might be worse than passwords.” Stories like this miss one crucial point, though, and it’s critical to set the record straight. The breaches here aren’t a biometrics problem, they’re a centralized biometrics problem. Specifically, the problems arise when biometrics data is stored in a centralized database.
Biometrics are inherently secure
There’s a give and take in today’s networked economy between privacy and convenience. Want more convenience? Be prepared to give up more of your personal data. But in the case of biometric authentication, it’s not just data, it’s our physical attributes at stake. Does the convenience of biometric authentication necessitate us ceding control of what may be one of the only things left that we can still claim as uniquely “us?”
No, surprisingly, biometric authentication is one of the most secure and usable forms of authentication available today. If implemented correctly, biometrics can actually be one of the few technologies with no tradeoff, providing us with both convenience and security. And “correct” implementation means keeping our biometric data out of centralized servers and adhering to privacy best practices.
It’s true that you can’t change your fingerprint, but passwords alone — still the most widely used form of authentication — are the absolute worst form of authentication available and the source of the vast majority of our data breaches. Biometrics can be one of our best options going forward and may even revive stagnating two-factor authentication adoption – but we can’t make the same mistake we did with passwords.
Look at the model: Passwords have lost their efficacy because the average consumer has over 90 accounts and, more often than not, uses the same password across more than one of them. They sit on a server somewhere, vulnerable to compromise, after which they are then easily used for password spraying, credential stuffing, and other attacks that let criminals into your accounts (and are costing billions of dollars per year in fraud).
Biometrics are secure, yes. But store them on a server and we’re back to where we started, but even worse because of that whole “can’t change your fingerprint” fact.
Instead of relying on servers, biometric data can and should only be stored locally on the user’s device. A lot of providers are already taking this approach – including the aforementioned platforms from Microsoft, Apple, and Google. Providers should be transparent about their approach to biometric data storage when it’s being used for authentication and not hide it in a TOS somewhere.
Biometrics can beat spoofing
Aside from the biometric storage issue, biometric spoofing has also raised alarm bells. We’ve all seen the coverage around hackers creating sophisticated fingerprint molds with 3-D printers and successfully getting into a device. While it’s true that biometric modalities are vulnerable to presentation (or spoof) attacks, in practice they are extremely difficult to implement and — most critically — they are prohibitively difficult to implement at scale.
Vendors are addressing this with new innovations on two fronts: improving the sensitivity of their sensors and adding liveness detection capabilities. A few examples: having the user blink when using a face recognition system, or having the fingerprint sensor read below the skin for characteristics that cannot be spoofed by a fake fingerprint.
The spoofing threat doesn’t mean we have to abandon biometrics, just that we need to be realists about the arms race being driven by hackers, and also to be sure to establish and follow biometric authentication best practices. In addition to only storing biometric data on the device, service providers need to take a second step, which is to leverage available technology that verifies the physical possession of the authorized user’s personal device every time the biometric is presented.
Take these two steps – store biometric data on the user’s device (and never let it leave) and require incontrovertible proof of device possession – and the threat of a large-scale breach of biometric data is gone. A criminal would need your biometric and your device to even attempt an attack. And if we know anything about hackers, we know that if it doesn’t scale, they aren’t going to bother.
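To make the two steps concrete, here is an added example (written for this page, not code from the author or from FIDO Alliance) of the authentication model the article describes: the biometric template and the private key live only on the device, the server keeps nothing but a public key, and every login is a fresh, one-shot challenge signed on the device after a local biometric match. The `Device` and `Server` types, the exact-match template comparison standing in for a real sensor matcher, and the `origin` string bound into the signed message are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device holds everything that must never leave the user's hardware:
// the enrolled biometric template and the private signing key.
// The template is a constructed stand-in for a real sensor template;
// a real matcher is fuzzy, this one is an exact comparison.
type Device struct {
	template []byte
	priv     ed25519.PrivateKey
}

// Server stores only a public key per user plus the challenge it last
// issued. A breach of this store exposes no biometric data at all.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // userID -> outstanding one-shot challenge
}

func NewServer() *Server {
	return &Server{
		pubKeys:    map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Enroll generates the key pair on the device and registers only the
// public half with the server. The template never leaves the device.
func Enroll(userID string, template []byte, s *Server) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[userID] = pub
	return &Device{template: append([]byte{}, template...), priv: priv}, nil
}

// IssueChallenge creates a fresh random nonce for one login attempt.
func (s *Server) IssueChallenge(userID string) ([]byte, error) {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[userID] = c
	return c, nil
}

// Authenticate performs the local biometric match and, only on success,
// signs challenge||origin with the device key. The signature is what
// proves possession of the device; no biometric data is transmitted.
func (d *Device) Authenticate(presented, challenge []byte, origin string) ([]byte, error) {
	if subtle.ConstantTimeCompare(presented, d.template) != 1 {
		return nil, errors.New("biometric mismatch: signing key stays locked")
	}
	msg := append(append([]byte{}, challenge...), []byte(origin)...)
	return ed25519.Sign(d.priv, msg), nil
}

// Verify checks the signature against the stored public key and consumes
// the challenge, so a captured response cannot be replayed.
func (s *Server) Verify(userID, origin string, sig []byte) bool {
	pub, haveKey := s.pubKeys[userID]
	c, haveChallenge := s.challenges[userID]
	if !haveKey || !haveChallenge {
		return false
	}
	delete(s.challenges, userID) // one-shot: a second Verify with the same sig fails
	msg := append(append([]byte{}, c...), []byte(origin)...)
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	srv := NewServer()
	template := []byte("constructed-fingerprint-template") // constructed sample
	dev, _ := Enroll("alice", template, srv)
	ch, _ := srv.IssueChallenge("alice")
	sig, err := dev.Authenticate(template, ch, "https://example.test")
	fmt.Println("local match ok:", err == nil)
	fmt.Println("server accepts:", srv.Verify("alice", "https://example.test", sig))
	fmt.Println("replay accepted:", srv.Verify("alice", "https://example.test", sig))
}
```

Note what the server can and cannot lose here: a dump of `pubKeys` yields public keys that are useless without the device, and a captured signature is bound to one challenge and one origin, so it neither replays nor transfers to another site. The biometric only ever gates the use of the local key.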
By taking these steps we can embrace the convenience that biometric authentication offers with no tradeoff – and with no worries about losing the only pieces of ourselves that we have left.
Andrew Shikiar is executive director of FIDO Alliance.