Geoff Anderson, CEO, PixelPin writes for Defence Online and argues that biometric solutions might not represent the future of security after all…
Anyone of a certain age who grew up with an interest in sci-fi will have seen characters open doors and log in to computers with either a press of their fingerprint or a quick scan of their eye like in 2001: A Space Odyssey. It all added a little bit of futuristic glamour to what can be a pretty mundane part of life.
As is often the way, real-life technology tends to catch up with our imagination, and biometrics are now everywhere: from debit cards that were trialled in the UK earlier this year to the lock screens of our phones, tablets and laptops. As biometrics have filtered into the mainstream – largely driven by our mobile devices – they’ve often been touted as the next step in personal security. Never again will you be stuck at the checkout trying desperately to recall your PIN as the queue behind gets more and more impatient. What’s more unique, personal and memorable than your own face or fingerprint?
The reality, however, is not as good as our imagination. Once the novelty and convenience are taken out of the equation, there are some serious questions around the reliability and security credentials of the biometric solutions out there today.
The fallacy of reliability
The two forms of biometric authentication that have most permeated daily life are probably fingerprint and facial recognition. For those with the latest smartphones, they have become the de facto means of unlocking the device. Simple, quick and low-effort.
They are also not quite as secure as people think. Fingerprint scanners typically read only a partial fragment of the fingerprint rather than every loop, whorl, arch and ridge, so there is a much higher chance of inaccurate results. It has also been shown that an accurate cast of a fingerprint can be made, and used successfully, from nothing more than a high-resolution photo.
Depending on the type of technology used, facial recognition also has its problems, and not just if you have a twin or an unknown doppelganger. Some less thorough systems are easily fooled by a picture of the right person being held up rather than that person being present. Meanwhile, the problems many facial recognition systems have with race and gender are well documented.
The quality of the physical kit is also a significant factor: both technologies are built into a large number of devices of varying price, making quality and accuracy highly variable.
An unreliable failover
Even if we disregard concerns around reliability, there is one glaring flaw that will always limit the efficacy of biometrics as a cybersecurity solution: the reliance on passwords.
As anyone who has set up Face ID or a fingerprint on their phone knows, you are required to set a PIN or password first. That password always remains as a fallback route into the service you’re looking to use. They say “you’re only as strong as your weakest link”, and when it comes to cybersecurity, that weakest link is often the password.
While the technology we use is becoming more sophisticated and more pervasive, security lags behind in many respects. The password is a relic that has existed for as long as people have wanted to protect information. While passwords might be thought of as simple, today they are rarely fit for purpose.
Part of the problem stems from the fact that good passwords are easy to forget; studies show that we remember passwords based on how often we use them. So if you only log in to something once in a while, good luck remembering that password. As a result, people often try to work around this with easy-to-remember bases for their passwords: birthdays, sports teams, pets’ names and the like. The result is that someone with a fairly superficial knowledge of you could quite easily guess your password. Or, worse still, you could be lazy enough to be using one of the most popular passwords out there.
And it gets worse. Despite warnings otherwise, a lot of people use the same passwords across different platforms, devices and services, and rarely change them. It could be that a password you set up for a long-forgotten BigFoot email or Friends Reunited account is the key for a hacker to get into your Amazon or online banking account. So, no matter how unique your fingerprint is, if you don’t back it up with a strong password it’s little more than a convenient gimmick.
Visual PIN = Convenience + Security
Thankfully, there are alternatives to biometrics and to the passwords or PINs used to support them. A visual PIN, for example, combines an image with a sequence of points on that image to create a dual-layer password that is highly secure, unique to the user, and easy to remember.
Unlike biometrics, it doesn’t require specialised equipment to be installed, just a screen like that found on almost every smart device. Likewise, it can be used anywhere, on any device – not just the one it has been set up on.
Furthermore, when compared to passwords, the strength lies in the picture superiority effect: we remember images more accurately than words, making it far easier to recall an image-based password than a traditional character-based one. As a result, image-based password reset rates are significantly lower than the average for character-based passwords (a 17% reset rate, versus more than 33% of alphanumeric passwords forgotten). It’s more secure and less susceptible to hacks and guesses.
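As an added illustration of how an image-plus-points credential can be verified without storing the user's clicks, here is a generic click-point scheme; it is example code written for this page, not PixelPin's implementation, whose internals the article does not describe. The 10x10 grid, the PBKDF2 parameters, the function names and the sample coordinates are all assumptions.

```python
import hashlib
import hmac
import os

GRID = 10           # assumption: quantise clicks into a 10x10 grid of cells
ITERATIONS = 200_000  # assumption: PBKDF2 work factor, as for any password hash

def quantise(points, width, height):
    """Map raw (x, y) pixel clicks to grid cells so small click jitter still verifies."""
    cells = []
    for x, y in points:
        if not (0 <= x < width and 0 <= y < height):
            raise ValueError("click outside the image")
        cells.append((x * GRID // width, y * GRID // height))
    return cells

def encode(image_id, cells):
    """Serialise the chosen image and the ordered cell sequence into the secret input."""
    return (image_id + ":" + ",".join(f"{cx}.{cy}" for cx, cy in cells)).encode()

def enrol(image_id, points, width, height, salt=None):
    """Store only a salted, slow hash of image id + cell sequence, never the raw clicks."""
    salt = salt if salt is not None else os.urandom(16)
    secret = encode(image_id, quantise(points, width, height))
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify(record, image_id, points, width, height):
    """Recompute the digest and compare in constant time; wrong image or wrong order fails."""
    try:
        secret = encode(image_id, quantise(points, width, height))
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", secret, record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

def keyspace(num_points):
    """Number of ordered cell sequences of the given length (cf. 10**4 for a 4-digit PIN)."""
    return (GRID * GRID) ** num_points

if __name__ == "__main__":
    # constructed sample: a 1000x800 image and four enrolment clicks
    rec = enrol("holiday.jpg", [(120, 90), (640, 400), (905, 755), (30, 600)], 1000, 800)
    print(verify(rec, "holiday.jpg", [(135, 95), (650, 410), (910, 790), (40, 610)], 1000, 800))
    print(keyspace(4))
```

Because only grid cells feed the hash, a login attempt that lands a few pixels from the enrolled clicks still verifies, while the same points in a different order or on a different image do not.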
For now – at least when it comes to security – biometrics should stick to the pages and screens of sci-fi.