Biometrics are being touted as the “next big thing” in protecting digital information and identities for online transactions. A computer can use any device with the appropriate sensors, whether a microphone to capture a voice or a camera to capture a face, and this would certainly seem to protect users from criminals seeking to cause trouble.
In fact, Hollywood uses this technology to great effect. From protecting nuclear missiles in James Bond movies to opening jail cells in Demolition Man, biometrics have been embedded in our culture as the highest level of security. Short of placing a human security guard at every computer to watch every transaction, biometrics really are the best thing we have to protect ourselves. But there is always a catch.
Biometrics Aren’t Bulletproof
Like anything else, biometrics that are improperly deployed are not only unsafe but can actually cause more damage than they prevent. For example, an article from August 5th, 2015 on ZDNet highlights a method for stealing fingerprints en masse. It should be noted that, at the time that article was written, Samsung’s Android phones saved the fingerprint image in unencrypted form, allowing anyone who knew where it was stored to simply retrieve it. Unlike a password, a leaked fingerprint cannot be changed or revoked, which is what makes this kind of carelessness so costly. Laxity of this kind is common among device manufacturers.
Fingerprints have also been shown to be capturable from a photograph taken at a distance, simply because someone held a hand up in the air. Cameras, particularly smartphone cameras, have gotten that good. Does this mean that fingerprints aren’t a reliable biometric? Absolutely not. In fact, fingerprints remain the easiest and most widely used biometric we have.
Consider this: it’s even easier to capture someone else’s face from a distance, yet people still want to use that as a biometric. The keys to a successful deployment of any biometric are the following:
- Use more than one. Do not rely on just face, voice, or fingerprint.
- Change it up! If you are using fingerprint, enroll several individual fingers from both hands, then authenticate with one specific finger. An attacker might get your index finger from a photo or a lifted print but will not necessarily have your thumb or pinky. A very simple change makes a captured print far less useful.
- Lastly and most importantly, have a biometric architecture that properly protects the stored biometric vectors (the templates the system matches against).
There are a few different ways to store and protect biometric data. You can keep the encrypted vectors on the user’s personal device, encrypt them and send them to a server, or use a distributed data model based on Visual Cryptography, a secret-sharing technique that splits the biometric vector into several individual files (shares) that can be stored in different places. Each share on its own reveals nothing about the vector; only when the shares are recombined can the vector be accessed for authentication.
Biometrics are the future, but only if they are implemented properly. It is time we used architectures that protect biometric data against theft instead of creating new ways to lose it.
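To make the distributed option concrete, here is an added example in Python (not code from the original post, nor from any vendor it mentions) that implements the classic Naor-Shamir (2,2) visual cryptography scheme on a constructed 6x6 binary image standing in for a biometric template. The sample image, the function names, and the assumed deployment (one share kept on the device, the other on the server) are illustration-only assumptions.

```python
import secrets

# Constructed sample input: a tiny 6x6 binary "template" (1 = black, 0 = white).
# It stands in for a binarized biometric vector; it is not real fingerprint data.
SAMPLE_TEMPLATE = [
    [0, 1, 1, 1, 1, 0],
    [1, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 0, 1],
    [1, 0, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 1],
    [0, 1, 1, 1, 1, 0],
]


def make_shares(image):
    """Split a binary image into two shares with the (2,2) Naor-Shamir scheme.

    Each secret pixel expands to a pair of subpixels in every share. The pair
    pattern is drawn from a CSPRNG, independently of the secret pixel:
      white pixel (0): both shares receive the SAME pattern, so stacking them
                       leaves one subpixel white (reads as grey);
      black pixel (1): the shares receive COMPLEMENTARY patterns, so stacking
                       them blackens both subpixels.
    Because every pair in a share is a uniformly random (1,0) or (0,1) whatever
    the secret pixel, one share alone is indistinguishable from noise.
    """
    share_a, share_b = [], []
    for row in image:
        row_a, row_b = [], []
        for pixel in row:
            pattern = (1, 0) if secrets.randbits(1) else (0, 1)
            complement = (pattern[1], pattern[0])
            row_a.extend(pattern)
            row_b.extend(pattern if pixel == 0 else complement)
        share_a.append(row_a)
        share_b.append(row_b)
    return share_a, share_b


def stack(share_a, share_b):
    """Overlay two shares; physically stacking transparencies is a pixelwise OR."""
    return [[a | b for a, b in zip(ra, rb)] for ra, rb in zip(share_a, share_b)]


def decode(stacked):
    """Collapse each subpixel pair back to one pixel: both subpixels black => black."""
    return [[1 if row[i] + row[i + 1] == 2 else 0 for i in range(0, len(row), 2)]
            for row in stacked]


def share_is_uninformative(share):
    """True if every subpixel pair in the share has exactly one black subpixel.

    This holds for both shares regardless of the secret, which is why a thief
    who steals only the device-side or only the server-side share (assumed
    deployment) learns nothing about the template.
    """
    return all(row[i] + row[i + 1] == 1
               for row in share for i in range(0, len(row), 2))


def render(image):
    """ASCII rendering: '#' for black, '.' for white."""
    return "\n".join("".join("#" if p else "." for p in row) for row in image)


if __name__ == "__main__":
    # Assumed deployment: share_a stays on the user's device, share_b goes to the server.
    share_a, share_b = make_shares(SAMPLE_TEMPLATE)
    print("Share held on the device alone (noise):\n" + render(share_a))
    print("\nRecombined at authentication time:\n" + render(decode(stack(share_a, share_b))))
```

Two caveats a practitioner would want: this is an n-of-n scheme, so losing either share loses the template (a threshold scheme trades that for redundancy), and whichever party recombines the shares at match time sees the full vector, so the recombination point, not the storage, is the real trust boundary. Real templates are feature vectors rather than images, so they would first be serialized to bits before being shared this way.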