Privacy is a big concern when it comes to biometrics. And it should be, just as it should be with anything involving personal information and the internet. However, because biometrics uses records of an individual, people get even more nervous about it. A look at the facts shows these concerns are overblown.
One of the fears is that biometrics involves using things — fingerprints, your face, your voice – that are irreplaceable if they get hacked. Also, because these things are all exposed through every day use they are easier to steal than a password which is “inherently private.”
This may be because, spy movies and TV shows like CSI and NCIS, make it look easy it is to get a fingerprint from someone: Find a glass they’ve used, blow on some graphite powder, apply Scotch tape, and voila! That fingerprint-protected computer/phone/vault is now open to you.
First, most of the measurements needed to spoof a biometric system aren’t that easy to get.
Fingerprints, for example. There’s a reason it’s crime scene techs and not ordinary cops collecting them: It takes training. Also, people smudge things just by using them, so even a trained pro may only find partial prints. Sure, you may be able to match partials to an existing fingerprint record, but putting them together to make a whole one? Not easy, even for the professionals.
Once you have the print then you have to put it on something finger-like to spoof the scanner. It’s true 3D printing is making this easier but they can’t make something that’s 98.6 degrees warm and/or has the pulse of blood running through it. Those are just two of the ways biometric systems are checking for the “liveness” of the item being scanned.
There are similar counter-measures for voice prints, facial recognition, and iris scans. No doubt bad guys will eventually figure out ways around them but security is an arms race. More counter-measures are already being developed.
In short, all of this takes a lot of work. Passwords, on the other hand, can be cracked with enough time and computing power. Furthermore, that’s something that can be automated. To the best of anyone’s knowledge there’s no equivalent for biometrics. Hacking them has to be done one at a time.
Then there’s the issue of what happens if one of your biometrics is hacked. It’s true that if your fingerprint gets stolen you only have nine more to replace it. If a password is stolen it’s easy to generate a new one. But the thing is, that ignores why you are using these. You are using them to protect information – account numbers, social security ID, bank and credit information, intellectual property. What you want to do is make it as difficult as possible to get to that. Biometrics do that.
Also, Just because a thing is possible doesn’t mean it’s likely. Password-protected data is a target-rich environment for hackers. They can go after a lot of them all at once. Mass attacks like that are the cause of an enormous number of data breaches. Biometrics almost requires individual targeting to succeed. That means the attackers have to know in advance you have something worth the effort it will take to get it.
With biometrics you are protected by the uniqueness of the information used to lock it up, the difficulty to get it and the even greater difficulty to use it if someone does get it. Added to that is the fact that you have to be chosen as a target. Biometrics is a powerful solution to mass-produced hacking.