The Hidden Risks Of Biometric Security

Even before the Equifax breach, we knew “password123” wasn’t enough to protect our online data. We’ve been told that constantly by websites requiring us to create a password. “This is weak,” they say. “This password can be easily guessed. Try again.”

So we try again, and come up with a complex password comprising letters, characters, and numbers that a hacker could never guess. Problem is, neither can we the next time we try to access the site. And as we acquire more electronic gadgets that are password-protected, we wish more than anything that someone would devise a simpler method.

Well someone has: biometric authentication. Some of these techniques have been around for years. Fingerprint and facial or iris recognition softwares are almost old hat by now. Newer advances use other types of human characteristics to identify a person. Primarily funded by the Defense Advanced Research Projects Agency (DARPA), researchers are working on ways to use various unique signatures of our bodies to access our devices, doing away with passwords entirely. Such identifiers as the way you walk, the way you type or click, your heartbeat, even the way you scroll down a screen are said to be unique to you, and thus a secure way to provide so-called “active authentication.”

And as reported in Britain’s The Telegraph, the Biometric Research Group says that 650 million people were already using biometrics to operate their mobile phones at the end of 2015. That number is expected to grow to two billion or more by 2020.

Hooray! Never another password to invent and try to remember. But, is there a downside?

The information obtained from your body is—like everything else in the cyber world—converted to digital data which is then stored. If it remains on your device, that’s probably not a problem. But some devices may transmit and store the data in a remote server, using complex algorithms to verify your identity.

As a Scientific American article on the subject put it, “once your face, iris, or DNA profile becomes a digital file, that file will be difficult to protect. As the recent [data sweeps by the National Security Agency] revelations have made clear, the boundary between commercial and government data is porous at best. Biometric identifiers could also be stolen. It’s easy to replace a swiped credit card, but good luck changing the patterns on your iris.”

“A central repository of biometric data would be a gold mine for hackers,” Salis Prabhakar, CEO of mobile security company Delta ID, told cybersecurity news site The Parallax. The site noted, “someone who has access to your raw biometric data could use it to access your accounts, steal your identity, or even implicate you in a crime.”

And as Tim Edgar, a professor in Brown University’s Executive Master in Cybersecurity program told The Parallax, no biometric measure is 100% accurate, even under ideal conditions. Inaccuracy in this area could result in someone being falsely identified—and treated—as a known felon or a suspected terrorist.

Then there’s the potential commercial value of biometric identification. Joseph Atick, who helped invent facial recognition technology 25 years ago, recently told CBS News that tracking users is so valuable to marketers that tech companies can’t be trusted to self-regulate their use of biometrics.

“You broke my password, I’m going to change it,” he said. “I can’t change my face, I can’t change my fingerprints. I need some mechanism to protect me.” That mechanism, he said, would be a guarantee that all biometric information remains on the device.

So until we have better laws in place to protect our biometric data, Billshark recommends the following tips to creating better, easier-to-recall passwords.

1. Using a ridiculous “passphrase” is better than a single word, even with some letters of that word replaced by characters, because they are almost impossible to guess. Rubberwinewrinkles, for example, is not only difficult to say, but impossible to guess, even with a sophisticated computer algorithm.
2. For sites that require upper- and lower-case letters and characters, you could capitalize just a single recurring letter (rubberwInewrInkles) and add an unusual character at the beginning or end ($rubberwInewrInkles).
3. Because it’s crucial to have a different password for each site you use, you could add an identifier for each site to your now all-purpose passphrase. For Facebook, you could use: $rubberwInewrInklesFB, F$rubberwInewrInklesB, $rubberwInewrInklesfb ... whatever helps you remember most easily.
4. Alternatively, you could use a password manager program or a web storage service, which can generate secure passwords and store them online.
5. Or you could employ two-factor authentication (known as “2FA”), which, in addition to the password, uses a follow-up text with a code or an app which can verify your identity.

Whichever way you choose to go, investigate and evaluate the best method for you. Just don’t depend on “password123.”