Danger: Device Biometrics are NOT Safe!
Biometrics are the unique characteristics of an individual that can be measured and stored in a computer system. These are the traits that make you… YOU. Biometrics have been used to identify humans since the beginning of recorded history. Cavemen drew images of their prints on cave walls to protect them from other cavemen who wanted to steal their hunting grounds.
Today, biometrics are more commonly associated with law enforcement and modern authentication methods, such as fingerprints or facial recognition. For years, IT security experts have recommended biometrics as part of a multifactor authentication (MFA) process for accessing sensitive information on devices and in the Cloud.
However, recent discoveries about how on-device biometric systems work have raised some serious concerns about their safety and efficacy when it comes to device security. In this article we talk about what biometrics are, the difference between on-device and Cloud-based biometrics, why they’re important for device security, and most importantly: why the native Android and iOS biometrics don’t give you the added benefit you’d expect when it comes to securing your data.
What Are Biometrics for Verification?
Traditional authentication involves a username and password, which can be forgotten or stolen. Biometrics are a way of authenticating a person’s identity based on unique physical characteristics, such as their fingerprint. It’s a convenient and reliable way to prove that you’re who you say you are without the burden of remembering complex passwords or passcodes. This is great because we all know that humans are terrible at remembering things.
However, there’s also a terrifying dark side to biometric security: if someone steals your body parts, they can easily use it to gain access to whatever information or device they want — including your bank account!
Biometrics and MFA
MFA allows you to log into a website or app with multiple pieces of information. It’s usually something you know (a password), something you have (your device) and something you are (your face, palm, voice, or fingerprint). This last factor is what makes it more secure than traditional single-factor or two-factor authentication methods like username and password combinations.
For example, if your bank only requires a username and password to log into your account and send money, anyone could steal your identity by guessing or discovering either one of those things—even if they don’t have access to the rest of your personal information, like address or birthday.
Biometric MFA adds another layer of security by requiring both factors for additional protection, plus the addition of your biometrics. In this way, not only do they need your username and password combination but also your physical biometrics in order to access your bank account.
Biometric MFA has been shown — over many years now — to provide a higher level of protection against unwanted third-party access because hackers cannot reproduce these unique traits without permission from the original owner. And even in this rare case, where the owner authorizes a third-party to reproduce their unique traits, there is no guarantee the third-party wouldn’t also share them with others later down the line (which can lead back around to nobody knowing who owns what).
Cloud Biometrics vs. On-Device Biometrics
Cloud-based biometric authentication is safer, more secure, and more convenient than on-device biometrics. On-device biometric authentication is less secure than Cloud-based authentication because it’s based on the assumption that users have physical possession of their devices, which can be stolen or lost at any time (or simply forgotten at home).
In addition to security issues, another limitation of on-device biometrics is that it cannot be used for transactions requiring two-factor verification like banking or retail purchases since they require you to keep your phone close by when you’re making such transactions — which means having access to a fingerprint scanner on your smartphone, tablet, or desktop computer if possible but not always practical (especially if you’re traveling abroad).
Disadvantages of On-Device Biometrics
Biometric authentication is increasingly used to verify the identity of individuals. This technology can be used to replace passwords on smartphones and other devices, as well as fingerprint scanners on mobile phones to unlock them. While this may sound like an improvement over traditional password-based authentication methods, biometrics are not without their own drawbacks:
- Your biometric data is stored on the device itself—which makes it vulnerable to malware that could steal or spy on your identity.
- If you reset your phone or upgrade it for some reason (e.g., upgrading to the latest Galaxy or iPhone), then you’ll have to re-enroll your fingerprints with the new device before it can be used for MFA.
Make Sure Your MFA is Secure!
Biometrics are not only accurate and reliable, but also easy to use. They work by matching a physical trait against the stored image of that trait (your fingerprint, facial features, etc.) in a database. Biometrics can be used as a second factor of authentication in addition to something like your password or PIN code.
You may ask: “How do you know this is safe?” Well, biometric systems have been around for decades and have been used successfully by some of the most secure institutions around, such as banks and government agencies, including the CIA.
We hope this article has provided you with a greater understanding of the serious security flaws that exist with on-device biometrics. Which is why we developed our Cloud-based biometric MFA solution, Imageware Authenticate. It incorporates all the best features of a biometric MFA solution while addressing the security risks. Contact us to see how we can help you get started today.