Biometrics: The Worst, Best Authentication Factor

You are unique. The pattern of your iris. The blood vessel pattern in your retina. The swirls of your fingerprint. Your DNA. Your personality, speech patterns, thought processes. But while these things may be unique, the differences between your unique traits and someone else's unique traits may be minuscule. DNA is pretty similar between family members, and is tedious and expensive to examine. Fingerprint false positive and negative rates range from 0.1% to 4.2%, depending on study - that means that somewhere between 1 in 1000 people and 1 in 24 fingerprints look alike enough (or dissimilar enough) to be mistaken by forensic professionals.

OK, so your uniqueness is harder to prove some ways than others. And while biometrics are a part of one of three authentication factors, there are a plethora of good reasons to avoid it where possible at this time.

Demystifying Multi-Factor Authentication

Multi-Factor Authentication is critical for protecting against the weaknesses of passwords. But not all MFA is created the same, and it can be a confusing thing to do well.

Between Two FirewallsBill Bernard

Sensor/Software Quality

What did you pay for your last cell phone? How about your last laptop? Ever bought a stand-alone fingerprint reader? What do you know about the specs on the fingerprint reader, whether it was stand-alone or part of a device? Do you know the false positive rate? How about the false negative rate?

I can tell you from personal experience that every fingerprint reader I've had on a phone has had a serious false negative issue.

Funny but that data isn't usually listed in the device specs is it?

It wasn't that long ago that reliably fooling a "face unlock" feature on a mobile phone required nothing more than a photograph of the authorized user.

This isn't to say that there aren't good sensors and good software for fingerprint and facial identification purposes, but those are generally not being used on consumer level devices.

As with everything in cybersecurity, the quality and cost of the tool needs to be balanced against the risk of unauthorized access, but as a general rule biometric authentication on consumer devices is not a security feature, it is a convenience feature.

Legal Protections

The courts have been split on whether or not you can be compelled to provide a password, PIN, or "combination" to unlock a digital device. Some courts have considered passwords to be "testimony," and therefore the 5th Amendment protects you from having to share it. Other courts have considered passwords to be no more protected than "business documents" under subpoena.

However the courts have been far less privacy focused when it comes to biometric security controls. Those have been compared to having to turn over a "physical key" to a safe or other device, which has long been held as completely allowable with the appropriate subpoena. This isn't to say that some courts have ruled against compelling the unlocking of a phone via biometrics, but there have been fewer of those across the US as compared to preventing the compelling of a password.

Let's also consider the likelihood of a LEO choosing to illegally search your phone. They have a far easier time aiming your phone's camera at your face or running your thumb across a sensor than they do guessing your password. Yes, an illegal search would likely be thrown out in court, if you're willing and able to put in the time and effort with competent legal representation to do so - at which point you're unlikely to be compensated for your time and effort.

All of this assumes, of course, that your devices are well protected and that the data on them is not recoverable without your authentication - if you're not encrypting your data storage, have been tricked/hacked into installing spyware, or have managed to choose a trivial authentication scheme (the last 4 digits of your phone number is not a good PIN for your cell phone) - it won't matter what sort of authentication you've chosen.

In all you have a better chance of not being compelled to provide a password or a PIN than you do a biometric "unlock" activity, but your protections and success will vary by jurisdiction.

Some devices and Operating Systems offer a "duress password" option to delete data from your device while appearing to allow access to it. I am not a lawyer, and I am not about to give you legal advice, but it seems that using a duress password or PIN may run you afoul of laws against the destruction of evidence, so learning when and how to use it is very important if you're considering such a concept.

Biometrics as Digital Information

Here's where biometrics get extra ugly as an authentication option. In our digital world, at some pone every authentication solution becomes an entry in a database, or a file of its own. Such data is subject to theft. We see it all the time. There are websites devoted to helping you identify if your passwords have been compromised in a breach and the odds are that yes, you have had your passwords compromised.

The good news about a stolen or compromised password is that you can change a password. That can't be said for biometrics.

Your thumb-print won't change without some disfiguring event happening to you. Neither will your retinal scan, or your iris, or your DNA. That means that once your device has a digital copy of your fingerprint, etc. that's it. With your fingerprint I suppose you have 9 other fingers to start using, but it seems to get extremely inconvienent to use anything but my thumb or my pointer-finger, so maybe only three? Imagine only having 4 passwords you can use the rest of your life.

The only silver lining for biometric login is that in the vast majority of cases the biometric information seems to be stored locally on the unique endpoint device, meaning that unlike password compromises there is usually not a gigantic central repository at some online service provider to be compromised all at once.

What To Do, What To Do...

As with everything in cybersecurity you need to weigh your security concerns against everything else, but I strongly recommend caution against over-prioritizing the convenience of using a biometric ID solution when compared to the security of such a solution.

For the security minded I would limit my use of biometrics as much as possible, even in a multi-factor situation, where I'd prefer to focus on a combination of something you know and something you have as your two factors for authentication.