Is Biometrics Really Better?

As organizations look to navigate out of password hell and ratchet up security, there’s a growing focus on biometrics. To be sure, enormous advances are taking place in the field.

We’re seeing fingerprint technology, such as Apple’s Touch ID, embedded in smartphones, and voice recognition systems used by companies like Charles Schwab & Co. to authenticate customers over the phone. We’re even seeing facial recognition being used by financial services provider USAA to log in users.

In addition, Bank of America recently announced that it will use Apple ID to authenticate customers at ATMs. This would eliminate the need to enter a PIN and eliminate the risk of someone stealing it by shoulder surfing or aiming a video recorder. Wells Fargo and Chase are reportedly looking into biometric authentication as well.

Meanwhile, Google is taking direct aim at passwords with its Project Abacus, which is currently being tested by banks. It relies on behavioral biometrics to analyze how a person types and moves, and how he or she speaks. It then examines signals from the sensors in a smartphone in order to generate a “trust score” that determines whether a password is required to authenticate a person.

While all of this represents a step forward, the technology also ratchets up risks. Consider this: If your password is stolen, you simply generate a new one. If your company identification badge goes MIA, you obtain a replacement. Sure, it’s a hassle—and a security risk—but it’s at least doable.

But what happens when the digital code—essentially the raw biometric data that represents a fingerprint, iris scan, voice print or facial geometry—is hacked and stolen from a database or elsewhere? As Alvaro Hoyos, chief information security officer at security firm OneLogin, observes, a person can’t change his or her fingerprint or facial geometry.

The upshot? It’s critical to take precautions and enable strong protections. Among other things, an organization must encrypt all data, including data in transit; store the data on dedicated servers; and use Active Directory or LDAP to boost protection. The server should also have physical protections in place.

In addition, it’s critical to vet both systems and vendors thoroughly. Unfortunately, biometrics technology isn’t 100 percent dependable. Security researchers have exposed flaws that allow someone to use a photograph or recording to break into a system.

According to Biometrics Research Group, 650 million people were using biometrics on mobile devices by the end of 2015. And adoption is growing at an annual rate above 20 percent.

For now, according to Hoyos and other experts, it’s best to approach biometrics with caution—and build in strong protections from the digital data bits up.