What are the risks of biometric identification?

Everyone knows passwords suck. They’re either too easy to guess or too hard to remember, and password leaks can cause all kinds of pain.

That’s why more and more companies are turning to biometrics—the unique characteristics of your body—to replace passwords. You may already use your finger to unlock your iPhone or your face to log in to your Windows 10 laptop. And before the Galaxy Note’s recall, you might have even accessed Samsung Pay by scanning your iris.

Biometric identification is spreading just as rapidly in the physical world. Casinos employ facial recognition to spot known card counters, while banks use voice recognition to verify customers over the phone. The Nymi wristband uses employees’ heartbeats to authenticate them to a corporate network. And hospitals around the country use Imprivata’s PatientSecure, which identifies patients via the unique vein patterns in the palms of their hands.



READ MORE: The scary side of facial recognition


Although biometric identification may be less prone to theft and spoofing than passwords, it’s still vulnerable to hacking. Some facial and iris recognition devices have been fooled by photographs. And last year, researchers at mobile-security firm Vkansee used Play-Doh to collect fingerprints and unlock an iPhone.

While the technology is constantly improving—fingerprint scanners can now detect a pulse, and facial-recognition software can measure depth of field—staying ahead of hackers is “a real game of cat and mouse,” says Adam Powers, technical director of the Fast Identity Online (FIDO) Alliance, which certifies devices that meet its guidelines for the secure storage of biometric data.

“Even if you look for 3D depth or a pulse, people will figure out ways of spoofing that,” Powers says. “But today billions of people still live in the old world of phishing attacks and data breaches. Right now, our biggest problem is how to get rid of passwords.”

Precisely because biometrics are harder to steal and spoof than passwords, they have the capacity, for better or worse, to be used in more powerful ways. The key risk factors, as several experts we spoke with indicate, are how biometrics are collected, stored, and ultimately used.

How they’re collected and stored

When an iPhone scans your fingerprint, it stores the data as a mathematical snapshot (or template) in a secure segment of its memory. When you scan your finger again, it compares the two templates, and unlocks when they match.

“A central repository of biometric data would be a gold mine for hackers.” — Salis Prabhakar, CEO, Delta ID

As long as that data is kept securely on the device, it can’t be used to re-create your fingerprint and spoof your identity, says Powers of the FIDO Alliance, whose members include major banks, identity management firms, and tech giants such as Google and Samsung.

Other devices might cross-check biometric templates against information stored on a remote server to verify your identity. As long as that data is stored in a secure template or in an encrypted format, it can’t easily be deciphered and re-created, says Rob Douglas, chairman and CEO of BioConnect, creator of an identity management platform built on biometrics.

“It’s rare to find an instance outside of the federal government where raw data is stored,” Douglas says, “and in that situation, its primary purpose is for criminal detection.”

Federal agencies, of course, have long collected biometric data for the purposes of background checks. And instead of storing templates, they may store the actual fingerprint images. When the U.S. Office of Personnel Management was hacked in June 2015, the raw fingerprint scans of 5.6 million current or former government employees were stolen.

“A central repository of biometric data would be a gold mine for hackers,” says Salis Prabhakar, CEO of mobile security company Delta ID. “They will go after it.”

Someone who has access to your raw biometric data could use it to access your accounts, steal your identity, or even implicate you in a crime.

“If we move into a society where we’re required to use biometrics to identify ourselves, and that information is compromised, anyone can impersonate us,” says Jennifer Lynch, senior staff attorney for the Electronic Frontier Foundation. “Biometrics are not like a Social Security or credit card number. You can’t change your fingerprints.”

How they’re used

Potentially bigger issues, the EFF says, could stem from using biometric technology such as facial recognition to track people without their knowledge, or to drive criminal investigations or prosecutions.

Only three states—Connecticut, Illinois, and Texas—have instituted laws protecting the privacy of individuals’ biometrics. In December, a tanning salon in Illinois was successfully sued under the state’s Biometric Information Privacy Act for collecting customers’ fingerprints without their written consent. Google, Facebook, Shutterfly, and Snap are also being sued in Illinois for creating “faceprints” to identify people without their permission.

At the federal level, the FBI has been trying to get its database of more than 100 million fingerprints and 45 million facial images exempted from the Privacy Act of 1974, which requires federal agencies to reveal information they collect on American citizens. In November, the Electronic Privacy Information Center sued the agency over its plan to share this data with the Department of Defense.

No biometric measure is 100 percent accurate, even under ideal conditions, says Tim Edgar, a professor in Brown University’s Executive Master in Cybersecurity program. A lapse in accuracy could result in someone being falsely identified—and treated—as a known felon or suspected terrorist.

“It’s one thing to take a picture of a person facing the camera in good lighting, and another to compare it to one taken via a surveillance camera in real-world conditions,” Edgar says. “Or to capture 10 fingerprints in a controlled way, and compare them to one partial fingerprint. The consequences of a false positive can be pretty severe, especially if the agency doesn’t understand the limits of biometric technology.”