Can biometric authentication be trusted?

In recent years biometric authentication has become very popular, especially on mobile devices. Companies generally sell it as an advanced feature that improves security. However, many question this claim and continue to defend traditional passwords, even while acknowledging their drawbacks.

Biometric authentication sounds cool and modern, like advanced technology that improves security while making life easier, but the reality is that, at least in the consumer sector, it carries enormous drawbacks that in the end leave the user even more exposed than if they used a password.

The main drawback is that the “password” is the user themselves, be it their iris, their face or their fingerprint. This means that biometric authentication is based on data that is exposed to the public and that, to top it off, cannot be changed unless one undergoes plastic surgery or is the victim of some misfortune that greatly changes their physiognomy. The only alternative is to wear gloves, a balaclava and sunglasses at all times except when going through the biometric authentication method, which sounds pretty absurd.

The whole issue of the user being their own password gets worse if we take into account the enormous popularity enjoyed by social networks and platforms such as YouTube and Twitch. Currently, tens of millions of people expose parts of their lives on the Internet by showing their faces. If we add to this the improvement in the quality of photographs both on devices and on social media platforms, we have as a result a huge data farm that is surely being exploited by malicious actors.

In short, biometric authentication is far from the panacea it appears to be, so here are two of its drawbacks and two tips to really tighten up online account security.

You leave your password printed on the mobile device

We start with the most obvious, and that is the use of the fingerprint as a means of biometric authentication. This method has been quite popular for years, but its use in terms of security is a very bad idea, so much so that it is on the same level as using ‘12345’ as a password.

Fingerprints are a widely used means of uniquely identifying a person, since, at least in principle, only twins should have two identical ones (and possibly not even that if they have lived through very different circumstances). Leaving fingerprints is the easiest thing in the world due to how our body works, so they are present on the mobile device used by the user.

The consequence of using the fingerprint as a means of authentication is that it is only necessary to steal the mobile device to access it, while a traditional password would require at least a brute-force tool (trying passwords one by one until the correct one is found) if the malicious actors do not already know it.

As if leaving the fingerprint printed on the device were not enough, we can add the high quality of the photographs that one finds on the Internet. A photo that exposes palm details could leave the door open for malicious actors to replicate the fingerprint.

As we can see, using the fingerprint as a means of security may sound very modern, but it is a terrible idea that makes things far too easy for malicious actors and other organizations dedicated to cyber espionage and cyber surveillance.

Because the fingerprint is a piece of data that is excessively exposed, some companies have opted to use the blood vessels instead of the outside of the hand. This method offers more security by relying on data that, at least in principle, is not easily exposed to the billions of cameras and surfaces in the world. However, it is important to note that the use of blood vessels is not perfect, although impersonating them is considerably more difficult.

Your face is everywhere

Facial recognition is another biometric authentication method that has become very popular in recent times, but whose use, from certain perspectives, could be even more inadvisable than fingerprints.

We live in an age where the obsession with security has ended up raising issues around anonymity and data collection. Apart from the aforementioned social networks and video platforms, there is also the large number of cameras placed in shops and many public places with the purpose of easily identifying thieves and other criminals, but which end up being a means of identifying anyone who passes in front of them.

Although companies strive to make it difficult to fool the authentication system, the reality is that it is not impossible to do. On the other hand, if one wants to be really protected from malicious actors, it is sensible to assume that they are always two steps ahead, especially since these malicious actors do not have to fit the profile of the typical bad guy in a Hollywood movie, but are probably a company with considerable means.

Unless you live in a place that is completely removed from cities and towns and never visit them, your face is most likely registered or at least recorded somewhere, so if you use it as a means of authentication, it is highly likely that someone else has that “password”.

Better use multi-factor authentication

Apart from the fact that it would be better to avoid the current biometric authentication methods because they rely on public data, one thing that the user should do is use some form of multi-factor authentication.

As we said at the beginning, passwords are not an infallible or particularly secure method, but for many they are more secure than biometric authentication methods. Because perfect security does not exist, the user should stack layers of security and protection to minimize the chances of a malicious actor or third party getting hold of their credentials and data.

Multi-factor authentication makes it possible to reinforce the security of online accounts. However, it is important not to base it on SMS and telephone calls, as these are insecure channels. Instead, it is recommended to use an application and/or security keys such as YubiKey.

Use disk or file encryption and have a kill button at hand

Laptops, tablets and mobile phones are devices that have a high probability of ending up lost or stolen. Biometric authentication methods are a temptation to steal a device and see whether the device itself holds data that helps to unlock it, whether by looking for fingerprints or for photographs to impersonate the face.

In the face of theft it would be advisable to employ disk encryption or at least data encryption. On Android, full disk encryption is only fully supported in versions 9 and earlier of the operating system, while 10 and later use file-based encryption, which allows different files to be encrypted with different keys that can be unlocked independently.

For its part, iOS uses a file encryption methodology called Data Protection, while Mac computers with Intel can be protected with a volume encryption technology called FileVault and those equipped with Apple Silicon use a hybrid model.

Windows users have BitLocker as their data encryption technology, while Linux users often rely on LUKS, which requires a password at system startup to access encrypted partitions.

Apart from employing disk encryption, it would be advisable to enable, if the system supports it, a kill button that makes it possible to “destroy” the device and at least neutralize the data in case the device is stolen or ends up lost.

Conclusion

As we can see, it is important to proceed with great caution when using biometric authentication methods. It might even be more advisable to avoid them altogether, given the data on which they are based and how easy it is to obtain.

Of course, the fact that biometric authentication methods are not trusted does not make passwords a panacea against the security and privacy problems that the user faces when protecting their credentials, so the best, or rather, the least bad thing is to rely on a multi-factor authentication mechanism.