The use of fingerprint scanners and facial recognition in consumer electronics is increasing at a rapid rate, and holds the promise of easy identity verification for device access and digital payments.

However, one senior cybersecurity researcher warns that relying solely on such technologies is fraught with danger.

Nick FitzGerald, a senior research fellow at cybersecurity company ESET, said that despite the convenience that biometrics can provide, there are a number of dangers to the technology.

“The concern is a lot of the talk I see about adopting biometrics instead of passwords for online banking or for purchases, for example, is at best simplistic, because passwords, for all their faults, still have one very useful feature: If you know that someone’s account has been compromised, you can easily cancel their password, whereas if the only way your system works is with an image of the user’s face or a scan of their finger, it’s much more difficult to ‘cancel’ those forms of identification, because the users are stuck with them,” FitzGerald told IoT Hub.

“If you have a system that only used fingerprints, for example, you’re only limited to the number of fingers a user has to reset access, and if it’s facial recognition, you may find yourself in a situation where you can’t reset the user’s credentials at all.”

Biometric security still useful in certain scenarios

FitzGerald was quick to point out that this complication is specific to user-owned devices and does not necessarily apply to other uses of biometric security.

“In immigration and passport control at an airport, for example, where the devices are owned and run by the immigration authority through some contractor hired by the government, the ability to perpetrate fraud by compromising the device has a much higher level of complexity,” he explained.

“Also, the people who are presenting themselves to the devices are under observation by other people, namely immigration officers, the police and other parties.

“Therefore, the ability for the people using those identifications to identify and ‘authenticate’ themselves is much different, and orders of magnitude more difficult to fake.”

FitzGerald said that the problem for vendors or banks that rely on the biometric security measures provided on user devices is one of trust: whether the hardware and software that claim to verify a user’s identity truly reflect what is occurring in the real world.

“At the moment, the answer to whether or not that verification can occur is no, and since the onset of online banking, that issue has essentially been ignored, or has been assumed as a smaller risk, therefore leading to a smaller cost or loss when compared to the added convenience that these technologies provide,” he added.

“These problems don’t go away just because you change the way you identify your customers. If you relied on facial recognition software on your device, for example, a sufficiently clever adversary could reverse engineer the application such that to outward appearances the transaction is valid, but the bad guys end up with the money.”
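The two points FitzGerald makes above, that a biometric cannot be cancelled the way a password can, and that a bank cannot simply trust a phone’s claim that the on-device check passed, come down to one design question: what exactly does the server verify? The following toy model is an added example for this article, not code from ESET or from any bank. It contrasts a naive service that accepts the app’s own verdict with a service that binds each transaction to a server-issued challenge answered with a per-device secret provisioned at enrolment. The enrolment and challenge scheme, the device and bank names, and the HMAC construction are all hypothetical illustrations; the point is that the revocable object is the device secret, not the user’s finger.

```python
# Added example: client-asserted biometric verdict vs. a challenge bound to a
# revocable per-device secret.  Constructed scenario, not the article's code.
from __future__ import annotations

import hashlib
import hmac
import secrets


class NaiveBank:
    """Accepts any request whose body says the biometric check succeeded.

    A reverse-engineered app can set this flag without touching a sensor,
    which is the failure mode the article describes."""

    def authorize(self, request: dict) -> bool:
        return bool(request.get("biometric_ok"))


def _tag(secret: bytes, nonce: str, amount: int) -> bytes:
    """HMAC over the challenge and the transaction it authorises."""
    return hmac.new(secret, f"{nonce}|{amount}".encode(), hashlib.sha256).digest()


class BoundBank:
    """Trusts only proof of possession of a device secret it issued itself."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}  # device_id -> enrolment secret
        self._pending: dict[str, str] = {}    # device_id -> outstanding nonce

    def enroll(self, device_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._secrets[device_id] = secret
        return secret

    def challenge(self, device_id: str) -> str | None:
        if device_id not in self._secrets:
            return None  # unknown or revoked device: nothing to challenge
        nonce = secrets.token_hex(16)
        self._pending[device_id] = nonce
        return nonce

    def authorize(self, device_id: str, amount: int, tag: bytes | None) -> bool:
        secret = self._secrets.get(device_id)
        nonce = self._pending.pop(device_id, None)  # single use: no replay
        if secret is None or nonce is None or tag is None:
            return False
        return hmac.compare_digest(_tag(secret, nonce, amount), tag)

    def revoke(self, device_id: str) -> None:
        """Cancel the device secret; the user's biometrics are untouched."""
        self._secrets.pop(device_id, None)
        self._pending.pop(device_id, None)


class Device:
    """Client side: the local biometric match only gates use of the secret."""

    def __init__(self, secret: bytes, biometric_match: bool) -> None:
        self._secret = secret
        self._biometric_match = biometric_match

    def sign(self, nonce: str, amount: int) -> bytes | None:
        if not self._biometric_match:
            return None
        return _tag(self._secret, nonce, amount)


def demo() -> dict[str, bool]:
    """Runs each scenario; True means the transfer was approved."""
    results: dict[str, bool] = {}

    # 1. Naive design: a tampered app simply asserts success.
    results["naive_accepts_forged_flag"] = NaiveBank().authorize({"biometric_ok": True})

    bank = BoundBank()
    genuine = Device(bank.enroll("phone-1"), biometric_match=True)

    # 2. Genuine device answers a fresh challenge.
    nonce = bank.challenge("phone-1")
    tag = genuine.sign(nonce, 100)
    results["bound_accepts_genuine"] = bank.authorize("phone-1", 100, tag)

    # 3. Replaying the same tag fails: the nonce was consumed.
    results["bound_rejects_replay"] = bank.authorize("phone-1", 100, tag)

    # 4. A tampered app without the secret cannot produce a valid tag.
    nonce = bank.challenge("phone-1")
    forged = Device(b"guessed-secret", biometric_match=True).sign(nonce, 100)
    results["bound_rejects_forged_tag"] = bank.authorize("phone-1", 100, forged)

    # 5. A tag for one amount does not authorise a different amount.
    nonce = bank.challenge("phone-1")
    tag = genuine.sign(nonce, 100)
    results["bound_rejects_changed_amount"] = bank.authorize("phone-1", 5000, tag)

    # 6. After revocation the device cannot even obtain a challenge.
    bank.revoke("phone-1")
    results["revoked_device_gets_challenge"] = bank.challenge("phone-1") is not None
    return results


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:32s} {approved}")
```

The model deliberately leaves the secret as plain bytes in the `Device` object; on a real handset it would sit in a hardware-backed keystore so that a compromised app cannot read it, which is where the “can we trust the device” question the article raises remains open. What the design does change is the recovery story: if a device is suspected compromised, the bank deletes one secret and re-enrols, instead of asking the customer for another finger.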

Does the fault lie with the device manufacturers?

Device manufacturers have for a number of years used biometric security as a selling point for their devices, but FitzGerald doesn’t necessarily place the blame solely with them for consumers’ increasing reliance on the technology.

“Up until the rise of online banking, there really wasn’t that much that people did online that was worth very much money, and that incentivised the bad guys to circumvent what was going on,” he explained.

“But as more of what we do has moved to online activities, and the real-world value of what we do has been encapsulated in desktop, to laptop and now to handheld device, that has really just been a shift in usage patterns.

“I don’t see device manufacturers as being any more culpable than they were in the beginning.”

Raising awareness among consumers

FitzGerald said that the best way to ensure digital security is not to rely on one particular technology or another, but for consumers to be more aware of the trust they place in their personal devices and to understand the security risks that they pose.

“The solution to the ‘can we trust the device’ problem is to have a device that you can trust and that means you either don’t use those types of portable devices at all, or you’re very careful in the way you use them,” he said.

“For example, I do my online banking on my personal devices because I’m confident that I can keep them secure, and I won’t use devices that I’m not personally responsible for maintaining, because I can’t trust them.

“Unfortunately, most people aren’t capable of maintaining that level of security or aren’t interested in doing so.”