Originally posted April 24, 2015
A few weeks ago, our weekly Dashlane Tech Check featured a brand-new discovery: “Lip Motion Passwords” could be the future of biometric authentication. Lip Motion Passwords authenticate a person by using the unique motion of their lips as they say a particular word or phrase. Unlike your fingerprint or iris scanners, however, lip motion passwords are changeable–meaning you can record a new lip movement or reset the word or phrase needed to access an account.
Although you won’t see lip motion passwords on your phone or desktop devices anytime soon, it does answer a major issue with biometric authentication technology. Here are 10 reasons why biometric authentication won’t kill off passwords anytime soon:
- You can’t change your biometric password.
- You can change and steal fingerprints.
- Biometrics can’t be share.
- Voice biometrics is also fallible.
- Biometrics don’t preserve your anonymity.
- Your thumbprints are hackable.
- Iris scans can also be hacked.
- Authentication accuracy can be affected by your environment.
- Your body could become a hacker’s next target.
- Multi-factor authentication is your best defense.
You can’t change your biometric password
Biometric authentication can be hacked as with any other form of authentication. But unlike passwords, biometric data that has been stolen cannot be changed: you cannot replace your stolen fingerprints with a new set, nor can you replace a finger you might lose in an accident. Once the hackers have the key, they’re in.
But you can change your fingerprints
In 2009, 27-year-old Chinese national Lin Ring paid doctors almost £10,000 to change her fingerprints so that she could bypass the biometric sensors used in Japan’s airports by immigration authorities. Chinese surgeons swapped the fingerprints from her right and left hands. It worked, and she was successfully admitted. Biometric fraud is alive and well.
You can’t share your biometrics
Biometrics authentication has other major limitations: it cannot be shared and cannot be made anonymous. Sharing login data, or using them anonymously is something more and more internet users do, whether for business or in their personal lives. Only a password management system can securely allow shared access for multiple individuals.
You can lose your voice
Banking is one example of a sector increasingly turning to voice biometrics (also called Interactive Voice Response, or IVR). Customers telephoning the bank either recite a passphrase or enter into a 30-second conversation with the operator which analyses their natural speech pattern and verifies it against a stored file. Barclays reported 95% accuracy. But that’s still a lot of customers relying on passwords or other “traditional” verification methods. And what if you’re under the weather and lose your voice…?
Your anonymity is gone
Passwords preserve anonymity – you’re not identifying who you are, simply authenticating access. When you start to remove this anonymity, it throws up all sorts of privacy issues. Where different passwords are used for authenticating access to different sites, and could, therefore, be anyone accessing the sites, biometrics place a specific individual at the point of access. And once hackers know it’s you, they could start to build a profile of everywhere you go, everything you do and even where all your key information is stored.
Thumbprints aren’t as secure as you might think
Thumbprints aren’t very secure. In Germany, hackers from the Chaos Computer Club lifted the fingerprint of the country’s chief of police and interior minister, Wolfgang Schäuble, from a glass of water he’d left behind after a speech. Successfully copying it, they reproduced it 4,000 times in a plastic mold and then distributed it in their magazine urging readers to impersonate the minister. More recently, the same club hacked prints using high-resolution photography. Other hackers have also successfully hacked fingerprints using nothing more than Play-Doh.
And neither are your irises
Jan Krissler, again from Chaos Computer Club, has used both high-resolution photography and even Google Images to hack iris scanners. “I did tests with different people and can say that an iris image with a diameter down to 75 pixels worked on our tests,” he told Forbes. The printout required a resolution of 1200 dots per inch (dpi), and at least 75 per cent of the iris to be visible. On Google Images, he found suitable images for iris hacking that included Russian president Vladimir Putin, UK Prime Minister David Cameron, US president Barack Obama and 2016 presidential candidate, Hillary Clinton.
The environment can play tricks
Even your own environment can conspire against accurate biometric access. During one test by a manufacturer, a hand geometry system under review at Sandia National Labs in New Mexico in the US showed only a small error rate of 0.2%. When the same tests were run at nearby Kirtland Air Force Base, the error rate sky-rocketed to 20 percent, purely as a result of a different environment and different group of people being tested. You can read more about the research here.
You become the target
Consider PayPal and its headline-grabbing work on a new generation of embeddable, injectable and ingestible devices to replace passwords. This “natural body identification” may mean that hackers no longer have to hack a system; they just need your actual body. “Brute force attacks” could take on a whole new, sinister meaning…
Because multi-factor authentication will always win
All of the above is not to say that biometric authentication cannot be useful. As an additional layer of authentication, biometric authorization can provide another useful layer of security, particularly when using services which are especially sensitive like our bank accounts. However, for the foreseeable future at least, the use of strong passwords should continue to be the main foundation to build up a strong defense against online breaches.