Biometrics or a password?

Tony Anscombe asks, which is more secure, the password or biometrics?


When Apple announced that the iPhone would have optional biometric authentication, there were lots of articles about it not being secure. Several years later, there are many devices using biometrics and app developers endorsing it as a simple method to authenticate. Were the critics right?

The last two years have seen major data breaches and identities taken in quantities that we could never have imagined. Even the US Government has fallen victim to losses of data from the Office of Personnel Management (OPM) that included the fingerprints of 14 million people, including former and prospective federal employees who had submitted details for background investigations. The necessity to have a background investigation for this type of employment could imply that you would be exposed to sensitive data as part of your day-to-day duties.

Is my fingerprint secure?

Instinctively, the first response to this would be yes. We have been educated through the media that fingerprints are unique and are a certain method of identifying whether someone was at a location or handled an object. And those among us who have watched futuristic crime programmes on TV will have seen the potential use of fake fingerprints, but it was on TV and probably not possible. Or was it?

In 2014, the Chaos Computer Club replicated the fingerprint of German Defence Minister Ursula von der Leyen. Through high-definition digital photography and specialised software, they recreated a digital print that potentially could be used to fool fingerprint-based biometric security systems.

But to create a print usable on a biometric scanner, someone has to have access to me, hi-res photographs of my fingers and a digitally stored copy of my prints, and then also have access to the device secured with biometrics. When using the standard biometric option on an iPhone or Android device, the print is only stored on the device itself, meaning there is no large database of fingerprints of iPhone users.

The example of the San Bernardino terrorist, which made global headlines, is also a good case in point and clarifies some questions. If the terrorist had used biometrics then the FBI would have been able to access the iPhone that they desperately needed to unlock. By securing the phone with a password/PIN the information was taken to the grave and more complex solutions needed to be found to unlock the device. In this case, the use of a password/PIN secured the device better than biometrics.

Biometrics should be seen as part of a layer in the authentication of a person. Combined with the need for a specific device and something the individual would know, such as a PIN, the risk would be minimised, but on its own, in a scenario of protecting something valuable, it may not be enough.

We leave our prints everywhere: lift buttons, banisters, books and glasses, to name a few. And with everything we touch, we leave an impression of our prints which ultimately could give someone the ability to have the requisite biometric details to replicate a print that could fool a device. But the cost and commitment of doing this to access my phone would be lost when they find no state secrets on the device.

Contributed by Tony Anscombe, senior security evangelist, AVG Technologies