Biometrics are key to a passwordless future. They also pose vexing cyber risks

Illustration: Si Weon Kim

Verifying users based on their fingerprints, irises or some other biological measurement could backfire for Big Tech if companies fail to heed cybersecurity threats.

Passwords are passé; biometrics are in. Or they will be, if the likes of Apple, Google and Microsoft have their way. In May, the tech giants pledged support for a biometrics-based authentication system based on FIDO standards, allowing users to sign in to their devices and accounts without a password.

But regardless of how carefully these companies build and roll out biometric authentication, “crime will happen,” said Srikanth L., who works with Cashless Consumer, a consumer awareness initiative around fintech in India. While technology designs now known to be faulty can be avoided, that does not guarantee a crime-free internet merely because easily hacked passwords become a thing of the past, he added.

Biometrics-based verification has been around for years — to unlock devices, manage travelers at airports, facilitate payments, or even access government services. But it is set to go mainstream, bringing with it a new array of cyberthreats. The global market for biometrics systems is expected to touch $83 billion in the next five years, with a concomitant surge in the emerging field of behavioral biometrics. Experts say a rise in biometrics-based crime won’t be far behind.

Such a cybercrime wave could have far-reaching consequences: Unlike traditional passwords, biometrics, once compromised, cannot be changed. “Once it’s lost, it’s lost,” Srikanth told README. Having worked extensively on payment technologies and fraud, including with India’s digital ID initiative Aadhaar, he has seen various breaches, including replay attacks and documentation fraud using gummy fingers. The latter involves impressing fingerprint data on a gel: “You could [then] wear that gel like a glove and [it] basically now becomes your fingerprint,” as Srikanth put it.

Biometric data presents a new threat landscape in cybersecurity, as researchers with cybersecurity firm Intel 471 noted in a blog post earlier this year. “If attackers can obtain biometric data and subsequent access to the information it protects, they could leverage the access and data in an extortion attempt and/or sell the data on underground forums or shops in the form of stolen identities,” they wrote.

Threat actors, Intel 471 researchers added, are becoming increasingly knowledgeable about the value of access to biometric data.

Still better than passwords?

Passwords are inherently flawed, given how difficult they are to remember and how easy they can be for cybercriminals to guess or crack. For years now, security experts have been predicting their demise. “Despite industry-wide efforts to reinforce this method of authentication…the fact that remains is that creating good passwords — and safeguarding them — is as difficult as rocket science,” a representative of the energy firm ConocoPhillips told CSO Online in 2016.

Biometrics are not the only basis for passwordless systems. Other technologies — such as one-time codes, cryptographic keys, and hardware keys — also exist. But in a human context, using biometric data for verification makes sense: Biometric identifiers are unique and unchangeable characteristics, and are always “available” on the user.

The immutable nature of biometrics does carry downsides. A recent TikTok trend saw over 700,000 users sharing close-ups of their eyes, potentially compromising their biometric identifiers. Other fads, like a viral Facebook challenge to post selfies taken ten years apart, put facial identifiers at risk and may double as stealthy data-mining operations.

Tech industry leaders, however, see the use of biometric data as an essential component of a layered approach to authentication and fraud prevention. In a blog post, Simon Marchand, chief fraud prevention officer at the technology company Nuance, wrote, “By authenticating people based on who they are, rather than what they know or something they have, organizations can protect against fraud in any channel, regardless of new tactics fraudsters might use.”

As the use of biometric authentication expands, there is also increasing academic and industry interest in the concept of cancelable biometrics. “[This] essentially uses a portion of your biometrics plus some other salt, to ensure that the authenticating factor is not solely the biometrics, but [also] certain other encryption,” said Srikanth. In the event of a breach, one could cancel the compromised biometric template and register anew with new encryption.
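As an added illustration (not from the article or from Cashless Consumer), here is a toy BioHashing-style transform that demonstrates the cancelable-biometrics idea Srikanth describes: a revocable token plays the role of the salt, and the feature vectors are constructed stand-ins for extracted fingerprint features. It shows that a noisy re-capture still matches, a different finger does not, and that after a breach the same finger can be re-enrolled under a new token so the leaked template becomes useless.

```python
import hashlib
import random

FEATURE_DIM = 16   # length of the (constructed) fingerprint feature vector
N_BITS = 64        # length of the protected, cancelable template
THRESHOLD = 12     # max Hamming distance (bits) still accepted as the same finger

def _projection(token: bytes) -> list:
    """Derive a random projection matrix deterministically from the user's revocable token.
    A new token yields a statistically independent matrix, which is what makes revocation work."""
    seed = int.from_bytes(hashlib.sha256(token).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)] for _ in range(N_BITS)]

def protect(features: list, token: bytes) -> list:
    """BioHashing-style cancelable template: project the features with the token-derived
    matrix and keep only the sign of each projection. Raw features are never stored."""
    rows = _projection(token)
    return [int(sum(r * f for r, f in zip(row, features)) > 0.0) for row in rows]

def hamming(a: list, b: list) -> int:
    return sum(x != y for x, y in zip(a, b))

def matches(template: list, features: list, token: bytes) -> bool:
    """Verify a fresh capture: recompute the template under the same token and compare bitwise.
    Small sensor noise flips only a few bits; a different finger or token flips about half."""
    return hamming(template, protect(features, token)) <= THRESHOLD

# Constructed sample data standing in for real feature extraction.
_rng = random.Random(2022)
ENROLLED = [_rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]   # finger at enrollment
PROBE = [f + _rng.gauss(0.0, 0.05) for f in ENROLLED]           # same finger, noisy re-capture
IMPOSTOR = [_rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]   # a different finger

def demo() -> dict:
    token_v1 = b"user42/token-v1"   # hypothetical revocable token stored with the template
    template_v1 = protect(ENROLLED, token_v1)
    genuine = matches(template_v1, PROBE, token_v1)       # True: same finger, same token
    impostor = matches(template_v1, IMPOSTOR, token_v1)   # False: different finger
    # Breach: template_v1 leaks. Revoke token_v1 and re-enroll the same finger under a new token.
    token_v2 = b"user42/token-v2"
    template_v2 = protect(ENROLLED, token_v2)
    return {
        "genuine_accepted": genuine,
        "impostor_rejected": not impostor,
        "old_template_still_valid": hamming(template_v1, template_v2) <= THRESHOLD,  # False
        "old_new_distance": hamming(template_v1, template_v2),  # about N_BITS / 2
    }

if __name__ == "__main__":
    print(demo())
```

Real systems add error-correcting codes or fuzzy extractors on top of such a transform; this toy version only tolerates the small noise shown.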

Despite the promise of a passwordless future being more secure and intuitive than other alternatives, experts still call for caution, especially in the absence of strong legislation about the collection, usage and storage of biometric data. “You need to have liability provisioning put in place that will drive investment in security,” said Srikanth.

In 2020, Gartner forecast that 65% of the world’s population will have their personal data covered under modern privacy regulations by 2023. As that date inches closer, there is precious little legal provisioning exclusively for biometric data around the world. In the U.S., while 20 states have safeguards against the collection and sale of biometric data without consent, there is no federal law yet. There are signs of progress on federal data privacy and cybersecurity legislation as Congress debates the American Data Privacy and Protection Act, which cropped up in June and is winning early bipartisan support. In the EU and U.K., the GDPR/UK GDPR safeguards only protect the identity of the individual.

Things could change, however, depending on the outcome of ongoing lawsuits in the U.S. against Amazon for allegedly mishandling users’ biometric data. If Amazon is held liable, it might spur privacy-oriented lawmakers to follow up with legislation on collecting, using and storing sensitive information, including biometrics.