Is Biometric Verification Secure?

Waleed C | May 14th 2019

image of a fingerprint scanner on a phone

Phones like the one pictured above now offer you the capability to authenticate with just a fingerprint.

Is biometric verification really secure?

Many smartphones now have biometric verification capabilities. Whether that is a fingerprint scanner, an iris scanner, a retina scanner, facial recognition, or voice recognition, we are increasingly being given the option of a convenient and secure way to gain access to our devices.

The difference between this method of verification and passcodes, patterns, or passwords is that you now verify yourself by who you are rather than what you know.

It is possible for other people to learn your passcodes, patterns or passwords by looking over your shoulder, by learning of a reused PIN or password, or by guessing. Someone can’t ‘learn’ or ‘guess’ your fingerprint, so biometrics seems like it would be much more secure. After all, using you to verify that it’s you accessing your device sounds like a foolproof idea.

However, biometric verification may not be as secure as you think.

Your fingerprints are everywhere.

You wouldn’t leave your phone’s passcode written down on a piece of paper lying around waiting for someone to steal, would you? Well, when you use a fingerprint instead of a passcode, you are essentially doing just that. It has been demonstrated that an iPhone can be unlocked with an image of a fingerprint lifted from a surface you have touched (like your phone). There is also the potential for someone to use your finger to unlock your phone while you are asleep.

A compromise means no re-use of your biometric data for verification, ever.

When your biometric information exists in a database, it can be permanently compromised. If a password you use on only one account is compromised, you can change that password and get rid of it forever. If a database with iris, retina, or fingerprint patterns is stolen, that data is forever compromised because you can’t change your irises, retinas, or fingerprints. However, this can be mitigated if the stored data is encrypted.

Potential for look-alikes.

The chances might be slim on this one, but it is possible for an imposter to authenticate to your device just because they have similar fingerprints, a similar face, or similar patterns in their eyes. Though the false acceptance rates are very low for biometric verification, they are not zero. However, with greater advances in technology, false acceptance rates should decrease even more.

Photographs or videos.

With a high-quality image, it is possible to authenticate to iris scanners and facial recognition systems, and even to fool fingerprint scanners. This is another area where less sophisticated or older technology will be more susceptible, and as technologies improve, this risk will hopefully decrease.

No authentication or verification method is 100% secure, and cyber criminals are continuously developing new ways to steal information online. However, the technology of biometric verification is constantly being updated, which will hopefully make these systems harder and harder to trick. Unless you are a target for particularly sophisticated attackers, I would still recommend using biometric verification. If you can use it in conjunction with a passcode, that’s even better.

