If you use your TouchID or FaceID to access your smartphone or device, you might think that this is an effective way of ensuring that it is only accessible to you. But are biometrics really secure, or are they just as easy to hack as your passcode?
What are biometrics?
Biometrics are measurements of your biological features, most often used to grant or restrict access to physical or digital environments, or in law enforcement to identify and track individuals. For most people, the introduction to biometrics and biometric data has come through facial recognition and fingerprint scanning on their smartphones.
Although the technology had been available on mobile phones previously, fingerprint scanners became synonymous with modern day security after the launch of the iPhone 5s in 2013. Apple named it TouchID, and it was a major selling point for their device.
Biometrics for smartphones progressed quickly from there, with other manufacturers following suit. Although facial recognition had existed on phones previously, Apple shipped a far more robust version, Face ID, on the iPhone X in 2017. Apple has since dropped TouchID from its flagship iPhones in favour of facial recognition (fingerprint sensors remain on some of its other devices), while Samsung and Google continue to include fingerprint scanners on their phones.
Biometrics: the successor to passwords and passcodes
One of the reasons that biometrics were considered more secure than passwords and passcodes is that our fingerprints and face are always with us. With biometrics, we don’t need to remember a unique password every time we want to log in to an account, or create something with numbers, letters, and special characters to keep something secure.
Because remembering a unique series of letters, numbers and symbols to every single account that you have is almost impossible, we often end up choosing one password and repeating it for every account that we have (check out our article here to find out why that is a terrible idea, and how to use a password manager instead).
With biometrics, many users unlock their device, sign in to accounts, and even pay for things with nothing other than their face or their fingerprint. It is worth being clear about what is actually happening, though: the biometric does not replace the password or passcode, it unlocks one that is stored on the device. That still removes the everyday chances for a password to be typed in front of someone, phished or reused, and it stops people defaulting to the same password for everything.
If it's better than a password, that means it's secure, right?
To answer this question, we need to understand how biometrics work on a phone. When you scan your fingerprint or use facial recognition, the sensor captures a sample and compares it with a template that was enrolled and stored on the device itself, inside dedicated protected hardware (Apple calls its version the Secure Enclave). The rest of the phone, and any app asking you to authenticate, only receives a yes or no answer. This is the first reason biometrics are considered more secure: an account password has to be sent to and checked by a remote server, which therefore holds at least a hash of it and exposes it when that server is breached, whereas the biometric template never leaves your device.
This prevents biometrics being stolen in bulk the way password databases are, but it doesn't make them secure against someone with your phone in hand. Two distinct attacks apply. The first is spoofing, or a presentation attack: security researchers have repeatedly shown that a fingerprint lifted from a surface, or a photograph or model of a face, can be good enough to pass the sensor, because a biometric match is a "close enough" comparison rather than an exact one. The second is theft of the template itself, from a poorly protected device or from a service that collected biometric data. Either way the damage is permanent: you can't change your fingerprint the way you'd change a compromised password, so a biometric that has been copied stays copied.
However, these attacks are not the ones the average smartphone user is most exposed to. The demonstrations prove it is possible, but they need physical access to you or your device, specialist equipment, and a lot of time and patience. Typically, the average hacker is likely to have more success phishing a password or simply watching you type your passcode.
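To make the two verification paths above concrete, here is a small Python model written for this article as an added illustration; it is not code from the original post, nor from Apple, Samsung or Google. A password is checked server-side against a salted PBKDF2 hash, while a biometric sample is matched on the device against an enrolled template that never leaves a "secure enclave" object. The 256-bit template, the noisy-scan simulation and the 48-bit threshold are constructed stand-ins for a real fingerprint or iris code, not any vendor's scheme.

```python
import hashlib
import hmac
import os
import random

# Added example (not the article's or any vendor's code). Contrasts a password
# verified against a server-held salted hash with a biometric template matched
# on the device. Template format, noise model and threshold are constructed.

PBKDF2_ROUNDS = 200_000
TEMPLATE_BYTES = 32  # constructed 256-bit template standing in for a fingerprint/iris code


def register_password(password: str) -> dict:
    """Server side: store a random salt and a PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, attempt: str) -> bool:
    """Exact match: one wrong character gives a completely different hash."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def noisy_scan(template: bytes, flipped_bits: int, rng: random.Random) -> bytes:
    """Simulate a fresh scan of the same finger: the template with a few bits flipped."""
    bits = bytearray(template)
    for pos in rng.sample(range(len(template) * 8), flipped_bits):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


class SecureEnclave:
    """On-device matcher: the enrolled template never leaves this object and
    callers receive only a yes/no, which is the pattern the article describes."""

    def __init__(self, template: bytes, max_distance: int):
        self._template = template
        self._max_distance = max_distance

    def verify(self, sample: bytes) -> bool:
        # Threshold match, not equality: a sample "close enough" is accepted.
        # This is also why a spoof only has to get within the threshold.
        return hamming_distance(sample, self._template) <= self._max_distance


def demo() -> dict:
    rng = random.Random(2024)  # fixed seed so the run is repeatable
    enrolled = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))
    enclave = SecureEnclave(enrolled, max_distance=48)  # accept up to 48/256 bits off

    genuine = noisy_scan(enrolled, flipped_bits=20, rng=rng)
    impostor = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))  # ~128 bits differ

    record = register_password("correct horse battery staple")
    return {
        "genuine_accepted": enclave.verify(genuine),
        "impostor_rejected": not enclave.verify(impostor),
        "genuine_distance": hamming_distance(genuine, enrolled),
        # Why a template cannot be stored as a hash like a password: the genuine
        # scan is accepted, yet its hash bears no relation to the template's hash.
        "hash_would_reject_genuine": hashlib.sha256(genuine).digest() != hashlib.sha256(enrolled).digest(),
        "password_ok": verify_password(record, "correct horse battery staple"),
        "password_typo_rejected": not verify_password(record, "correct horse battery stapler"),
        # The article's point about theft: a stolen template replays forever,
        # whereas a leaked password is fixed by registering a new one.
        "stolen_template_replays": enclave.verify(enrolled),
        "rotated_password_invalidates_old": not verify_password(
            register_password("new passphrase"), "correct horse battery staple"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The threshold comparison is the crux: because two scans of the same finger never match bit for bit, the template cannot be salted and hashed the way a password is, so it has to be protected by where it is kept rather than by how it is stored. That is exactly why the matching happens inside dedicated hardware and only a boolean comes out.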
So what’s the best way of securing my accounts and devices?
Ultimately, biometrics are not impervious to attack, any more than passwords and passcodes are. As biometric technology becomes more common, it's likely that effective attacks will become easier to carry out, but your typical hacker isn't quite there yet.
The most effective way of securing an account is to require more than one proof of who you are. Two-factor, or multi-factor, authentication means that every time you sign in you must present two independent pieces of evidence: usually something you know (a password) plus something you have (a code from an authenticator app or a hardware security key) or something you are (a biometric). A stolen password on its own is then not enough. Remember, the aim isn't to find a solution that is 100% secure, because that just isn't possible. Instead, make your logins too much work for hackers to bother with.
Tweet us @TranscenditUK