Are Biometrics Really Safer Than Conventional Passwords?
Biometrics – the method of identifying an individual by their unique physical or behavioral characteristics – is being hotly debated as the more effective means of security next to the conventional password. So which is the better, safer option?
Traditional, preset passwords are notoriously problematic for the obvious reasons; they’re tough to remember, and easily hacked. Websites and companies urge users to regularly change their passwords, and many these days even require elaborate combinations of numbers, capital letters, and odd characters. Users tend to get fed up with this, and most prefer to just default to using the same one over and over again. Many even resort to using the same passwords as millions of others; “123456” and “password” were reported by companies to be among the most popular choices used. These are likely the first to get hacked; but even the more unique and difficult passwords eventually get figured out by determined hackers with good algorithms. Because many people use the same password for almost every application, the person hacking into your email account likely also now has access to your online banking account, your job database, and other highly sensitive applications.
Biometrics seeks to conquer this with identifiers impossible to guess or replicate – fingerprints, selfies, voice recognition and iris scanning are among the most popular options for accomplishing this. Governmental organizations like the FBI and CIA have been scanning irises for years, and it has now made its way into more commercial uses. Banking and credit card companies have begun experimenting with fingerprint, voice and facial recognition for customers to use instead of passwords. Smartphones are already capable of scanning irises, and some will start to employ behavioral (typing pattern) recognition programs for access to their apps.
Fingerprint recognition exploded onto the iPhone scene, and by the end of 2015 it was reported that 650 million people used this biometric to access their smartphones. Some people speculate that this is a ploy for law enforcement agencies to be able to gain access to the fingerprints of everyone – criminals and non-criminals alike. But most users prefer this option to the conventional password; if someone steals a phone in this day and age, they have likely made off with most of your identity as well. With biometrics in place, this worry is greatly alleviated.
But what if biometrics aren’t as secure as they’re made out to be? While it is difficult to fake the identity of a fingerprint or iris, it isn’t impossible to replicate it with technology (as can be seen by the many successful Apple Touch ID hacks performed since 2014). In 2014, he 7-year old son of a computer security and cryptology professor managed to hack into his father’s iphone, proving that it is not a difficult obstacle to overcome by any means.
Along with biometrics not being hack-proof, there are added layers of insecurity to be had. If your identity is stolen using your biology, you may never be able to reclaim it. Additionally, if biometrics databases can be hacked into, then identities can be traded by criminals as easily as baseball cards. Biometrics are a much more powerful tool to use than manual passwords; the fingerprint hack of the federal government’s Human Resources Department in 2015 resulted in the fingerprints of about 5.6 million people being stolen, and deep levels of security were breached in the massive attack.
This leaves many questions about how worthwhile it is to go from conventional passwords to biometrics for security. Conventional passwords, while problematic, can be changed and are anonymous. Biometrics cannot be changed and are full identifiers of their users. Passwords can easily be guessed and duplicated; biometrics are not as easy to guess.
Perhaps the best option is to use both passwords and biometrics in combination. Biometrics, while using our biology, still rely upon technology; technology can always be hacked. While passwords can be guessed, they can also be changed. For now, using the two in conjunction seems like the most reliable way to ensure security in an age where our identities are increasingly insecure.
