Biometric security – nowhere near as secure as you might think. It is better than a bad password, but at least you can fix a bad password; changing your fingerprint or face is a far more expensive process, and one you would only undertake after that biometric has already been compromised. Biometric security on your phone or laptop is really only a convenience measure, and a dangerous one at that.
A photograph of sufficiently high resolution can be used to replicate your fingerprint, enabling access to your device in as little as 30 minutes. This was done with high-resolution photos taken of the German Defence Minister during a press conference in 2014: her fingerprint was replicated using some software and a standard printer, with the ink giving just enough texture to reproduce the print (Digital Trends 2014). On top of the threat of photos with your hands in them, you leave your fingerprints everywhere, and you can’t change them; all it takes is a moment with that glass or door handle you just used to get a sample. Why would you trust them to secure your personal information?
Facial recognition is often even easier to break: many devices only require a photo of the user to pass the scan (Security Today 2019). Other times, with a little more effort, a mannequin to stick the photo onto, and the phone held at the right angle, facial biometric security is still thwarted. Relatives can often unlock each other’s phones using face unlock because they look similar enough to fool the biometric check.
Who Has Your Face and Fingerprints on File?
The worst part is the trust that must be placed in the owners of the database holding your biometric data. In 2019, a security research team found 27.8 million records unprotected on a security company’s server. The server contained usernames, passwords, and biometric information such as fingerprints and facial scans. This time it was a security research team that reported the issue to the company, but a more nefarious group could have exploited that information to generate huge profits (The Guardian 2019).
The Danger of Biometric Security
The fact is, if your fingerprints or face are successfully replicated (which isn’t very hard), anything you have secured with them is compromised, and you’ll need to disable biometrics for everything. This means that if your phone, or even the server holding your data, is compromised once, your biometrics are compromised permanently.
It is strongly recommended that you use a unique password for every account; that way, if one account is compromised, you only have to change the password for that one, and the rest of your accounts stay safe.
Using a fingerprint or facial scan is like securing all your accounts with one unchangeable password – which is a bad idea by all accounts.