Over the past decade, technology giants like Microsoft, Google and Apple have been waging an all-out war against the use of passwords with new applications for biometrics.
First came the emergence of fingerprint readers on smartphones, designed to replace PIN codes. Next came Windows Hello, allowing users to log into their computer by simply looking at built-in cameras. Then in 2017, Apple rolled out Face ID, the most sophisticated biometric authentication method for consumer devices to date. All these technologies came to fruition with one goal in mind – killing off our reliance on passwords as a singular method of authentication. While these moves certainly improved usability, we shouldn’t be so quick to assume that a biometric is inherently more secure than a password. That’s why, as a part of WatchGuard’s 2019 Security Predictions, we anticipate that a major attack against biometrics will showcase its weakness as a single authentication factor.
The push towards biometrics as a replacement for passwords is at least grounded in logic. According to Verizon’s 2017 Data Breach Investigations Report, 81 percent of breaches leveraged either stolen or weak passwords. Password re-use still runs rampant and users are often conditioned to meet the bare minimum requirements of corporate password policies. The National Institute of Standards and Technology (NIST) even tried shaking up their password guidelines recently—removing length and complexity requirements in favor of passwords that are easy to remember but hard to guess—in an attempt to combat account takeover attacks. These changes aren’t enough to save password authentication though, thanks to ever-increasing phishing attacks and credential database breaches.
With password security at an all-time low, you might agree that the best move would be to do away with them entirely and use a biometric alone for authentication instead. Microsoft appears to be moving that way, announcing “the end of the password era” at its annual Ignite Conference in 2019, where they released password-less authentication to many of their cloud services. Instead of typing in a password to log in, users just use their fingerprint and the Microsoft Authenticator app to access supported apps. While it’s true that you can’t choose a bad password if you don’t have to choose a password at all, biometric authentication isn’t perfect, which means there’s usually a password saved somewhere to act as a backup. If an attacker compromises that password, they can simply bypass the biometric.
Biometrics aren’t immune to attack either. Back in 2002, a Japanese security researcher was able to achieve 80 percent success fooling biometric authentication using melted gummy candies to replicate lifted fingerprints. While fingerprint reader technology has improved over the last 15 years, it isn’t without fault. Just last year, researchers from New York University and Michigan State University used machine learning to create a fingerprint “master key” with reasonable success in a simulated environment.
Attackers might not even need to use AI to generate valid fingerprints. In 2015, foreign hackers breached the United States Office of Personnel Management (OPM) and made off with troves of data, including 5.6 million sets of fingerprints from US intelligence agents and other government employees. These same hackers likely have access to biometric-spoofing technology more sophisticated than gummy bears as well. Worse yet, consider the fact that you can always change your password after a breach. But, how easy is it for you to change your fingerprints?
Apple’s Face ID is a good example of strong biometric-based authentication for consumer devices. While a Dutch non-profit was able to unlock 38 percent of Android devices using just a portrait photo of the owner, Face ID uses thousands of infrared dots paired with an infrared camera to build a 3D map of the user’s face, thus increasing its efficacy. That said, even Face ID isn’t perfect. It only took a group of Vietnamese hackers a few weeks, a 3D printer, and a few other inexpensive tools to create a mask that fools Face ID.
As you can see, biometrics alone aren’t enough. Just like the passwords they replace, biometrics have their weaknesses. That isn’t to say biometrics are useless, just that they suffer from the same flaws as password-based single-factor authentication. Whether by using a 3D-printed face, creating a set of fake fingerprints, or simply cracking a weak backup password, it’s much easier for an attacker to breach an account that isn’t protected by at least two authentication factors.
Multi-factor authentication (MFA) increases security by pairing two or more different types of factors so that attackers can’t easily breach an account if one factor is stolen. The different factors should include something you are (a biometric), something you know (a password), and/or something you have (your mobile phone, a digital certificate, or a hardware token). MFA used to be out of reach for smaller, less sophisticated organizations because they usually relied on hardware tokens that were expensive, and difficult to deploy and manage. But these days, almost everyone carries a smartphone, meaning cloud-based multi-factor using mobile apps is within reach for any company.
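The difference between a biometric with a saved backup password (either factor is enough, as described above) and real multi-factor authentication (factors from two different categories are both required) comes down to how the login policy combines the verifier results. The following is an added illustration, not code from WatchGuard or any of the vendors mentioned: the factor names, the `Factor` record and the two policy functions are constructed for this example, and each factor's `verified` flag stands in for the result of a real password, biometric or device check.

```python
from dataclasses import dataclass
from enum import Enum


class FactorType(Enum):
    """The three factor categories from the article."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # phone app, certificate, hardware token
    INHERENCE = "something you are"     # fingerprint, face


@dataclass(frozen=True)
class Factor:
    name: str
    kind: FactorType
    verified: bool   # constructed result of the underlying verifier


def fallback_policy(factors):
    """Biometric with a backup password: the account opens if ANY factor
    verifies. Whoever holds the backup password never touches the biometric."""
    return any(f.verified for f in factors)


def mfa_policy(factors, required_categories=2):
    """Real MFA: verified factors must span at least `required_categories`
    DISTINCT categories. Two passwords, or a fingerprint plus a face scan,
    still count as a single category."""
    categories = {f.kind for f in factors if f.verified}
    return len(categories) >= required_categories


# Constructed login attempts. The attacker scenarios mirror the article:
# a compromised backup password, and a spoofed fingerprint.
ATTEMPTS = {
    "stolen_backup_password": [
        Factor("fingerprint", FactorType.INHERENCE, verified=False),
        Factor("backup_password", FactorType.KNOWLEDGE, verified=True),
    ],
    "spoofed_fingerprint": [
        Factor("fingerprint", FactorType.INHERENCE, verified=True),
        Factor("backup_password", FactorType.KNOWLEDGE, verified=False),
    ],
    "two_biometrics_same_category": [
        Factor("fingerprint", FactorType.INHERENCE, verified=True),
        Factor("face", FactorType.INHERENCE, verified=True),
    ],
    "legitimate_user": [
        Factor("fingerprint", FactorType.INHERENCE, verified=True),
        Factor("authenticator_app", FactorType.POSSESSION, verified=True),
    ],
}


def evaluate_attempts():
    """Run every attempt through both policies and return the decisions."""
    return {
        name: {"fallback": fallback_policy(factors), "mfa": mfa_policy(factors)}
        for name, factors in ATTEMPTS.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_attempts().items():
        print(f"{name:32s} fallback={result['fallback']!s:5s} mfa={result['mfa']}")
```

Under the fallback policy every attacker scenario succeeds with a single compromised factor; under the MFA policy only the attempt that verifies two distinct categories is accepted, and two biometrics of the same category are correctly treated as one factor.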
Unfortunately, a preference for convenience and familiarity often outweighs security best practices. As such, we believe that users will continue to rely on biometrics as a single form of authentication, which will result in a major breach leveraging hacked facial recognition or fingerprint scanner technology in 2019. This major biometric hack will illustrate the weakness of single-factor authentication in any form, and hopefully usher in a safer, more secure era of widespread MFA use.
When paired with another factor, like a strong password, biometrics can drastically improve security. That said, one of the most important aspects of information security to remember in 2019 is that biometrics are anything but bulletproof, making them potentially just as risky as passwords when used on their own.
Corey Nachreiner, Chief Technology Officer at WatchGuard Technologies