Biometrics offer an alternative kind of security, but at a cost
Apple recently released its new iPhone, the 5s, which is one of the first widespread consumer devices to use biometrics as a primary security feature. Users can unlock the phone, as well as pay for apps and media, using their fingerprints.
It is a smart security move, especially since many users don’t even use a PIN on their phone. However, it does have some privacy implications users should consider. The fingerprints are supposedly encrypted and stored locally, and the phone is not supposed to send them to any other servers. On the other hand, with the recent NSA leaks, many are cautious about letting a device record their fingerprints.
There are both pros and cons for using fingerprints and other biometrics for security. Fingerprints are especially good as an authentication factor in multi-part verification. Alone, however, they don’t offer much more security than a password (especially in the case of the iPhone, which can still be unlocked with the password).
Fingerprints are by no means a password replacement. Even as hardware costs come down and as fingerprint scanning technology becomes more accurate and commonplace, there will still be many cases where passwords and accounts using other forms of authentication will provide stronger security.
In short, using fingerprints in addition to passwords makes for a more secure system. However, substituting fingerprints for passwords does not offer any additional protection.
Passwords can be weak or strong, but most fingerprints will have the same level of complexity. Spoofing a fingerprint sensor is challenging, but getting access to someone’s fingerprint isn’t. Someone could get your fingerprint just by quietly borrowing your mug after you finish your morning cup of coffee. You leave your fingerprints everywhere.
With the annoyance of remembering and managing the passwords to the many accounts we deal with each day, many are on the lookout for a solution that replaces that hassle. However, despite the risks weak passwords introduce, and the annoyance of keeping them complex enough to prevent them from being hacked, passwords will continue to be a vital part of any security system for the foreseeable future.
In the battle of fingerprints vs. passwords, fingerprints win in several categories by being:
- usable without needing to remember anything
- impossible to share
- difficult to use without consent
- not susceptible to weak password practices
On the other hand, passwords beat out fingerprints by being:
- safe from false positives
- easy to change
- easy to enroll accounts
- cheap to start (especially for systems with many user accounts)
- compatible with any device without specialized hardware
- a mature and proven security technology
- safe to store with third parties
- anonymous
- useful for users with multiple accounts
Fingerprints are nowhere near ready to replace passwords. Nor should we want them to be. That is because, despite their weaknesses, passwords also have their strengths. Fingerprints have advantages in certain areas, but passwords win out in others. Which is better greatly depends on the situation. Neither method alone is better.
However, when you use a password with a second factor of authentication, there is a significant jump in the level of security. Multi-factor authentication requires users to present two of the following: something they know, something they have, and something they are. Passwords are in the ‘something they know’ category. Biometrics such as fingerprints fall into the ‘something they are’ category.
If you’re looking for a better way to manage password resets on your mainframe, or need the added security of multi-factor authentication, check out ReACT by ASPG, Inc.