Top

Is biometrics more secure than passwords?

For more than 100 years, trained fingerprint experts manually performed this task by lifting them from the scene of a crime.

When I show up at my office at Alandur for work, I am required to flash my ID badge to the ID reader to gain access into my office. Likewise, when I open up my laptop, I need a login to log into my computer, and a PIN at the ATM to retrieve my cash. Similarly, when I get to the airport, I need an ID to board a flight.

But the human mind is fallible, we may at times forget the login password, or the PIN for the ATM or we may leave behind our ID. If not, somebody might hack our password, steal our ID badge or sniff our credit card as it happened to Jason Bateman in the 2013 comedy film Identity Thief directed by Seth Gordon. Under such circumstances, how does one retrieve, secure and protect one’s data, and one’s assets, and one’s identity? The simple answer could be biometrics.

When we contrast biometrics with conventional forms of identification where we are required to carry something such as an ID, driving licence or passport or remember something, such as the password or PIN, biometrics is extremely convenient as it is something which is always a part of us or we have on us, and something we would never have to worry about forgetting. Biometrics is us.

Biometrics is a signature of physical features or biological attributes, the most common being the fingerprints which police have used for more than 125 years to identify criminals. For more than 100 years, trained fingerprint experts manually performed this task by lifting them from the scene of a crime. Today, with rapid developments in computers and sensor technology, people have started to move away from inconvenient and insecure passwords to technology-based biometrics, which has become incredibly cheap, convenient and comfortable.

Technology-based biometric systems measure attributes such as ridges on the human fingers or the distance between features on the face or the wavelength and the frequency of one’s voice. By rendering them into zeros and ones, it enables the image or data to be contrasted or matched against a database of hundreds of millions of biometric details of others in a few seconds. Growing capabilities and falling costs of such technology, has led to a fast-paced proliferation of biometrics with a prediction of 3.2 billion users by 2020, primarily due to the belief that biometrics are more secure than passwords.

Biometrics is everywhere today. In Chennai, the city where I live, I have to scan my fingers to gain entry into the gym where I am a member or when I go to dine at the local club where I am a member or to unlock my iPad. Numerous offices. both Government and Corporate, use biometrics for attendance as well as identification. If so, do you think that it’s a good idea for your gym or your club or your hospital or your apartment building associations to be the owner of your biometric details? Mainly, when they have entirely no expertise whatsoever when it comes to protecting and safeguarding your biometric data.

Passwords are not things; they are one’s intangible personal knowledge. They can be memorised or stored in password managers. They are inconvenient as it is difficult to remember a password which you had devised a year ago. It also means that they are hard to compromise. The same can’t be said for biometrics. Biometrics like face, fingerprints etc. can be obtained by taking a picture or picking it up online or from any surface. Prints can be lifted from a beer can, or from the table one just touched or the glass from which a person sipped his water or the door which was pushed open by him.

If so, is biometrics safe? On the surface, biometric authentication sounds like the perfect security solution. After all, you are the only person with your unique fingerprints and DNA. But it turns out that biometrics is not as safe. As was made evident by a report from National Research Council which concluded that biometrics is intrinsically defective because the system isn’t recognising your fingerprints directly, but instead it only recognises the digital version of your prints which can be stolen like a password.

For a tenacious and brave criminal, it’s easier to commit theft of a fingerprint than a password, as it’s conspicuous on our body at all times, and we give it away every time we touch an object or a surface. Once an image of the print is available, it’s easy to make a model. Today, 3D printers have become common, and few experts have a figured out a way to fool the fingerprint scanners.

That’s not to say that biometric authentication is unreliable, it can be reliable if another form of authentication accompanies it. Risks apart, both the government and private sector are in a hurry to create a database of biometrics, either with or without our permission to use the data either for us or against us.

India is being watched for having created the world’s largest government biometric database called Aadhaar. The Aadhaar database had collected fingerprints, iris scans, and photos of more than a billion Indians and uploaded the details to a national database. It has provided a unique 12-digit national ID number to every subscriber in exchange.

The Indian government believes that biometrics could be the answer to improve delivery of government services to the population. But human rights activists in India and abroad fear that the data could be hacked or misused even when India’s government is counting on high-tech encryption, multi-layered authentication, and 13-feet high walls to protect the world’s largest biometric database.

Allaying the misgivings of the activists, the Supreme Court of India, in September 2018, ruled that Aadhaar does not violate privacy rights although the panel of five judges decided to place a few restrictions.

While a national government biometrics database could be a useful tool in catching criminals and terrorists, it is not without its privacy and security risks, as the government of Israel discovered in 2011. In the Israeli case, then the country’s primary national biometric database containing the name, birth date, national identification number, and details of next of kin of nine million Israelis - living and dead - was stolen entirely. The stolen database also contained information on the birth parents of several hundred thousands of adopted Israelis as well as detailed health information on citizens.

More troublingly, after the data was stolen, the database in its entirety was uploaded to the Internet where deluges of confidential details on Israeli citizens became freely downloadable. Investigations conducted into this episode revealed that an inside job had stolen the database, by a white-collar criminal, not by any hostile intelligence service or an enemy hacker.

Going by this incident, the claim of any government biometric database that its data would never be compromised is inherently absurd. Can any government claim that its national disaster management program is foolproof enough to prevent disasters from happening? What is also not preventable is the misapplication of data for state surveillance and targeted intimidation. How can anybody who has submitted his biometric data be confident that the government will never become totalitarian or anti-democratic?

Biometrics may offer many advantages. We may forget our passwords, but we will always have our fingerprints on us. Though biometrics can solve some problems, they have the potential of creating more severe problems. Today, if we become affected by identity theft, or if our password of Facebook or Twitter or bank account is hacked we can reset our password, but if our biometrics is stolen, there is no reset. Fingerprints being permanent identification markers, once stolen or hacked they go out of our control forever.

Our biometric details which are available with our gyms, clubs, mobile phone companies are extremely vulnerable to theft and hacking. They can be hacked or stolen effortlessly. If the future of identity is all about biometrics, then the future of identity theft would imply compromising our biometrics through hacking and theft of our biometrics. Hackers and scammers are already busy devising methods to hoodwink the existing biometric systems. Biometrics is convenient, but they are not more secure than the passwords.

Finally, Biometrics is related to the human body while spirit or consciousness is eternal. Biometrics has now discovered an application to measure consciousness at Sofia University in Silicon Valley. With biometrics, it has become possible to quantify states of awakening and provide persistent inner peace.
Similarly, Danielle Roberts at her Meditation Lab in the USA has been investigating if spirituality can be measured and if technology and meditation can be used to increase a feeling of connection with ourselves, the world and each other. To achieve this, she has developed a Silence Suit: a wearable that measures one’s biometric data while meditating.

Biometrics is therefore not just applicable in our physical world but in our spiritual realm as well.

( Source : Deccan Chronicle. )
Next Story