Your Face Is Not Your Password

In recent years there has been an influx of different biometric authentication methods. The latest horse in the race is Apple’s iPhone X Face ID. Although face recognition is nothing new, Face ID surely adds its own twist to the game. Apple promises that its algorithms cannot be beaten by photographs or prints, but currently Face ID is Apple’s proprietary technology and cannot (yet) be tested by independent security researchers.

Authentication systems rely on things that you own, know or are. Basically these things are passwords and codes (you know), smart cards and other tokens (you own) or your fingerprints and face (you are). If your password is compromised, you can usually easily replace it with a new one. The same goes for smart cards and tokens: you or your company revokes them and they cease to work. Biometric systems are problematic in that if your fingerprints or face get compromised, you won’t get new ones. And the problem with fingerprints is that you constantly leave them around: in your workplace, house and car. The same is true of your face: you share photos of yourself on the Internet, and you get photographed without your consent.

One great concern with biometric authentication methods is that, if you are forced, it can be hard to refuse to use them. If law enforcement forces you to open your device by pressing your finger to the sensor, you cannot stop it from opening. In 2016 an LA court ordered a woman to open her iPhone with her fingerprint [Forbes]. Face recognition may be harder to fool, but you cannot claim that you don’t know the access code, since it is your face!

Instead of treating biometric authentication methods as passwords, they should be treated as your username. You can easily share your username; nowadays many systems use your email address as the username or as an identifying value. And you don’t keep that information secret: if your colleague or your friend asks for your email address, you don’t hesitate to give it, without realising that it is your username for Netflix and email services.

In the past, many biometric authentication systems have been compromised soon after launch. Fingerprint sensors have been fooled by special paper and face recognition systems by 3D printed facial models.

  • Night mode photograph and special contact lens to fool Samsung S8 iris scanning [The Verge]
  • Fingerprint printed onto special paper [Naked Security]

By using biometric authentication methods in conjunction with passwords and tokens, you can create strong security. Just don’t believe what the marketing department tries to feed you.
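To make the "biometric as username" idea concrete, here is an added sketch (not code from any vendor or product) in which a biometric match only selects the account and a replaceable factor must confirm the login. It assumes the sensor hands back a matched template identifier and that a token is represented by its serial number; all names and values are constructed for illustration.

```python
import hashlib
import hmac
import os

def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked record does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, template_id: str, password: str, token_serial: str):
        self.template_id = template_id   # "you are": public, never replaceable
        self.tokens = {token_serial}     # "you own": revocable
        self.set_password(password)      # "you know": replaceable

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _kdf(password, self.salt)

    def revoke_token(self, serial: str) -> None:
        self.tokens.discard(serial)

def login(accounts, template_id, password=None, token_serial=None) -> bool:
    """The biometric match only selects the account; a revocable factor confirms it."""
    account = accounts.get(template_id)
    if account is None:
        return False
    if password is not None and hmac.compare_digest(
            _kdf(password, account.salt), account.pw_hash):
        return True
    return token_serial is not None and token_serial in account.tokens

def demo() -> dict:
    # Constructed sample data; "tmpl-alice" stands for a sensor match result.
    accounts = {"tmpl-alice": Account("tmpl-alice", "first-passphrase", "TOKEN-001")}
    results = {"face_only": login(accounts, "tmpl-alice")}
    results["face_and_password"] = login(accounts, "tmpl-alice", password="first-passphrase")
    results["face_and_token"] = login(accounts, "tmpl-alice", token_serial="TOKEN-001")
    # Compromise response: the secrets are replaced, the face stays the same.
    accounts["tmpl-alice"].set_password("second-passphrase")
    accounts["tmpl-alice"].revoke_token("TOKEN-001")
    results["old_password"] = login(accounts, "tmpl-alice", password="first-passphrase")
    results["revoked_token"] = login(accounts, "tmpl-alice", token_serial="TOKEN-001")
    results["new_password"] = login(accounts, "tmpl-alice", password="second-passphrase")
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'denied'}")
```

After the simulated compromise the password and token are rotated and the old ones stop working, while the biometric identifier is unchanged and still grants nothing on its own.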

