Biometrics done wrong

In the tech industry we are used to buzzwords with a very narrow technical origin sweeping through the media and general cultural awareness. It gets complicated when the original meaning is lost in translation but the hype remains.

“Biometrics” has started to take on that form. Let us unpack it a bit and see where it should and should not go.

The narrow technical meaning of biometric data is simply data based on the biological characteristics of an individual. Note that this does not imply uniqueness. Your height is biometric data, but it is not unique. There are, however, pieces of biometric data that are distinctive enough to single out one person. We have been using fingerprints since before the digital age because of that distinctiveness. With modern techniques we can measure quite a few new biometric data points for an individual, and some of these are distinctive in the same way. A key thing to note is that most of these biometric data points cannot be changed in any practical way, which makes them permanent identifiers for that individual.

Identifying an individual is a vital part of any modern system. Logging in is something we stopped thinking about long ago. It allows us to interact with a system in a personalised way. These personalised interactions can become immensely powerful, so the system needs to be entirely sure about the identity of the user. A distinction should be drawn between identifying yourself and securing the interaction; these are two different steps. You identify yourself with your username, email address or another unique identifier. Then you gain access to the power of the system by unlocking it with a password that no one else knows. Identification and authentication are distinct concepts, even though the classic login form does both at the same time.

Biometric data that is distinctive to an individual can be used for identification. But here is the big mistake that many people make: biometric data is not suited for authentication. A key part of an authentication system is that it relies on a secret. You prove that you know or have something that no one else could possess. This sounds a lot like biometric data! But your fingerprint is not something you know and can change your mind about. Your fingerprint is not something you have and can replace with another one from a supplier. It is not even secret: you leave copies of it on everything you touch. Your fingerprint is part of who you are. Sending your fingerprint to an online service to log in is equivalent to using your email address as both your username and your password.

Then there is the issue of a breach. I can change my login password, put new locks on a door, and generate a new key pair and have a certificate reissued. But I cannot change my fingerprints, my face or my retina. If that data becomes available anywhere that is not under my control, it stops being useful for authentication. Forever. Once my fingerprint geometry is for sale on the dark web, no system that relies on my fingerprint being attached to my finger, and my finger only, is secure any more. Using my face for authentication is nixed by the existence of Facebook, Instagram, or any other social network where pictures of it already live.

Do not use biometric data for access control or authentication.

But. There is always a but. You will have noticed earlier that authentication relies on possessing specific knowledge or a thing and proving that to a third party. If that third party is actually myself, an interesting gap emerges for biometric authentication. Here is how it works. I have a safe in my house and I have the only key to that safe. In that safe I store the access key to the secret lab where I work. The only person who should ever have access to that safe is me. In opening the safe I am identifying myself to my own hardware, and I am implicitly authorised because I set it up. The lab never sees the safe or its lock; it only ever sees the access key, which the lab issued and can revoke and replace at any time. Note that my biometric data never leaves my control and is not shared with the lab. Additionally, the lab now has a higher degree of confidence that the access key it gave me has not left my possession either.

In practical terms, this means that the use case for "biometrics" is unlocking local storage. Use the fingerprint reader on your phone or laptop to unlock the device, or to unlock a credential that the device holds on your behalf. Do not send the fingerprint itself to a service to log in, and never let the template leave your device or direct control. Two caveats apply even then: the unlock is only as strong as the sensor's resistance to a lifted print or a photograph, and there is always a PIN or password fallback, so that fallback needs to be a real secret too.
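The safe analogy above, and the non-revocability argument before it, can be made concrete. The following is an added example, not code from the original post: a simulated device whose biometric matcher runs locally and only releases a device-bound secret, which then answers a server's challenge. Beside it sits the anti-pattern where the server stores and matches the biometric itself. The fingerprint "templates", the Jaccard-similarity matcher and the HMAC challenge-response scheme are all assumed stand-ins constructed for this example; it uses only the Python standard library.

```python
"""Added example (not the post's own code): biometric check on the device,
replaceable secret on the server.  Templates and matcher are constructed
stand-ins; a real matcher is fuzzy and threshold-based in the same spirit."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed "minutiae" codes standing in for a fingerprint template.
ALICE_FINGER = frozenset({"r12", "b3", "e45", "d7", "r9", "b31", "e2", "d70", "r77", "b8"})
ALICE_NOISY_SCAN = (ALICE_FINGER - {"d70"}) | {"x1"}   # same finger, slightly different scan
SOMEONE_ELSE = frozenset({"z1", "z2", "z3"})


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity: an assumed stand-in for a fuzzy biometric matcher."""
    return len(a & b) / len(a | b)


class LocalSensor:
    """Runs on the device; the enrolled template never leaves it."""
    def __init__(self, enrolled: frozenset, threshold: float = 0.75):
        self._enrolled = enrolled
        self._threshold = threshold

    def verify(self, scan: frozenset) -> bool:
        return similarity(scan, self._enrolled) >= self._threshold


class DeviceKeystore:
    """The 'safe' from the text: the biometric only unlocks a device-bound
    secret, and that secret can be rotated without touching the finger."""
    def __init__(self, sensor: LocalSensor):
        self._sensor = sensor
        self._key = secrets.token_bytes(32)

    def registration_material(self) -> bytes:
        # Handed to the server once at enrolment (assumed trusted channel).
        return self._key

    def rotate(self) -> bytes:
        self._key = secrets.token_bytes(32)
        return self._key

    def answer_challenge(self, scan: frozenset, nonce: bytes) -> Optional[bytes]:
        # The biometric gate is local; a failed match releases nothing.
        if not self._sensor.verify(scan):
            return None
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Server:
    """Stores only an identifier and a replaceable secret per user."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def enrol(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh nonce per login attempt

    def verify(self, user: str, nonce: bytes, response: Optional[bytes]) -> bool:
        if response is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class NaiveBiometricServer:
    """The anti-pattern: the server holds and matches the template itself."""
    def __init__(self) -> None:
        self._templates: Dict[str, frozenset] = {}

    def enrol(self, user: str, template: frozenset) -> None:
        self._templates[user] = template

    def login(self, user: str, scan: frozenset) -> bool:
        return similarity(scan, self._templates[user]) >= 0.75

    def breach_dump(self) -> Dict[str, frozenset]:
        return dict(self._templates)


def demo() -> Dict[str, bool]:
    results: Dict[str, bool] = {}

    # Naive design: a breached template logs in forever and cannot be changed.
    naive = NaiveBiometricServer()
    naive.enrol("alice", ALICE_FINGER)
    stolen_template = naive.breach_dump()["alice"]
    results["naive_attacker_logs_in"] = naive.login("alice", stolen_template)

    # Gated keystore: the server never sees the template.
    device = DeviceKeystore(LocalSensor(ALICE_FINGER))
    server = Server()
    server.enrol("alice", device.registration_material())
    nonce = server.challenge()
    results["noisy_scan_accepted"] = server.verify(
        "alice", nonce, device.answer_challenge(ALICE_NOISY_SCAN, nonce))
    results["wrong_finger_rejected"] = server.verify(
        "alice", nonce, device.answer_challenge(SOMEONE_ELSE, nonce))
    old_response = device.answer_challenge(ALICE_FINGER, nonce)
    results["replay_rejected"] = server.verify("alice", server.challenge(), old_response)

    # After a server breach the secret is rotated; the finger is untouched.
    leaked_key = device.registration_material()
    server.enrol("alice", device.rotate())
    nonce2 = server.challenge()
    results["works_after_rotation"] = server.verify(
        "alice", nonce2, device.answer_challenge(ALICE_FINGER, nonce2))
    results["leaked_old_key_useless"] = server.verify(
        "alice", nonce2, hmac.new(leaked_key, nonce2, hashlib.sha256).digest())
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the two halves is what each server stores. The naive server holds something that can neither be kept secret nor replaced, so its breach is permanent. The gated design holds a random key it can reissue at will, and the fuzzy matching (a slightly different scan of the same finger still passes) happens only inside the device.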

Using biometric data for tracking is a whole different story, though that only involves identification. The secret lab where I work says it is ok.
