Biometrics are very powerful, but if handled improperly, very dangerous. With great power comes great responsibility.
How do you prove that you are who you say you are? That’s the fundamental question underpinning so much of what we do online. Our answers are varied: Passwords. Numerical codes. And, increasingly, biometrics.
Biometrics are broadly defined as an aspect of someone’s body that is unique to them and very difficult — or even impossible — to reproduce. And while we’re most familiar with things like fingerprints and face scans, Avast’s Director of Trust Services, Drummond Reed, says that the category can also include a palm scan, DNA scan, typing pattern, walking pattern — even a photograph.
“As a general rule, biometrics are extremely difficult or impossible to change,” Reed says. “You can change your name or even your social security number. But you can’t change your DNA, for example.”
To be used to identify you online, though, your biometric has to be digitized. When a biometric (a fingerprint, for example) is captured, it’s transformed into a “biometric template.” That template is then compared to your actual, physical biometric to verify that you are who you say you are, and if the two match you’re allowed access to whatever you’re trying to access.
As an example, Reed points to a very analog biometric template: A driver’s license. Your driver’s license includes biometric information about you, including your photo, height, weight, and eye color, as well as other information about you, like your birth date, address, and what type of vehicle you’re allowed to drive.
When someone looks at it, they can compare what’s on the license to what they see in front of them, i.e. you. If they’re satisfied that your biometrics (photo, height, weight, eye color) match your biometric template (your license), then they can reasonably assume that the other information about you (address, birth date, and so on) is also accurate.
When we’re talking about digital biometrics, that biometric template isn’t something that the “owner” of the biometric can actually see or hold. Instead, it’s stored either directly on a device, as is the case with Apple products, or in a database in the cloud or another server.
Plenty of people are nervous about the collection and use of biometrics, which is a very reasonable response. After all, while you can change a password, you can’t change your fingerprint. (At least not easily or without a lot of money.) So if your biometric data is compromised, there’s a real possibility that it could be used against you — and you’d have very little recourse.
Other issues with biometrics lie in their abuse by governments and government representatives. For example, in some states in the United States, police are within their rights to force you to open your phone with your fingerprint or face scan — but they’re not allowed to force you to enter your passcode.
In China, the government collects a huge amount of biometric data, ranging from face scans to voice patterns to “gait recognition” (a biometric that identifies people by their unique walking style and pace). During the 2014 democracy protests in Hong Kong, protestors carried umbrellas and wore masks and helmets to keep their identities secret from government surveillance. And when the US military left Afghanistan, they left behind the biometric data of Afghans that they’d collected in order to identify terrorists. That information is now in the hands of the Taliban and could be used to fuel retribution against Afghans who worked with the US.
The disadvantages of using biometrics online are clear — but there are also some major advantages. Biometrics are not only convenient but they’re also very difficult to misuse. While biometric databases have been hacked, it’s important to note that the technology required to truly utilize stolen biometric information isn’t readily available — yet.
But just as criminals have figured out ways around every other authentication system we’ve created so far, so too will they undoubtedly figure out ways to get around biometrics. That’s why it’s so important for the cybersecurity world to act offensively and stay at least one step ahead of the cybercriminals with our security solutions.
Reed points to Apple’s implementation of biometrics as a good example of how it can be done in a privacy-preserving way. The company keeps your biometric template on the device itself, not in a remote database. That means it’s not in danger of being stolen if, say, a database is hacked.
Because they don’t require humans to remember anything, biometrics are also head and shoulders better than our current prevailing verification method: passwords. But, just like passwords, biometrics can be hashed and salted (aka scrambled up so thieves can’t read them), which means they can be stored in a database.
“A biometric database is not inherently a bad thing, but there are very few people in the world who know how to do it safely,” Reed says. “That’s why biometric databases are considered not a great idea. In the privacy world, it’s a tool that you want to use very, very carefully. In every project I’ve been part of that involved biometrics, the goal was not to put them in a remote database.”
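The template comparison and the hashing and salting described above, as an added example (not code from Avast, Apple or the original article). The feature vectors, threshold and function names are constructed for illustration; the example shows that a fresh capture of the same biometric matches the template within a tolerance, while a password-style salted hash only matches a byte-identical template.

```python
import hashlib
import hmac
import os

# Constructed sample data: 16-value feature vectors standing in for a
# fingerprint or face template (real template formats are vendor-specific).
ENROLLED = [12, 200, 45, 90, 33, 150, 77, 8, 241, 19, 66, 102, 5, 180, 99, 54]
SAME_PERSON = [13, 199, 45, 91, 33, 149, 78, 8, 240, 19, 67, 102, 6, 180, 98, 54]
OTHER_PERSON = [90, 14, 201, 7, 160, 32, 5, 222, 61, 140, 9, 250, 88, 17, 203, 120]
THRESHOLD = 10.0  # assumed tolerance; real systems tune it against error rates


def distance(a, b):
    """Euclidean distance between two feature vectors of equal length."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def matches(template, sample, threshold=THRESHOLD):
    """Tolerance-based comparison of a fresh capture against the template."""
    return distance(template, sample) <= threshold


def salted_hash(template, salt):
    """Salted, iterated hash of a template, the way a password is stored."""
    return hashlib.pbkdf2_hmac("sha256", bytes(template), salt, 100_000)


def hash_matches(stored, salt, sample):
    """Constant-time exact-match check against the stored salted hash."""
    return hmac.compare_digest(stored, salted_hash(sample, salt))


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = salted_hash(ENROLLED, salt)
    print("same person, tolerance match :", matches(ENROLLED, SAME_PERSON))
    print("other person, tolerance match:", matches(ENROLLED, OTHER_PERSON))
    print("identical template, hash match:", hash_matches(stored, salt, ENROLLED))
    print("fresh capture, hash match     :", hash_matches(stored, salt, SAME_PERSON))
```

A salted hash keeps the stored value unreadable, but because two captures of the same finger or face are never byte-identical, it cannot by itself stand in for the tolerance-based comparison.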
Reed also points out that the very thing that makes biometrics powerful for online verification — the fact that they truly are unique to the individual — also gives them a very high level of assurance when it comes to verification. And, even though they’re particular to you, they can be anonymous.
“All you’re doing is matching the fingerprint, face scan, etc., to the template,” Reed says. “It can be very privacy-preserving. Almost nothing else fits that category — it’s a pretty powerful thing.”
While it would be great if we could easily classify all things as “good” or “bad,” the truth is that almost everything falls into the gray areas between the two. That includes the use of biometrics for online verification.
“The net of it is, I’m actually very bullish on biometrics, but only when used properly,” Reed says. “It’s just like handling radioactive substances. They’re very powerful, but if handled improperly, very dangerous. With great power comes great responsibility.”