Biometrics: Not a Panacea

By Morey Haber

Morey Haber serves as the VP of Technology for BeyondTrust. With more than 20 years of IT industry experience, Haber joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition and currently oversees strategy for both vulnerability and privileged identity management. In 2004, Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures for Fortune 500 clients. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators.

Last fall brought news that the number of victims of the OPM fingerprint breach had expanded to over five million prints. It is for this reason that the safety of biometric data should be questioned, and biometrics discounted as a viable means of authentication on their own. Multiple techniques are available for using this type of information to create fake fingerprints that bypass biometric scanners, to plant false fingerprints, or even to falsify applications that require fingerprint data using traditional ink techniques. While vendors gather around biometrics as a holy grail for authentication, it is breaches like this that put the entire concept of biometrics-based security in jeopardy for the masses. Therefore, what is needed to solve this problem is a clear definition of when biometrics should be used for authorization, when for authentication, and when to support two-factor authentication. While these may sound like similar terms, in reality biometrics should only be used for authorization and never for authentication alone.

Authorization, in the simplest terms, is the permission to perform a task. It is the ability to proceed without verifying who you are, or who you say you are. The most common form of biometric authorization used today is Apple Pay: when placing your finger on the Touch ID sensor, you are authorizing a payment. It is just a permission. Authentication, however, is the verification of you as a person, that you are who you say you are. It does not authorize you to perform any tasks; it just proves your identity. Authentication is primarily performed today by usernames and passwords, two-factor authentication, smart cards, and other techniques such as one-time passwords. They generally tie secret knowledge to a second physical medium or to the creation of a unique code that only you know. The various components of an authentication system are designed to prove your identity, but they do not authorize you as a person to do anything.
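The split described above, as an added Python example (mine, not code from the article or from BeyondTrust): a session is established only by a password plus a one-time code, and the fingerprint, modelled here as a constructed feature vector compared by distance, can authorize a payment only inside such a session, so a copied print on its own grants nothing.

```python
import hashlib, hmac, os, secrets

# Constructed illustration of the article's rule: biometrics authorize a task;
# identity is authenticated by knowledge + possession factors, never by a print.
SESSIONS = set()

def kdf(password, salt):
    """Derive a password verifier with PBKDF2 (stand-in for any proper KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret, step):
    """HOTP/TOTP-style 6-digit code for one time step (RFC 4226 truncation)."""
    digest = hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return "%06d" % (code % 1_000_000)

class Account:
    def __init__(self, password, totp_secret, template):
        self.salt = os.urandom(16)
        self.pw_hash = kdf(password, self.salt)
        self.totp_secret = totp_secret
        self.template = template  # enrolled fingerprint features (constructed)

def authenticate(acct, password, code, step):
    """Prove identity with two factors; returns a session token or None.
    No biometric input is accepted here, so a stolen print cannot log in."""
    ok_pw = hmac.compare_digest(kdf(password, acct.salt), acct.pw_hash)
    ok_code = hmac.compare_digest(totp(acct.totp_secret, step), code)
    if not (ok_pw and ok_code):
        return None
    token = secrets.token_hex(16)
    SESSIONS.add(token)
    return token

def biometric_match(template, sample, threshold=0.15):
    """Fuzzy match: a print never reproduces exactly, so compare by distance."""
    dist = sum((a - b) ** 2 for a, b in zip(template, sample)) ** 0.5
    return dist < threshold

def authorize_payment(token, acct, sample):
    """The biometric gates one task, and only for an authenticated session."""
    if token not in SESSIONS:
        return False  # a fingerprint alone is never enough
    return biometric_match(acct.template, sample)
```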
