July 28, 2021

Are Biometrics the Answer to MFA’s Shortcomings? Probably Not.

Written by

Two years ago, my sister and I were trying to navigate back to the airport after my brother’s wedding. She had a newer iPhone with FaceID, while I was still using touchID to open my phone like some sort of peasant. Since people always said we looked alike, instead of trying to type in her passcode for the 15th time, I thought “hey, might as well try it.” And my face opened my sister’s phone. I thought it was hilarious. Shannon didn’t think it was so funny. But it did mean I could field texts from our mom and run the navigation while Shannon focused on the road.

The problem is, that while my sister and I look similar, we’re not twins. So the fact that my face could unlock her phone is problematic: If I can open my sister’s phone with my face, what sorts of trouble could bad actors with better technology get into?

Companies like Apple and Microsoft are doubling down on biometrics to increase the convenience of access to our devices, while others like Stripe and PayPal are combining forces with companies like Facebook and Google to streamline payments. Are these authorization systems providing safety with security? The answer is unclear.

The problems with our current authentication systems

Current authentication systems are built around single keys that rely on a physical object like an RFID chip, a digital key like a password, a biological trait like a fingerprint, or a combination of the three. This has been described as “what you have, what you know, or what you are.”

Passwords are weak

Even the longest and most random of passwords are weak, because they rely on a person to remember them without relying on a sticky note under the keyboard. And given enough time and opportunity, computer programs can be used to guess passwords by attempting near-infinite combinations of symbols a near-infinite number of times. Keystroke-storing malware can record and transmit passwords, but these tools aren’t even necessary when companies make the mistake of storing or transmitting plain text passwords.

Physical or secondary verification can be spoofed

SMS links and verification codes can be bypassed by SIM-card duplication and social engineering. Yubi keys and similar physical or proximity tools can be stolen and duplicated. Biometric access via face or fingerprint can be faked via 3D printing and gummy prints.

In short, the current tools that we have to secure our digital assets won’t hold up to cybercriminals who truly want to access our information. While our current tools may make most attacks inconvenient enough that attackers target lower-hanging fruit, very few things in our digital worlds are fully securable.

The promise and limitations of biometrics

There’s a lot of buzz about biometrics like iris recognition, face recognition, and fingerprinting. We assume that our fingerprints are unique to us. We assume that our irises are complicated enough to identify us. But how much of that confidence is based in our fundamental misunderstanding or oversimplification of how the recognition software is programmed.

And these tools are becoming more common, although the science beneath them is still a little hand-wavey. While you might think that a fingerprint or face scan checks your whole fingertip or face for a match, they actually only choose a finite number of points to pattern-match. And vulnerability testers have found a surprisingly easy way to fool FaceID with glasses and tape. I’ve seen Gattaca, and I’ve hacked my sister’s phone by being related to her. Even our bodies will betray us by being less unique than we arrogantly believe.

And to make matters worse, our features and skin have a sneaky way of changing over time. Depending on your job or hobbies, your fingerprints may wear away or be altered via scarring. As much as I’d rather not admit it, my face is starting to sag in areas that probably include the 80 or so points crucial to facial recognition software. Imagine being locked out of your phone because you look too old.

More secure may be less convenient

While the dream of biometrics is a Mission Impossible-style world where our bodies are our passcodes, that’s probably out of reach for now. The most secure way we currently have to protect assets is multifactor, despite its apparent inconvenience. I access my kids’ daycare by proving my identity via fingerprint, but I also take comfort in the security cameras and actual person sitting in the front office to protect against unwanted people entering the building.

I feel the same way about using a patchwork of passwords, biometrics, and auth tools to gain access to my data. I keep all my passwords in a password management tool, so I only have to remember a couple of passwords and add secondary verification via SMS or authorization app to keep important data safe. But the inconvenience of being locked out of my email or bank account because I’ve lost my cell phone is a not-insignificant worry.

And in the end all of the Yubi keys and verification codes and 25-digit randomized passwords may just be security theatre to make us so busy attempting to access our own information that we forget how insecure that data really is.