Biometrics are increasingly popular as a method of authentication. But are we all aware of the threat they bring? Could the Biometric Apocalypse one day become a reality? I hope not.
Biometrics are all the rage. They displace passwords and PINs, and all you have to do is smile at your device to be recognised and allowed immediate access to all kinds of Internet-based services. User experiences don’t get any better than that. For improved security a biometric is most often part of a multi-factor authentication scheme.
Traditionally multi-factor authentication depends on some combination of the classic three factors –
What you possess
What you know
Who you are
But just two factors are normally regarded as sufficient. We all (well, nearly all) possess a smartphone with an embedded SIM card, which makes that phone unique to ourselves. It is also equipped with a very good camera. So that is all we need for two-factor authentication right there. Only if we possess that phone, and if our smile is matched to the biometric facial recognition template embedded inside its secure enclave, will we be allowed access.
So it’s two-factor authentication based on what-you-possess plus who-you-are. We have apparently done away with the what-you-know component most often associated with the much-hated password (and overlooked its much more user-friendly cousin, the low-tech but effective PIN: https://miracl.com/blog/in-praise-of-the-humble-pin-authentication-security-solutions/).
One problem with the mobile phone plus biometric method is that both can be stolen from us. As I have argued before, a biometric is in reality the equivalent of a Username rather than a Password. By its very nature it is public knowledge. Unless we live like hermits, we are actively pushing our biometrics out into the public domain on a daily basis.
(Of course many of us have been living as hermits during the recent pandemic, and vainly trying to authenticate while wearing face masks – but that’s another story.)
The utility of a biometric in the past depended on the difficulty an attacker might have in duplicating it. But with pervasive use of CCTV and forensic tools, biometric capture on a massive scale is now already happening. Paradoxically the more widespread the use of biometrics, the less real security they offer.
We worry when we hear of a massive security breach in which a large company’s password database is hacked. Surely it should be equally concerning that massive biometric databases are being built up as governments and private companies quietly hoover up and harvest our “biometric passwords”. It is only a matter of time until these databases fall into the hands of bad actors, as a black market in harvested biometrics becomes available on the dark web, with devastating results. That’s the Biometrics Apocalypse.
Of course some biometrics are better than others in this regard, as they may be harder to get at: a fingerprint, say, or a heartbeat, or an iris. The trick is to find a biometric which is unique to each of us, easy to measure (for that vital good user experience), but hard to duplicate. Each will have a lifetime, but nevertheless its security value will inevitably erode over time.
Biometrics are having their day, but they will prove to be a short-term stop-gap solution. There is trouble ahead.
A final thought. People will often question us on the damage that a quantum computer might do to cryptography. And of course such an amazing invention would indeed do significant damage. But the extent of that damage is well understood, and the cryptographic community are already putting the finishing touches to new cryptographic techniques that are immune to quantum computing.
There is actually a book out there entitled “Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today’s Crypto”. However, no one seems to be worrying about, or preparing for, the Biometrics Apocalypse, which requires nothing more than a simple extrapolation of existing computing resources.
Dr Michael Scott is Chief Crypto Officer at MIRACL, one of the pioneers of pairing-based cryptography and the “S” in the widely used BLS and KSS families of elliptic curves. Following a distinguished career of almost 30 years at Dublin City University, and as an active consultant to both the public and private sector, his unmatched depth of knowledge is drawn not only from his academic expertise (he has published over 100 highly cited papers) but also from his genuine love of cryptography and the science behind it.