Traditional passwords have become a weak point, as data leaks happen quite often. More and more companies are changing their approach and adopting biometrics. However, no one is immune to identity theft, and there have already been several actual cases of biometric data being lost.
To raise awareness of the topic and show that such data requires strong security regulations, Kaspersky identified several dangers of unsecured biometric data:
- Stranger-danger. To set up face or touch recognition, the system usually requires one sample of a finger or a face. Hence, a user may fail authorization because of lighting conditions or changes in their appearance such as glasses, beards, make-up or aging. Conversely, it allows cybercriminals to steal this sample and use it for their malicious aims.
- A password for a lifetime. It is not a problem to change a password consisting of numbers and letters, but once you lose your biometric data, you lose it forever. The problem with touch recognition can partially be solved by using only 2-4 fingerprints and keeping the others for emergency cases, but it is still not safe enough.
- A digital locker. Existing "digital lockers" rely on cloud-based help: biometric matching usually happens on the server side. If the match is successful, the server provides the decryption key to the client. That increases the risk of a massive data leak, since a server hack might lead to the compromise of biometric data.
- Biometrics in real life. There are two cases in which an ordinary person can encounter biometric authentication. Firstly, banks are trying to adopt palm scans on ATMs as well as voice authentication on phone-based service desks. Secondly, individual electronic devices use touch and face recognition. However, biometric security is not yet fully developed, and there are constraints such as CPU power, sensor price and physical dimensions, so some users have to sacrifice system robustness: some devices can be fooled by a wet paper with fingerprints generated using an ordinary printer, or by a gelatin cast.
To secure biometric data, Kaspersky recommends:
- employing stringent security measures against breaches of traditional logins;
- for businesses, improving ATM design so as to prevent the installation of skimmers, or establishing control over the security of ATM hardware and software.
As for biometric identification technology in general, Kaspersky for now recommends using it as a secondary protection method that complements other security measures but does not replace them completely.