
Biometric authentication using your face or fingerprints is super-convenient and feels futuristic and secure. However, that feeling may be a false sense of security, because biometric systems have weaknesses of their own. If you know what they are, you can use biometrics responsibly.

Your Biometrics Can’t Be Changed

The biggest problem with using measurements of your body as an authentication system is that you can’t easily change them if that information is hacked. When your password information is inevitably leaked or cracked, all you have to do is change your password and the attackers are back to square one.

If your biometric data is compromised, you can’t exactly change your fingerprints or iris patterns. That’s not to say your biometric data is ruined forever. It’s possible to move to higher-fidelity scanning systems that capture more detail than older systems.

The folks who build biometric security features do have ways to hide your raw fingerprint, facial scans, iris images, and whatever other body part you’ve scanned in. By applying encryption that can’t be reversed without a key, they do offer protection from traditional hacking.

The problem is that a dedicated attacker can always find a way to access your raw biometric data. Whether it’s through a data breach or physically lifting your fingerprints from a soda can, where there’s a will there’s a way!

You Can Be Forced to Unlock Biometric Systems


Let’s imagine that you’ve just landed back home after an international trip and you get stopped at customs. You hand over your phone for inspection, but it has a biometric lock so there’s no way the customs agent can root around in it, right? Without skipping a beat the agent turns your phone towards you and it promptly unlocks after seeing your face.

In situations where the authorities can physically manipulate you, they can do the same thing with fingerprint scanners, by forcibly placing your finger on the scanner.

Maybe you’re not worried about government authorities using your biometrics to access your data, but what about criminals? The idea of a criminal forcing their victims to unlock systems using biometrics should be unpalatable to anyone.

We wear our biometric data for all the world to see, but passcodes and passwords live in our heads. For now, there’s no easy way to extract that. You can always “forget” your passcode or provide the incorrect one enough times to wipe your device.

Biometrics Have Unique Hacking Opportunities

Every type of authentication system has its own unique opportunities for hacking. When it comes to biometrics, what hackers need to do is find some way to spoof your biometric data or capture it. As technology advances, it becomes possible to capture biometrics without the victim ever knowing.

In 2017 scientists managed to pull fingerprint data from photographs taken at up to 3 meters away. Smartphone cameras have come a long way since 2017 and modern phones could probably capture enough detail at longer distances, not to mention that most phones now sport at least one telephoto camera.

Iris scans aren’t safe either. In 2015 a professor at Carnegie Mellon detailed how long-range iris scanning could work: a technology that can scan someone’s irises as they glance in a rear-view mirror or from across a room.

These are just two examples; the principle is that current biometric data is always at risk of being captured and replicated. The same goes for future biometric data, with shed DNA combined with DNA “printing” as one possible example.

How To Use Biometrics Responsibly

The weaknesses of biometric authentication don’t mean that you shouldn’t use it at all. However, it’s not a great idea to put truly sensitive information behind a biometric lock alone. For highly sensitive data or applications, it’s better to use MFA (multifactor authentication) that either doesn’t include biometrics or uses them as only one factor among several.

You can also keep a secure vault on your mobile devices that needs another layer of authentication. Samsung’s Secure Folder feature is a good example of this.

Finally, most devices that offer biometric authentication also offer a biometric “killswitch”. This is a shortcut or action you can take to instantly disable biometrics. For example, you can say “Hey Siri, whose phone is this?” to your iPhone and the phone will immediately fall back to passcode authentication.

It’s a good idea to look up the biometric killswitch equivalent for the devices you use so that you can make use of them if the need ever arises.


Sydney Butler
Sydney Butler has over 20 years of experience as a freelance PC technician and system builder. He's worked for more than a decade in user education and spends his time explaining technology to professional, educational, and mainstream audiences. His interests include VR, PC, Mac, gaming, 3D printing, consumer electronics, the web, and privacy. He holds a Master of Arts degree in Research Psychology with a focus on Cyberpsychology in particular.