Hey, iOS users. Let me ask you a question. Do you use the Touch ID fingerprint scanner to access your iPhone or iPad? Actually, anyone with a PC or mobile device that offers biometric security–fingerprint scanning, facial recognition, etc.–do you use it?
Bonus question. Prior to Touch ID, or Windows Hello, or whatever biometric security technology you’re using, did you use any security at all on your mobile device or PC? Many people did not, because it was too “inconvenient”. Biometric security may not be perfect, but in my opinion it has made us infinitely more secure by allowing even the laziest among us to have security enabled at all.
The concept of biometrics is not new. International super spies have been accessing top secret information with fingerprint and retina scans, voice recognition, and other biometric methods in movies and TV shows for decades. Things like facial recognition and fingerprint scanning have finally made their way to mainstream devices used by average consumers, though, which raises the question of whether or not they provide adequate protection—or if they are more or less secure than the traditional username and password.
Better Than Nothing
It may not be a very convincing argument, or a compelling endorsement of biometrics, but biometric security is better than nothing.
There is an individual who has reached out to me a couple times—Hitoshi Kokumai. He believes that biometric authentication that substitutes for traditional passwords or PINs is inherently less secure than the password or PIN. He created a short video explaining that biometric authentication provides a false sense of security and results in “below-one factor authentication.”
Kokumai is generally correct and makes a number of good points. A password or PIN would still be safe, but someone could unlock your mobile device with facial recognition or your fingerprint while you are asleep or unconscious. The part I agree with most in the video is the idea that requiring both a biometric method and the password or PIN—in other words, implementing two-factor authentication—would be exceptionally more secure than either of those methods by itself.
Ultimately, I disagree with the “sky is falling” premise, though, on the grounds that biometric authentication is infinitely better than no protection at all. It’s also better than using simplistic, easily guessed or cracked passwords and PINs like “password” or “1234”.
How effective biometric security is depends on your perspective. If you’re looking at it from a pure security standpoint, and trying to find ways to provide as much protection as possible against all kinds of attacks, then biometric security has some flaws and pitfalls that might make you think twice. If, however, you’re looking at it from the perspective of people simply choosing not to enable security at all or choosing stupid PINs like 1234, biometric security is an exponentially better choice.
Prior to Touch ID, many iPhone users—my wife and kids included—just had no security at all. Many people decided it was too tedious to enter a 4-digit PIN every time they wanted to use their smartphone or tablet, so they just didn’t enable passcode protection. There were also a significant number of people who implemented a PIN, but chose to make it something simple to remember—and therefore also easier to guess or crack.
Read the full story on Forbes: Even Poor Biometrics Are Better Than No Security At All.