If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different.

– Bruce Schneier

The popularity and availability of information technologies are constantly increasing. And at the same time increases the number of threats associated with their use. The main one is the danger of critical information leakage – both personal and corporate. Thus, today data protection is the most important area of computer security experts’ work.

The first and foremost method to prevent unauthorized access to any confidential information is to keep a wary eye on the legitimacy of users who have an access to it. The modern level of technology development allows solving this problem quite efficiently.

More and more often different companies introduce two-factor authentication. In 2FA entering the login and password is just the first step. The additional step of authentication is the use of the one-time password. But to put an insurmountable barrier for hackers, we need one more obligatory component: the users’ desire to apply the experts’ achievements and to follow their recommendations. Yet, modern users want authentication to be not only reliable but also easy. That is why they not always activate 2FA on their accounts.

Biometric authentication has become one of these easy ‘magic’ tools, which can make 2-factor authentication more popular. It seems what could be easier and more reliable? Each person has unique fingerprints, voice, facial features. They are always with us, we cannot lose them. And modern gadgets are advanced enough to read and analyze these identifiers.

Not only ordinary people but also serious organizations fall for biometric magic. British banks have introduced biometric fingerprints for customer’s login. This technology has long been used to unlock the Apple’s smartphones. Now, this feature is being introduced into new Android smartphones models. Master Card is working hard to introduce selfies as the authentication method. Among other popular biometric authentication methods are the retina or iris scanning, authentication by a finger or palm venous patterns, by voice, pulse or even selfie.

Is it convenient? Yes. Is it reliable? Well, this needs further investigation.

What dangers can we meet using biometric authentication?

Imperfect equipment. Since any biometric parameters are usually checked with average smartphones, which differ in quality, there is a probability of false negative result. For example, the system may consider the fingerprint suspicious because of a simple cut on a finger. Thus, it may refuse to recognize the authenticity of the owner of the account. In the case when the system uses multifactor authentication, and biometric data is just one of its components, the identification can be realized by an OTP (one-time password). But when biometric authentication is used as the second factor of 2FA (two-factor authentication) there is no possibility of one-time password check. The user will never be able to sign in because of this false alarm. Not only law-abiding citizens use the fruits of technical progress. Attackers quickly become aware of the latest technological innovations. For example, several years ago there was a program that allowed you to add to a video a virtual replica of the person’s photo in real time. Today hackers can use such program to cheat the face scanner. They can show the dynamic moving video clone of the person, whose account they are trying to compromise. The same trouble is with fingerprints. They may be faked easily by a three-dimensional latex mold or glove. Even a high-resolution photo of a potential victim’s palm is enough for the initial sample. It’s difficult to recover the compromised data. If the password is intercepted, you can change it in a couple of minutes. The recovering of a stolen credit card or hardware OTP token takes a bit more time, but it’s still possible. But in the case when the biometric parameters, which belong to the person from his or her birth, are compromised de facto the identity stealing takes place. The biometric parameters cannot be changed as easily as the password or electronic card.

Is it worth to use biometrics for authentication?

As an extra option for multifactor authentication, or in cases not connected with the access to especially important information, the use of biometrics is appropriate. For example, if the fingerprint acts as a pass in a gym, it is quite convenient. There is no need to carry a membership card all the time.

When it is not a gym, but a bank account, it is more reliable to use other authentication methods. Such proven tools like tokens or OTP passwords delivered via SMS will protect important information much better than newfangled retina scan.