Is Biometric Identity Secure?
In the last few years, we have seen the rapid rise and fall of biometric identity. For something that was adopted so quickly, it was quite surprising to see its rapid decline. But; this was for good reason.
As with any new technology, flaws began to emerge after mass adoption.
What are Biometrics and why do we use them?
Biometric is a word that many consumers know, but very few ever took the time to conceptualize it. Broken down, it’s quite a simple concept:
Bio — from the Greek root bio, meaning ‘life’ and often relating to the study of living organisms
Metrics — denoting the science of measuring as applied to a specific field of study
Modern Biometrics use calculations and algorithms to ‘hash’ specific features of an individual. These features can include fingerprints, face, voice, retina, iris or even DNA data.
Documenting these natural characteristics creates a system where an individual can be identified with a simple scan. Most common uses include criminal investigations, access control and citizenship verification. This system can be quite effective.
Why are Biometrics a good way to identify?
If you ask someone to prove your identity, most people would instinctively reach towards their wallet or purse.
They would scramble through their bundle of receipts, credit cards, and their coupon membership cards finally removing a government issued plastic card.
But these cards prove very little.
In attempts to secure and simplify identity, many governments and private institutions decided to begin cataloging this biometric data.
When an employee arrives for their shift, they simply place their finger on the scanner; they are clocked-in.
When a student needs to buy lunch, they simply use their finger; funds are removed from their account.
When police need to verify an individual’s name, a simple finger scan will suffice.
Although effective in many cases, this is not always a foolproof system.
Why are Biometrics a bad way to identify?
As counter measures are implemented, bad actors as well as “whitehats” attempt to beat these systems.
Sometimes they are quickly successful.
Recently, an anonymous researcher only known by the online handle ‘darkshark’ exposed a flaw in new a new consumer device. The device, a Samsung Galaxy S10, boasts of a security feature which scans the users fingerprint and unlocks the device.
To accomplish this, ‘Darkshark’ simply photographed the fingerprint that a target has left on a wineglass.
Taking that image into photo manipulation and 3D modeling software, the researcher was able to 3D print an accurate model of the photographed fingerprint.
The 3D printed model was then placed over the phone’s ultra-sonic biometric sensor.
It worked; the device unlocks as if it was the authorized users’ finger.
This is one of the main drawbacks of mass biometric identification; they can be faked.
Theft of Biometric Data
But this is an isolated, localized case; fingerprints can’t be compromised on a widescale; right?
In 2015, the US Governments Office of Personal Management announced that a breach had occurred in their system. Not only was the breached data incredibly valuable to international adversaries, it was incredibly costly to the US government.
Some records also include findings from interviews conducted by background investigators and approximately 5.6 million include fingerprints.
This breach exposed the data of nearly 21.5 million current and former US Government employees. Included was fingerprint data from over 5.6 million records.
Fingerprints of dignitaries, contractors and intelligence service members were all part of this data.
Biometric data cannot be reset like a password; this biometric data can never be used with certainty again.
New Generation of Identity Products
We have seen a recent surge in demand for identity products. Data breaches, changing consumer habits and evolving financial products all require new innovation in this sector.
Bridge Protocol is setting new standards for identity management by giving users control of their information.
Instead of storing user data, Bridge Protocol puts users back in control.