Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
Why Biometrics Cannot Replace Passwords

By István F. Verified by Adam B. Last updated: July 17, 2024
Just as the tech industry is turning its attention from passwords to biometric identification, so are hackers. It may come as a surprise – or maybe not – that with the abundance of photos we share about ourselves on various platforms, hackers don’t need some sci-fi technology to hack our body or steal our physical characteristics in order to fool biometric identification systems. They can do it without even having physical contact with us.

Hacking Touch ID

Take Touch ID, for example, which Apple introduced with the iPhone 5s. For those who may be unaware, Touch ID is a fingerprint recognition system that has been added to iPhones, iPads, and more recently to MacBook Pros with Touch Bar. The white-hat hackers of the Germany-based Chaos Computer Club were able to find a workaround shortly after the device hit the shelves.

What raises a red flag is that they were able to hack Touch ID simply by photographing the fingerprint of the phone owner. The aim of the experiment was to demonstrate that fingerprint biometrics are not suitable for controlling access to personal devices and should be avoided.

Hacking an iris scanner

While photographing a fingerprint may require some skills not all hackers have access to, a new biometric solution, iris scanning, has made things easier for them, especially considering that social media platforms are flooded with high-resolution images showing users’ faces.

In another experiment initiated by the same CCC, security researcher Jan “Starbug” Krissler found that an attack can be carried out against some iris-scanning kits by simply making use of images found in Google searches. The only condition the pictures need to meet is that they are vivid and of a high enough resolution. That means it’s possible for hackers to simply print copies of the target’s eyes and bypass biometric authentication.

Starbug first showed off a clone of the thumbprint of Ursula von der Leyen, Germany’s defense minister. That was in December 2014, but a few years later he showed that it was possible to do the same with eyes simply by doing a Google search. If the image was clear, vivid and in high resolution, bypassing the biometric authentication was possible.

That’s how he was able to print out high-resolution pictures of the eyes of high-profile politicians such as Vladimir Putin, David Cameron and Hillary Clinton. He wasn’t able to use these printouts, though, because he didn’t have access to the devices these people were using.

What raises concern is that while fingerprint hacking required a proper clone, which took time, the iris scan hack required only a high-resolution print. Considering that some high-tier Android handsets feature an iris scanner – such as the Samsung Galaxy S8 launched in early 2017 – unlocking that device using biometrics would be as easy as showing a picture, as demonstrated by the CCC. The video demonstrates that the iris-scanning technology used in this particular device is far from providing a high level of security.

Face ID

Apple introduced Face ID with the iPhone X – claiming facial recognition is more secure than fingerprint identification – and has tilted the industry’s interest in this direction. The biometric authentication uses a TrueDepth camera system with advanced technologies to accurately map the geometry of the user’s face, projecting and analyzing more than 30,000 invisible dots to create a 3D map of the face.

As of writing this article the iPhone X has yet to be released, so we can’t comment on the actual level of security of this system. What we know, however, as users of biometric authentication, is that it will bring convenience to our digital lives.

Why biometrics can’t replace passwords

Still, there is an issue that all users need to be reminded of, and Starbug’s experiments highlight once again that you can’t hide your body’s physical characteristics: your face, your eyes, your fingerprints. Passwords, on the other hand, can be hidden and encrypted. Relying on biometrics as the only authentication method is like being off-guard all the time. Enable two-factor authentication and use strong passwords combined with a good password manager to ensure you have access to all your passwords in an instant.
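
An added illustration of the point above (not code from the original article): a biometric matcher accepts any sample that is close enough to the enrolled template, so a good copy passes, while a password is checked against a salted hash of a secret that cannot be photographed. The feature vectors, threshold, passphrase and function names are constructed for this example.

```python
import hashlib
import hmac
import os

THRESHOLD = 0.05  # assumed: largest mean per-feature distance still accepted as a match

def biometric_match(template, sample, threshold=THRESHOLD):
    """Fuzzy comparison: two readings of the same trait are never bit-identical,
    so the matcher accepts anything sufficiently similar to the stored template."""
    dist = sum(abs(a - b) for a, b in zip(template, sample)) / len(template)
    return dist <= threshold

def hash_password(password, salt=None):
    """Only a salted, slow hash of the secret is stored, never the secret itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def password_match(stored, candidate):
    salt, digest = stored
    return hmac.compare_digest(digest, hash_password(candidate, salt)[1])

def login(account, sample, password=None, require_password=True):
    """Biometric-only policy vs. biometric plus a secret factor."""
    if not biometric_match(account["template"], sample):
        return False
    if require_password:
        return password is not None and password_match(account["pw"], password)
    return True

# Constructed sample data (not real biometric measurements).
ENROLLED   = [0.12, 0.80, 0.45, 0.33, 0.91, 0.27]
OWNER_SCAN = [0.14, 0.78, 0.47, 0.30, 0.90, 0.29]  # live reading with sensor noise
PHOTO_COPY = [0.10, 0.83, 0.41, 0.36, 0.88, 0.25]  # same trait, presented from a copy
STRANGER   = [0.70, 0.20, 0.95, 0.05, 0.40, 0.66]
ACCOUNT = {"template": ENROLLED,
           "pw": hash_password("correct horse battery staple")}

if __name__ == "__main__":
    print("copy, biometric only:   ", login(ACCOUNT, PHOTO_COPY, require_password=False))
    print("copy, password required:", login(ACCOUNT, PHOTO_COPY, password="guess123"))
    print("owner, both factors:    ",
          login(ACCOUNT, OWNER_SCAN, password="correct horse battery staple"))
```

The matcher cannot tell the owner's live reading from the copy because both fall inside the threshold; only the policy that also demands the secret rejects the copy.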

