Biometrics is one of the most commonly discussed security trends right now, owing to how dramatically it has penetrated daily life in such a short amount of time. From iPhones to the fingerprint API of Android Marshmallow, from office entrances to stadiums, biometrics, and fingerprint identification above all, is now used in practically every industry.
On the other hand, as biometric technology becomes more mainstream each day, privacy concerns about biometrics have been rising with it. A datum, in this case a fingerprint, that was previously seen as “very confidential” now gets spread everywhere. Although biometrics offers much more solid security and convenience than any other approach, a bigger problem materialises at this point. People cannot help but notice that there is a big elephant in the room. And that is:
“There is no ‘reset my password’ here. What if my fingerprint gets stolen?”
It’s vital to understand the basic process of biometrics, and of fingerprints in particular: how are they enrolled, stored and used? How do fingerprints taken for passports differ from those taken for your iPhone? In civil and legal applications? Let’s look under the hood a bit.
The Power of Non-Ubiquitous Templates
The most common fear is that once a fingerprint is given, it could be used absolutely anywhere. Yes, a generic scanner does store a decent amount of data, but the attributes of that data, in this case the fingerprint, differ considerably, which makes it almost impossible to use across a wide range of platforms, even if those platforms are governmental ones.
Contrary to common understanding, fingerprint scanners do not literally “scan” the finger, so they do not store a digitalised image of a fingerprint. Instead, they scan the distinct characteristics of the fingerprint (minutiae) and convert them into mathematical representations called “templates”. Manufacturers in the biometrics industry, however, tend to use templates that differ from one another, so that they can then encode these templates with their own algorithms. If a hacker manages to break into a law enforcement agency’s fingerprint repository, or somehow (the world’s hardest somehow will be explained in depth in another post) manages to steal a print as it is being taken or right after it has been taken, here comes the magic: obtaining a particular template does not make it possible to form an actual and entire digital copy of the fingerprint. In other words, even if a hacker gets through all the difficulties and obtains a fingerprint template, that does not mean he will be able to abuse the template on multiple platforms, for both technical and practical reasons.
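To make the idea of a template concrete, here is an added example (not code from this article or from any scanner vendor) that stores a print as a short list of minutiae, matches a second capture against it with a tolerance, and shows one vendor's decoder rejecting another vendor's layout. The `VNDA`/`VNDB` layouts, the tolerance values and the sample minutiae are all constructed for illustration.

```python
import math
import struct

# Constructed sample minutiae: (x, y, angle_deg, kind); kind 0 = ridge ending, 1 = bifurcation.
ENROLLED = [(52, 110, 30, 0), (97, 64, 145, 1), (140, 180, 270, 0),
            (33, 201, 90, 1), (120, 120, 200, 0)]
# Constructed second capture of the same finger: slight jitter, one minutia missed.
PROBE = [(54, 108, 33, 0), (95, 66, 141, 1), (141, 182, 268, 0), (121, 118, 204, 0)]

def encode_vendor_a(minutiae):
    """Hypothetical vendor A layout: tag, count, then uint16 x, y, angle and uint8 kind."""
    body = b"".join(struct.pack("<HHHB", *m) for m in minutiae)
    return b"VNDA" + bytes([len(minutiae)]) + body

def decode_vendor_a(blob):
    """Vendor A's matcher only understands its own layout and rejects anything else."""
    if len(blob) < 5 or blob[:4] != b"VNDA" or len(blob) != 5 + 7 * blob[4]:
        raise ValueError("not a vendor A template")
    return [struct.unpack_from("<HHHB", blob, 5 + 7 * i) for i in range(blob[4])]

def encode_vendor_b(minutiae):
    """Hypothetical vendor B layout: different tag, field order and angle unit (1/256 turn)."""
    body = b"".join(struct.pack("<BBHH", k, round(a * 256 / 360) % 256, y, x)
                    for x, y, a, k in minutiae)
    return b"VNDB" + bytes([len(minutiae)]) + body

def match_score(enrolled, probe, max_dist=8.0, max_angle=10):
    """Fraction of minutiae paired one-to-one within position and angle tolerance."""
    unused = list(enrolled)
    paired = 0
    for px, py, pa, pk in probe:
        for cand in unused:
            ex, ey, ea, ek = cand
            turn = abs(pa - ea) % 360
            if (ek == pk and math.hypot(px - ex, py - ey) <= max_dist
                    and min(turn, 360 - turn) <= max_angle):
                unused.remove(cand)
                paired += 1
                break
    return paired / max(len(enrolled), len(probe))

def demo():
    stored = encode_vendor_a(ENROLLED)          # 40 bytes of coordinates, no image pixels
    score = match_score(decode_vendor_a(stored), PROBE)
    try:
        decode_vendor_a(encode_vendor_b(ENROLLED))
        cross_vendor_ok = True
    except ValueError:
        cross_vendor_ok = False
    return len(stored), score, cross_vendor_ok

if __name__ == "__main__":
    print(demo())
```

The match is a score against a threshold rather than an equality test, because two captures of the same finger never produce identical minutiae.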
Another point is that a print given for passports or any legal application would consist of binaries (digits), as it is a legal security application. Your iPhone, however, only needs to check the photographic image of your fingerprint and does not recognize minutiae-based templates, and vice versa. In traditional security, by contrast, if a password or PIN is cracked, it is likely to be used easily on several platforms, from e-mail to banking apps to even Instagram. In other words, letters, numbers and even their strongest combinations are ubiquitous, which leaves their users vulnerable to cyber-attacks.
We Are Not There Yet
Looking back over the last decade of our lives, the speed of technological applications went beyond expectations. What we write about the privacy of biometrics is limited to the applications and practices in actual use today. In a futuristic scenario, if a single fingerprint were used for taking public transportation, buying clothes, starting your car, ordering food online and so on, it would open up possibilities for spoofing into several online accounts that ask for a particular fingerprint to confirm that it’s you. But even then, biometrics has a unique way of storing data and using it on different platforms, which cannot be compared to traditional passwords. And as the title suggests: we are not there yet.
Digitalising our daily lives and integrating them into a number of platforms has necessitated a further security approach besides passwords, and thousands of people each day learn this the hard way, unfortunately by being hacked or defrauded. We have walked into an era where PINs or strong passwords are no longer adequate for a “normal” person; in fact, they are the weakest links.
Today, biometrics is the leading technology offering the ultimate security in many industries. However, due to a lack of information and to misconceptions, biometrics can be regarded as “dangerous to share”. In an increasingly digitalised world, every person needs to put their prejudices aside and learn about what they’re unsure of, especially for the sake of things that make their lives much simpler, more secure and improved. Biometrics, for sure, is one of them and has incredible preventive security potential in today’s high-tech world.