As with any data, biometric information is only as secure as the system that protects it. There is nothing inherent in raw biometric data that makes it more secure. However, if it is stolen, it can be very difficult to use.
Biometric data can be stored on servers, an end-user’s device, or through a distributed-data model — storing part on the device and part on servers.
- Centralizing storage on a server creates a target for hackers who need only break into one place to get many peoples’ information. This happened in 2015 when 5.6 million sets of fingerprints were among the personal data taken in a breach at the United States Office of Personnel Management (OPM).
- This isn’t a problem if the data is kept on the end-user’s device. Unless hackers are looking for information on a particular person, an individual device is of far less interest to them because it requires a tremendous amount of effort for a very small return.
- The most secure method is the distributed data model. Using visual cryptography, biometric data is broken up into files of code upon enrollment. Some of that data is stored on the user’s device and some on servers. To prove identity the data on the device is checked to see if it matches up with the data stored on the network. This is the digital version of two people who don’t know each other using halves of a torn document to prove who they are.
It is difficult to use biometric data to spoof a system. It can be done, but not easily. There are facial and iris recognition devices which have been fooled by photographs. And in 2016, researchers at Vkansee, a mobile-security firm, unlocked an iPhone with fingerprints collected with Play-Doh. To counter that, biometric systems are using sophisticated methods to detect “liveness.” For example, there are fingerprint scanners that can now detect a pulse, and facial-recognition software which can measure depth of field. There are also methods for detecting blood-flow underneath skin. No doubt there will need to be more improvements as more ways of spoofing are discovered but this does show how difficult it is becoming.
However, these methods work on an individual and not wholesale level. This underlines another strength of biometric security. While there are instances of large amounts of biometric data being stolen, as in the OPM case, there aren’t any known cases of that data being used on a large scale. Compare this with the number of frauds committed using data stolen from password protected systems.
There would have to be a strong payoff to make it worthwhile for a hacker to go to all the trouble of getting a person’s biometrics, making models, and then getting access to the device itself. Unless that person is a high-profile or net-worth individual or has access to incredibly valuable information, the return on investment of time and money isn’t great enough for a criminal to bother with. This strongly suggests that, for the average person, using biometrics like a fingerprint to secure a smartphone or personal computer is likely all the security they need.
No security system is entirely spoof-proof, including biometric ones. However, the difficulty in acquiring and using biometric data can make it so hard and time-consuming to break into that hackers will decide it’s not worth all the effort it takes.