There is a misconception among the general public regarding biometrics and their use in securing our private information. The common belief is that biometrics, such as Touch ID or Face ID, can be used to eliminate traditional passwords. However, this is far from the truth. As described here, biometrics only serve as a convenience feature for users, or as a second factor of authentication.
We still need passwords
Every piece of software, cloud app or website we use on a daily basis requires the creation of an account. Typically, this means providing a username (or email) and a password. Many services also offer the option to “log in with Google” or “log in with Facebook,” which delegates authentication to a trusted third-party identity provider using the OAuth or OpenID Connect protocols. These identity providers not only require a username and a password, but also usually ask for a second factor of authentication (e.g. a one-time passcode via text message or equivalent). In the business world, there are a large number of widely used identity providers such as Okta, Azure, and JumpCloud which use a different protocol (SAML 2.0) to provide single sign-on capabilities. Again, every single one of these providers ultimately requires the use of a username AND password when logging into their systems.
How biometrics work on mobile devices
Let’s take iOS for example. When you activate Touch ID, your fingerprint data is stored by Apple within a chipset on the device and is not available in any way to software developers. Software developers who wish to take advantage of Touch ID can simply ask the operating system to prompt you for your fingerprint and wait for a “pass” or “fail.” If it’s a “pass,” some of the data that the developer stored in the keychain can be retrieved (for example an encryption key or a password). This can be used to bypass the app’s password screen and log the user in automatically. This process simply provides convenience for the user by not requiring them to type in their password. But a password was still handed off between the keychain and the app.
Now, what if the password for a particular app was weak (e.g. 123456)? The fact that the biometric was used to pull the password from the keychain and hand it off to the application did nothing to strengthen security. If the app allowed this weak password, then it can be assumed that an attacker on the other side of the world could guess your password and also sign into the same app.
Apps which utilize biometrics for logging in are simply storing your password in the keychain or secure element on the device. Biometric data is never converted directly into a password or key. It can only be used as a “pass” or “fail” operation to retrieve information from the hardware which was previously stored there by the application. Because of this, biometrics are only providing a method of convenience, not added security.
It is well known that hardware manufacturers like Apple and Google will never provide website or app developers with the actual biometric data used to identify users. Doing so would be leaking the user’s private information and exposing biometric data to potential theft or hacking.
Why a password is ultimately always required
The first main reason that passwords are required is that passwords can be changed. If your password to a service becomes leaked by accident, or stolen by an attacker, you can simply reset your password on the target site. However, you can’t reset your fingerprint or your face.
Second, only a strong and unique password is resilient to a brute force attack because it exists only in your brain (or an encrypted password manager).
And finally, for the most secure products, your password data is encrypted. Encryption requires a cipher key to decrypt the stored information. A key can only be derived from a strong password that is typed in exactly the same way every time. An encryption key cannot be derived directly from a fingerprint. This is because operating systems do not provide raw biometric data to developers—doing so would risk leaking your fingerprint to the entire world. And even if the raw biometric data was available to software developers, it would not be in a form that is usable as an encryption key. Decryption either works or it doesn’t—the key can’t be off by even a single 0 or 1. It is well known that biometrics are never exact, and a “pass” or “fail” is an estimation. Decryption can never be performed based on an estimation.
You’re only as strong as your passcode
The fact is that on iOS, the Touch ID and Face ID capabilities can be bypassed by typing in the device passcode. For most people, this is a 4- or 6-digit number. Apple and Android force users to constantly enter this code as a fallback mechanism. Therefore, if your device passcode is leaked, an attacker can log in to your device and enroll a new fingerprint or reset Face ID. This may surprise many users, and it should encourage you to set up a stronger alphanumeric passcode on your device. It’s also important to look for a product that allows customers to opt out of using Touch ID and restrict the use of biometrics.
Look for a product that is zero knowledge. This means your information stored within the product is only encrypted and decrypted at the device level—using an encryption key that is derived from your master password.
If a website, app or service simply allows you to log in without a password, or if the service is not performing client-side decryption, you should be aware that this means your information is stored on their servers, fully in the open. If employees of that company want to view your information, they have full ability to do so. This also means that if the company has a bug in their software, your information could, in theory, be exposed publicly on the internet.
This might not matter to you depending on the type of information stored with the service. But in the case of confidential files, passwords, and other secret information, it could be devastating. Private and confidential information should be encrypted at the device level, and ultimately that can only be accomplished with an encryption key derived from something in your brain that nobody else knows (a password!).
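The two claims above, that a key can only be derived from a password typed exactly the same way every time (not from a biometric reading, which is only ever “close enough”), and that a zero-knowledge service holds nothing but ciphertext it cannot read, are illustrated by the following constructed example. It is added here and is not Keeper’s code or the code of any product the article mentions. The key derivation (PBKDF2-HMAC-SHA256), the toy encrypt-then-MAC cipher built from HMAC (a stand-in for a real AEAD such as AES-GCM), the simulated fingerprint sensor (a bit-string template matched by Hamming distance) and the VaultServer class are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import random
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive a 256-bit key from a password (assumption: PBKDF2-HMAC-SHA256).
    The same password and salt always give the same key; a one-character
    difference gives an unrelated key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys so the two HMAC uses never share inputs.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream with HMAC-SHA256 as the PRF (constructed toy cipher).
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong by even one bit.
    There is no partial result: decryption either works or it does not."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def biometric_scan(template: bytes, flips: int, rng: random.Random) -> bytes:
    """Simulate one noisy sensor reading: flip `flips` distinct bits of the enrolled template."""
    reading = bytearray(template)
    for pos in rng.sample(range(len(template) * 8), flips):
        reading[pos // 8] ^= 1 << (pos % 8)
    return bytes(reading)


def biometric_match(enrolled: bytes, reading: bytes, threshold: int = 8) -> bool:
    """The sensor's pass/fail decision: close enough, never bit-for-bit identical."""
    distance = sum(bin(a ^ b).count("1") for a, b in zip(enrolled, reading))
    return distance <= threshold


class VaultServer:
    """Zero-knowledge storage model (hypothetical): the server only ever holds ciphertext."""

    def __init__(self) -> None:
        self._blobs: Dict[str, bytes] = {}

    def store(self, user: str, blob: bytes) -> None:
        self._blobs[user] = blob

    def fetch(self, user: str) -> bytes:
        # What an employee, or a bug, can see: the stored bytes, nothing more.
        return self._blobs[user]


def demo() -> dict:
    secret = b"bank login: hunter2"              # constructed sample vault entry
    salt = b"constructed-per-user-salt"
    key = derive_key("correct horse battery staple", salt)  # exists only on the device

    server = VaultServer()
    server.store("alice", encrypt(key, secret))  # client-side encryption before upload

    rng = random.Random(2024)                    # seeded so the simulated sensor is reproducible
    template = bytes(rng.getrandbits(8) for _ in range(32))   # enrolled fingerprint features
    reading = biometric_scan(template, flips=3, rng=rng)      # a later scan of the same finger

    return {
        # device side: the right password decrypts; a one-character typo gets nothing at all
        "device_decrypts": decrypt(key, server.fetch("alice")) == secret,
        "typo_decrypts": decrypt(derive_key("correct horse battery stapIe", salt),
                                 server.fetch("alice")) is not None,
        # server side: the zero-knowledge server never holds the plaintext
        "server_sees_plaintext": server.fetch("alice") == secret,
        # biometric: the reading passes the threshold check but is not identical to the template,
        # so hashing each reading into a "key" gives a different key every time
        "biometric_passes": biometric_match(template, reading),
        "biometric_identical": reading == template,
        "biometric_key_stable": hashlib.sha256(reading).digest() == hashlib.sha256(template).digest(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast the article draws follows directly: if a service kept a copy of `key` server-side (no client-side encryption), `decrypt(key, server.fetch("alice"))` would succeed for anyone with server access, whereas with the key derived on the device from the master password the stored blob is opaque.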
It is extremely difficult to build a zero-knowledge product. This is why most companies don’t do it. The important thing for users and businesses is to understand what information you are storing and what level of comfort you have in the company that is protecting your information.
With regard to biometrics, the main takeaway is that a biometric cannot directly encrypt your information. Therefore, any service which has no password protection and relies completely on a biometric for access cannot be trusted as fully secure.
Biometrics as a second factor of authentication
As a second factor for logging into a device, biometrics can be valuable for most applications, while preserving the highest levels of security. For example, after typing in a password or using your password manager to login to a website or application on your computer, you can be prompted to authenticate with your fingerprint or facial recognition on your mobile device.
This type of workflow would require that the app or website developer has integrated with a mobile application or a third party authentication service which supports biometric devices. To properly associate a biometric authentication as a second factor, there must be an enrollment feature and a backend which securely communicates the second-factor information between the application and the back-end servers.
When using biometrics as a second factor, the most important element in the protection of your information is therefore the communication channel between the biometric device and the backend servers. A hacker attempting to break into an account protected by a biometric device will spend their time trying to fool the servers into authenticating the user, rather than trying to break into the fingerprint reader. Therefore the trust you place in your application or software provider is based not only on the fact that they offer biometric authentication, but also on the method of implementation.
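The enrollment-plus-backend workflow described above, as a constructed example that is not part of the article and not the code of any product it names: the backend never receives biometric data; at enrollment it stores a device-bound secret, and at login it issues a single-use random challenge that the phone answers only after its local fingerprint check passes. The HMAC challenge-response scheme, the SecondFactorBackend and EnrolledPhone classes and the scenario names are assumptions made for this demonstration (a production design would typically bind a per-device asymmetric key instead of a shared secret). The scenarios show what the backend must reject: a replayed response, a response computed without the device key, and a reused challenge.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _response(device_key: bytes, user: str, challenge: bytes) -> bytes:
    # Both sides compute the same keyed digest over a fixed context, the user and the challenge.
    msg = b"biometric-2fa|" + user.encode("utf-8") + b"|" + challenge
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class SecondFactorBackend:
    """Hypothetical backend for a biometric second factor. It holds one device key
    per user from enrollment and verifies challenge responses; it never sees a fingerprint."""

    def __init__(self) -> None:
        self._device_keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}   # user -> outstanding challenge

    def enroll(self, user: str, device_key: bytes) -> None:
        """Enrollment: bind a device key to the account. No biometric data is transferred."""
        self._device_keys[user] = device_key

    def issue_challenge(self, user: str) -> bytes:
        """Fresh random challenge per login attempt; any previous one is discarded."""
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        """Consume the outstanding challenge and check the response in constant time."""
        challenge = self._pending.pop(user, None)   # single-use: gone whether or not this succeeds
        device_key = self._device_keys.get(user)
        if challenge is None or device_key is None or response is None:
            return False
        return hmac.compare_digest(_response(device_key, user, challenge), response)


class EnrolledPhone:
    """The user's phone. The biometric is a local pass/fail gate on the device key."""

    def __init__(self, user: str, device_key: bytes) -> None:
        self.user = user
        self._device_key = device_key   # lives in the phone's keychain / secure hardware

    def respond(self, challenge: bytes, biometric_passed: bool) -> Optional[bytes]:
        # On "fail" nothing is sent; on "pass" the device key, not the fingerprint, answers.
        if not biometric_passed:
            return None
        return _response(self._device_key, self.user, challenge)


def demo() -> dict:
    backend = SecondFactorBackend()
    device_key = secrets.token_bytes(32)          # generated at enrollment (constructed)
    phone = EnrolledPhone("alice", device_key)
    backend.enroll("alice", device_key)

    # 1. genuine login: challenge -> local biometric pass -> keyed response -> verified
    c1 = backend.issue_challenge("alice")
    r1 = phone.respond(c1, biometric_passed=True)
    genuine = backend.verify("alice", r1)

    # 2. replay: a captured response is sent against a fresh challenge
    backend.issue_challenge("alice")
    replay = backend.verify("alice", r1)

    # 3. forgery: a response computed with the wrong key
    c3 = backend.issue_challenge("alice")
    forged = backend.verify("alice", _response(b"not-the-device-key", "alice", c3))

    # 4. local biometric failure: the phone sends nothing, so there is nothing to accept
    c4 = backend.issue_challenge("alice")
    biometric_fail = backend.verify("alice", phone.respond(c4, biometric_passed=False))

    # 5. a valid response is accepted once; the same challenge cannot be answered twice
    c5 = backend.issue_challenge("alice")
    r5 = phone.respond(c5, biometric_passed=True)
    second_use = (backend.verify("alice", r5), backend.verify("alice", r5))

    return {"genuine": genuine, "replay": replay, "forged": forged,
            "biometric_fail": biometric_fail, "second_use": second_use}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Everything the attacker described in the paragraph above can reach is the channel to `verify`; the design choice that matters is that a response is only accepted for the exact challenge the backend just issued, under a key that exists only on the enrolled device.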
Biometrics are becoming more mainstream but it’s important for the public to understand the difference between the security they provide versus the convenience gained. Every individual user and organization has a different level of risk aversion. Biometrics cannot provide security on their own merit, and a strong password management strategy is critical in preventing cyber attacks and data theft.
Mobile devices and desktop computers that incorporate biometric authentication are simply providing a convenient way to transfer a password from the physical hardware to the app that you are logging into. Having a weak password, or using the same password for multiple apps and websites, is still exposing yourself to hacking and data theft, even if you use a biometric device. However, as a second factor, biometrics can provide a convenient and valuable security mechanism when implemented securely by the software provider.
CTO, Keeper Security