Diamonds are Forever and So (Unfortunately) Is Biometric Security

They last a lifetime and they never change. Fingerprints, irises and even gaits (as in walking) are immutable, if you discount the use of surgery. That is what makes them such reliable identifiers and the basis of different biometric security systems. From science fiction and spy films, we now have smartphones (iPhones for example) that have integrated fingerprint recognition. Users no longer have to remember or reset those ID/PIN combinations. Yet recently, hackers recently stole a file with 5.6 million fingerprints of US government employees. And of course, unlike ID/PIN combinations, those fingerprints cannot be reset. Now what?

The lure of fingerprint-activated access is strong. iPhones may have led the way, but Android (the Marshmallow version) is hot on its heels making the same security system available for all apps that run on it. The idea is to make life easier for users. Yet if those fingerprints are hacked, the systems they control are exposed. The only possibility is then to change the access control to something else, and to take fingerprints out of the equation. Attempts to move over to iris recognition (ambitious) or gait recognition (even more ambitious) would suffer from the same basic problem. These identifiers cannot be changed, but digital records of them can still be stolen or compromised.

The idea of giving up security for more comfort has a strange echo in Benjamin Franklin’s words of a few hundred years ago, when he declared that someone who sacrifices freedom for security deserves neither. He approached the matter from another angle, but a person who sacrifices security for comfort may deserve neither, either. In the end, good security is based on good processes, and technologies such as biometric recognition, PINs and passwords are simply tools to help those processes work. Those who focus on fingerprints and fingerprint recognition (for instance) as the be-all and end-all of security are missing the point.