Passwords have to be remembered, but fingerprints don’t. Biometric methods are accordingly popular for logging on to devices and applications. But data protection experts warn against the hasty introduction of biometrics. Why is that?

Will passwords soon become obsolete?

In a survey of 500 users by Cisco, it was revealed that fingerprints are a popular replacement for passwords. More than half (55 percent) feel comfortable using a fingerprint to access an online account. Forty percent don’t mind facial recognition. In fact, companies are increasingly replacing password protection with other security methods. This is especially true for the use of biometrics in the form of fingerprints and facial recognition. Smartphones and other mobile end devices have functions for logging in via fingerprint or facial recognition right on board. Accordingly, employees often log on via these devices when they are in the home office or working on the road.

According to a survey conducted by the FIDO Alliance among 1,000 Germans, biometric methods are not only considered convenient, but also the most secure way of verifying identity. Many studies therefore assume that passwords hardly have a future any more; biometrics will replace them. Shouldn’t data protection be pleased about this, given that there are such major problems with sufficiently strong passwords? The answer is yes and no.

Passwords can be exchanged, fingerprints cannot

If companies want to use biometric solutions, data protection demands that the risks be carefully examined. There are good reasons for this: Biometric data and its analysis are very suitable as proof of identity. But if biometric data falls into the wrong hands, it can be used for identity theft. If attackers have stolen passwords, the passwords can and must be replaced. With biometric features such as fingerprints or the face, however, one cannot arbitrarily choose new, unique identifiers. You only have one face and a limited number of fingertips.

Biometric data can be misused

As is well known, a password should not be associated with the person who uses it; it should not contain their name, for example. Biometric data, in contrast, does have something to do with the person. A facial expression, for example, can be used for more than identifying a person. Other analyses are also possible, as a study by the EU Parliament warns. For example, it could be used to more easily identify conditions of the person in question, such as anxiety, fatigue or illness, according to the study.

Biometrics requires high security

So anyone who wants to use the convenience of logging in via facial recognition or fingerprint must secure the process particularly well. This is what data protection wants to ensure in order to prevent misuse. For this reason, data protection demands an audit before biometrics are introduced – not to preserve password problems, but to protect the data of the persons concerned. Therefore, even if you use finger scanning and facial recognition privately, remember not to use just any method. If attackers steal your biometric patterns, your private and professional access is at risk wherever it is protected by biometrics.

Do you know the risks of biometrics? Take the test!

Question: Fingerprint recognition is secure because no one can forge a fingerprint. Is this true?

  1. No, you do not have to forge fingerprints to fake an identity. You can also steal the patterns of fingerprints to misuse them.
  2. Yes, fingerprints are absolutely secure, unlike passwords.

Solution: Answer 1 is correct. In biometric logon procedures, patterns are calculated from users' fingerprints and stored. If an attacker succeeds in stealing these calculated patterns, he or she can fool the biometric identity check and take over the person’s identity. Biometric procedures must therefore be secured against attacks.

Question: Biometric data cannot be misused for other purposes. Is this true?

  1. Yes, you use the fingerprints and facial recognition only to verify the identity of a person.
  2. No, biometric identifiers can reveal more about a person than the identity being checked.

Solution: Answer 2 is correct. For example, one can try to draw conclusions about moods, age or signs of illness from a facial expression by means of analysis. Biometric features are not only a possible password substitute; they are part of the human body and can therefore also say more about the person than a sensibly chosen password, which, as is well known, should not contain any personal information.