Biometrics has become pervasive today as a way to protect our data. There are fingerprint scanners, like the one on my MacBook. There is face recognition on my iPhone. Biometric recognition systems also play a prominent role in Multi-Factor Authentication (MFA). MFA is a security control that requires two or more forms of authentication to confirm identity. MFA has long been recognized as a best practice for data security, and federal and state regulators increasingly require it. In the movie The Incredibles, for example, Edna Mode scans her hand, enters a personal identification number (PIN), scans her iris, and finally speaks into a voice verification system to access her workshop. We interact with biometrics every day.
David Sedaris in Santaland Diaries:
“Near the cash register was a bowl of glass eyes and a sign reading “DO NOT HOLD THESE GLASS EYES UP AGAINST YOUR OWN EYES: THE ROUGH STEM CAN CAUSE INJURY.” I talked to the fellow behind the counter and he said, “It’s the same thing every time. First they hold up the eyes and then they go for the horns. I’m sick of it.” It frightened me that, until I saw the sign, my first impulse was to hold those eyes up to my own. I thought it might be a laugh riot. All of us take pride and pleasure in the fact that we are unique, but I’m afraid that when all is said and done the police are right: it all comes down to fingerprints.”
Is biometrics the elixir for system security that we all have pined for? What could possibly go wrong?
Fingerprints, iris scans, and the like can feel like an intrusion into one’s personal privacy. You would like to think that you have control over your personal information, yet people are alarmed when they think that a system “knows” more about them than they knowingly or intentionally disclosed, or than they know about themselves.
Think of the occasions when, after mentioning something within earshot of Amazon’s Alexa or typing it into Google search, you start seeing advertisements for the very same item in your social media feed or in ads on news websites.
“Procured” biometric information from one system could be used to steal a person’s identity across multiple systems that rely on the same biometrics. Those biometrics could also be used to combine data about a person, de-anonymize it, and share or sell it.
When using biometrics, there is the age-old question of how to balance convenience and security. There never seems to be a 100% failsafe solution we can put our fingers on.