The same myths and misunderstandings resurface again and again. I noticed once more a misplaced hype in an article shared on Twitter about how biometric authentication will simplify banking.
I have to share again something I learned many years ago when I was a junior research student in a computer security group and confirmed in my 14+ years in the banking industry.
Biometric authentication is useless and dangerous alone.
As a second security factor it may be useful, but alone, biometrics is weaker than an 8-character password.
REASON 1: All your biometrics are available to others.
In this age of technology it is very easy to get high-resolution retina scans of anybody. Have you made a trip to an optician lately? They check your eye with a high-resolution camera. Who guarantees me that the image I can see on the screen is not recorded? It is trivial to get a perfect retina scan of someone.
Fingerprints are even easier to obtain and then simulate, even down to the temperature of a finger. There are countless experiments by security researchers on how to defeat the famous fingerprint scanners of our beloved smartphones.
Heart rate monitors, now so common in sports watches and smartwatches, can record any specific patterns with high accuracy. Even this small niche of biometrics based on a heart rate signature can be defeated easily by someone who is able to hack your watch, or the cloud that stores that info.
REASON 2: Safety concerns
If someone intercepts your card PIN or your internet banking password, the worst that can happen to you is to lose all your money. If a criminal needs your biometrics to get that money, you will lose even more.
There is a nice and very graphic example in the “ancient” movie “Demolition Man” from 1993, where the evil guy “Simon” finds a very practical way to defeat the prison doors’ retina-scanning locks. Do you want to be that guard? I think there was the same biometrics hype in 1993 and a genius screenwriter was making fun of it.