Are biometrics really the way for 2FA?

I have some concerns around the use of biometrics for online authentication. I know I’m not the only one, and my thoughts are probably not original, but I’m going to need some convincing before I start to see biometrics as the most secure, futureproof way of moving forward.

There are some frequently cited concerns around biometrics, mainly around if your data is leaked, how you can’t use your face or fingerprint for authentication any more, and how it’s not possible to change your face like a password. Both have potential for concern, but I don’t believe they are as straight forward as one might imagine.

Mobile based biometric sensors like your phone camera or fingerprint scanner are getting better, and though they can be physically beaten with sophisticated techniques involving infrared lights or 3D printing, that takes a long time and some investment. Not very economical for a hacker, and fairly unlikely it’s going to happen to a commoner, such as myself. So, my concern doesn’t lie here.

In late 2015, the fingerprints of 5.6 million federal employees were stolen in a hack against the US government. Does this mean those fingers are out of action? For this particular attack, if the hackers manage to decrypt the data, and then reverse engineer the strings into fingerprints, they might be able to identity one of these individuals by a fingerprint left behind on a glass, but I think it’d be a long shot. Again, for someone like myself, this isn’t what concerns me.

The digital code that makes up the fingerprint for that department will also be different to the code in the next system that uses fingerprints. So, as far as I can gather, they’re not transferable in a digital sense. If our banks started using fingerprints for authentication, the fingerprints leaked by another system wouldn’t necessarily be usable in the bank’s setup. And if we’re really talking realistic, with biometrics used for 2FA, the templates should never leave the device that’s scanning them. So, if I use my phone for 2FA and it scans my fingerprint, the comparison template is on the phone, and what’s sent to the server is my signature, not my fingerprint.

There is always research ongoing in this space, both to crack it and harden it. Using “distorted lenses” that mask the individual’s fingerprint, like hashing a password, means that when the user scans themselves, it’s not actually their fingerprint that is seen; it’s a distorted image of it. In the event a user’s fingerprint is leaked from their device, it will actually be just a jumbled image of it, and simply replacing the “lens” to distort the image in a different way, will be the solution. Simples.

So, if leaked fingerprints and sophisticated technology hacks aren’t my concern, why am I still not comfortable with biometrics for my most secure services, like banking? It goes back to the comparison to a template. With PKI used in 2FA, you have a private key that’s kept on your device. To stop people stealing your phone and using your private key, the key is encrypted. My problem with biometrics, is that what’s encrypting your private key, has a copy held on your phone.

So, everything a hacker needs to act on your behalf is on the one device, and though the security is good on a mobile phone, it’s not great. But, with a PIN code required to decrypt your private key, a PIN that is only verified online on a server, someone with your phone will not be able to decrypt your private key and pretend to be you in the event they have your phone.

As long as biometrics require comparison to a template on the same device, I see this as a weakness; a security notch below the tried and trusted PIN code. I think biometrics for use in the airport, border security, and other trusted environments that are using trusted hardware, is a great way to work. It’s an added layer of security, it creates the opportunity for frictionless movement, and more. But when it comes to 2FA on a mobile phone, I remain unconvinced.