If you want your authentication to be secure:
- Start with something you have.
- Then, use something you know.
- Only then should you provide something you are.
The annual Apple event is possibly one of the most anticipated technology events in the world. This year, the company revealed its iPhone X, one of the most advanced phones on the market. But what wasn’t so great about it? The facial recognition technology, and I’m not talking about the work Apple put into the phone to ensure a printout of your face won’t unlock it. Biometrics as a first authentication factor looks cool in movies, but in actuality opens up more vulnerabilities.
As a prior military member, I have tremendous respect for law enforcement personnel. Police usually also undergo a ton of training about conducting lawful searches and seizures. Under the Constitution, there are circumstances where we have a reasonable expectation of privacy. And, while law enforcement personnel do have full authority to conduct a lawful search incident to an arrest and have full authority to confiscate your phone, they should get a warrant before searching it. However, in some circumstances, police also get access to evidence or information through unlawful searches and seizures. This could be due to a procedural error on the part of law enforcement, or due to a myriad of other factors.
For example, law enforcement could conduct the search while you are unconscious or under the influence to such an extent that you wouldn't be able to legally consent to the search. Recently, a nurse became famous for refusing to conduct a search of a person's blood without a warrant because that person was unconscious. If that officer gained the opportunity to unlock a suspect’s phone by pointing it at a person’s face, would he pause to obtain a warrant first? Consumers should not rely on security that could involuntarily waive their rights.
iPhone X facial recognition technology opens the door to security loopholes under duress or other authentication workarounds. Imagine: Someone is mugging you, but instead of taking what is in your wallet, they hold your phone up to your face to access banking apps and make money transfers. If you store any of your banking cards on your phone, this is a concern. Typically, if the user needed to provide something they know, he or she could enter a pre-specified duress code to trigger alarms and call for help.
Credit card transactions are usually easy to report as fraud and cancel, but with debit card transactions or bank transfers, it’s much more difficult to get your money back. This is one of my biggest concerns for mobile banking, which goes beyond biometrics. Recently, Samsung and Bank of America released an iris scanning login. It’s exciting and new, but how can financial organizations and other companies with millions of customers balance flexibility and convenience with security?
Ultimately, the simplest approach, and my real overall point, is that people should avoid securing their devices with a method that can be used against them without their consent.
In general, while biometrics make a great additional verification factor, they are terrible when used incorrectly for things like the initial identification stage of the authentication process. That step should always start with something you have, followed by something (only) you know, then possibly followed by something you are (biometrics).
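The factor ordering above and the duress code mentioned earlier can be enforced in the login flow itself. The sketch below is an added example, not code from the article or from any vendor; `Account`, `Session`, `login` and the sample values are hypothetical, and treating a duress code as an apparently normal success that silently sets a flag is an assumption about how the alarm would be wired up.

```python
import hmac
from dataclasses import dataclass, field

ORDER = ("have", "know", "are")  # possession, then knowledge, then biometric

@dataclass
class Account:
    device_token: bytes      # something you have (constructed sample value)
    pin: bytes               # something you know
    duress_pin: bytes        # pre-specified duress code
    needs_biometric: bool = False

@dataclass
class Session:
    account: Account
    passed: list = field(default_factory=list)
    duress: bool = False     # set silently; the caller raises the alarm

    def present(self, factor: str, value: bytes = b"", match: bool = False) -> str:
        # A factor is accepted only at its position in ORDER, so a face
        # match offered first is rejected without being evaluated.
        if len(self.passed) == len(ORDER) or factor != ORDER[len(self.passed)]:
            return "rejected"
        acct = self.account
        if factor == "have":
            ok = hmac.compare_digest(value, acct.device_token)
        elif factor == "know":
            is_pin = hmac.compare_digest(value, acct.pin)
            is_duress = hmac.compare_digest(value, acct.duress_pin)
            self.duress = self.duress or is_duress
            ok = is_pin or is_duress   # duress code looks like a normal success
        else:
            ok = match                 # result reported by the biometric sensor
        if not ok:
            return "rejected"
        self.passed.append(factor)
        return "accepted"

    def authenticated(self) -> bool:
        needed = 3 if self.account.needs_biometric else 2
        return len(self.passed) >= needed

def login(account, steps):
    """Run (factor, value, match) steps; return (authenticated, duress)."""
    s = Session(account)
    for factor, value, match in steps:
        s.present(factor, value, match)
    return s.authenticated(), s.duress
```

A service using this would check the duress flag after a successful login and restrict transfers or alert out of band, while the screen shows nothing unusual.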