Government of India is aggressively coming up with usage of Aadhaar card, but while we move towards digitalization are we educated about the risk. Similarly, for being advertised about advantage of the digital payment gateway we should be informed about the risk associated with this method.
Not many of us are aware of the risk on usage of biometric password for authentication. But before, we go on the risk let us first know how does biometric authentication works.
The authentication process can be broken down into 3 parts:
a) Recording of biometric data: When user registers himself in the application by providing the biometric details, the data is stored in the form of a hash value in the database directory.
b) Authentication of user: When a user tries to authenticate the transaction, it generates the hash value of the user and compares with the stored harsh value in database.
c) Transaction: After matching the harsh value the application authenticates the user and performs the transaction.
Let us know look at the risks associated with the biometric authentication
1) Biometric password can be compromised:
First, biometrics will be easier to hack than passwords. Not only are they subject to all of the current attacks that work when hacking passwords, but biometric data were never designed to be secret. Most people make sure not to divulge their passwords, but it's difficult to imagine the world where everyone wears gloves constantly to avoid leaving fingerprints.
Attackers have already figured out how to bypass many of today's biometric solutions. Jan Krissler, a famous hacker, used high-resolution photos of Ursula von der Leyen, Germany's Minister of Defense, to beat fingerprint authentication technology. In a more famous stunt, Krissler also beat Apple's TouchID technology just a day after its release by creating a copy of a fingerprint smudge left on an iPhone screen and using it to hack into the phone.
2) Biometric password cannot be changed:
Biometric data that has been stolen cannot be changed, you cannot replace your stolen fingerprints with a new set, nor can you replace a finger you might lose in an accident. Biometrics cannot be tossed away and replaced like a password or a credit card number. Rather, it is permanently associated with a user.
3) One password across different domains:
Biometric password are same across all domains where you have registered for authentication. This means if your password is compromised in any one domain it is compromised everywhere across all domains. Places, where you're biometric, are registered with lower security features are Gym, office attendance application, Mobile phone, Laptop etc. If your mobile phone is lost which has such features of authentication your biometric password are compromised.
4) You can't share your biometric password:
Biometrics authentication has other major limitations it cannot be shared. Sharing login data is something more and more internet users do, whether for business or in their personal lives. Especially during an emergency scenario, we share our credit card or account details with our relatives and friends while in biometric it won't be possible.
Further to conclude the biometric password should be used with any additional layer of security like OTP, strong password and security questions.
I have highlighted the key risks, as I believe that educating the end user is the best way to eliminate the biggest risk. And as they say, most of the times lack of awareness is the root cause towards of any cyber fraud. In the end, we should move towards biometric password but not in isolation but with the conjunction of an additional layer of security like one-time password, strong passwords and security question.
The author can also be reached at avinash_sunchu@hotmail.com.
CAclubindia
