We All Lose in the Biometrics Arms Race

John Michener has been studying biometric security — how we hack voice, face, or fingerprint tech — for 30 years, and as these systems become more popular, he wants people to know how insecure they can be.

“Biometrics, ideally, are good,” Michener tells Inverse. “In practice not so much.”

Biometric security works well in controlled environments where someone can’t try to trick the system, but problems arise when a hacker has the opportunity to gather biometric info off their mark.

The iPhone scans your fingerprint, the Samsung Galaxy Note 7 scans your eyeballs. You can unlock Windows 10 with your face. Even low-tech phones can let companies adopt biometric security: Barclays announced in August that it’s going to use voice authentication instead of passwords for its telephone banking system after its customers have called in a few times.

But they’re not foolproof, as these examples will show:

You can hack a fingerprint scanner

Hackers have discovered numerous ways to crack fingerprint-based security. Some have been able to gather fingerprints from high-resolution photographs, print them with special ink, and use the resulting printout to trick a fingerprint scanner. A professor at Michigan State University has tried to do something similar by 3D-printing a dead man’s fingers so police could gain access to the deceased’s smartphone.

Anyone who’s been arrested, applied for security clearance, or otherwise had their fingerprints logged could have that information stolen and used against them. Michener explains that dedicated criminals wouldn’t even have to go so high-tech: Many scanners let prints work even if they don’t match, he said, because otherwise they might lock out people with wet, dirty, or scratched fingertips.

Hackers can also work around iris scanners or facial-recognition tools. Remember the movie trope about using a printed image to trick these systems? Turns out that it actually works, both for iris scanners and facial recognition tools. All it takes is a high-resolution photograph and some technical know-how to get past most systems with which the average person is likely to interact on any given day.

Voice recognition software isn’t safe either. Michener said he could “dynamically change one person’s voice to essentially any other person’s voice” in the ‘80s. “Computers are 10,000 times faster now,” he said, which means someone will be able to modify their own voice to sound like their target’s with relative ease.

You can always change a password

Passwords are ideas. They can be stored in password managers, or memorized, but they’re not physical objects. This means they can be inconvenient — who remembers a password from a few years ago? — but it also means they’re harder to compromise when they’re used properly.

The same can’t be said for biometrics. Fingerprints can be gathered from images that anyone can find online, and they can also be picked up from many surfaces. Every time someone throws away a can of soda, opens a door, or simply interacts with the world around them, they’re undermining the security of anything protected with their fingerprint.

Social media has made it so images of people’s faces are easy to find. And that’s just online: Most people don’t cover their faces when they’re in public, and, anywhere in America, you can take a photo of someone else on the street or in any public place.

Voice patterns are trickier to compromise. Many of the social tools for sharing voice — Snapchat, Instagram, iMessage — are ephemeral. But many people also talk in public or over the phone. Both scenarios could allow them to be recorded.

All of these biometric markers can be gathered with ease, and they can’t be changed once they’re compromised, at least not in a way that would allow someone to maintain access to existing systems. It’s far easier to change a password that’s been stolen as part of a website hack than it is to change a fingerprint, voice, or face. This means that biometrics have the one-two punch of being easy for someone to steal and hard to change once they’ve been stolen.

What can people do?

Michener said biometrics are good enough to protect against generalized attacks. The odds of a random person being able to access a phone they found on the street are pretty low. The problem, he said, is that targeted attacks can take advantage of biometric systems with ease. Anyone who’s worried about being specifically targeted — public figures, journalists, people with abusive partners — should avoid biometrics entirely and focus more on password-based systems.

Some companies are trying to improve biometrics to make them more secure. Fingerprint scanners might look beneath the skin to analyze someone’s veins or determine if someone’s using a fake print. Facial recognition gets better all the time. And improvements to call quality might allow voice recognition tools to be more strict about how well someone’s voice has to match previous calls in order to access sensitive data.

Biometrics might be the password-killer everyone wants. The next question is whether the password should be killed in the first place. As hackers continue to expose the bugs and flaws, more and more are likely to consider a pardon.