When unlocking your smartphone or logging into your bank account, you may be asked to provide something in addition to or instead of a password: your fingerprint. The idea behind this kind of authentication is that your fingerprint is something unique to only you.
Biometrics are not 100% foolproof -- in terms of accuracy and security. It's still a relatively new technology, but getting more accurate with time as new software is developed. Biometrics are processes used to authenticate an individual's identity by using a physical characteristic, such as fingerprints, facial recognition, or iris scanning. It can also use behavioral characteristics, such as voice recognition or heart rate. Additionally, biometrics don't change, therefore they cannot be forgotten like a password.
The increasing use of biometrics pose a privacy problem for civil rights proponents, however this post does not intend to cover the ethics or privacy concerns regarding biometrics. While many experts say biometrics are secure, it is important to point out that biometrics are inherently public. Biometrics go where you go. That means anyone could technically have access to a fingerprint you left on a glass in a restaurant, or the shape of your face in your Facebook profile picture. The FBI has been building a biometrics database, which is not limited to fingerprints. The database includes facial recognition, photos of scars, tattoos, etc., and iris image recognition. The more information the FBI and other law enforcement agencies collect, the less private your biometrics become, which in turn can cause the information collected can become at risk of being leaked. Unlike a password, biometrics can't be reset.
According to The Atlantic:
In 2014, hackers working for the Chinese government broke into computer systems at the Office of Personnel Management and made off with sensitive personal data about more than 22 million Americans—data that included the fingerprints of 5.6 million people.
That data doesn’t appear to have surfaced on the black market yet, but if it’s ever sold or leaked, it could easily be used against the victims. Last year, a pair of researchers at Michigan State University used an inkjet printer and special paper to convert high-quality fingerprint scans into fake, 3-D fingerprints that fooled smartphone fingerprint readers—all with equipment that cost less than $500.
In the absence of a state-sponsored cyberattack, there are other ways to glean someone’s fingerprint. Researchers at Tokyo’s National Institute of Informatics were able to reconstruct a fingerprint based off of a photo of a person flashing a peace sign taken from nine feet away. “Once you share them on social media, then they’re gone,” Isao Echizen told the Financial Times.
Face-shape data is susceptible to hacking, too. A study at Georgetown University found that images of a full 50 percent of Americans are in at least one police facial-recognition database, whether it’s their drivers’ license photo or a mugshot. But a hacker wouldn’t necessarily need to break into one of those databases to harvest pictures of faces—photos can be downloaded from Facebook or Google Images, or even captured on the street.
Furthermore, questions surrounding the accuracy of facial recognition in particular has grown. A study by MIT and Stanford University researches have shown that three facial recognition programs made errors on any subject that wasn't both white and male. Darker skinned female subjects had error rates between 20 and 35 percent.
So what can you to keep your biometrics data safe? Try to use it in as few places as possible. Don't use it as a replacement for passwords--it should be used as an additional security feature. Make sure your passwords are strong and complex, your software is up-to-date, and you have antivirus installed and enabled.