Biometrics beat passwords, but cling to an old and risky concept

While biometrics may finally be ready for identity prime time, the technology's reliance on factors that don't constantly change gives it at least one thing in common with the static security methods that are falling out of favor.

It's your unique fingerprint or face, but you're not going to be able to change those — if a hacker happens to get a digital version of it. And therein lies the rub. Hackers can get at them, and it's a fact that the payments and security industry maybe doesn't talk about enough.

It certainly is being considered a significant advancement when biometrics is incorporated on the plastic card itself when compared to the magnetic stripe and signature combination that has been in place for decades.

Krisztian Bocsi/Bloomberg

But there is a danger in getting too enamored with the effectiveness of biometrics, at least in terms of not acknowledging its potential weak points.

"Biometrics is not a silver bullet—the reality is that doesn’t exist," said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "I also find a bunch of entities out there talking about a move to dynamic authenticators and grouping biometrics into that category."

The problem with that is biometrics are not dynamic, Conroy said. "They’re static, just much more complex and harder to compromise at scale than passwords."

Mastercard has forged ahead with plans for biometric authentication for online transactions throughout Europe by 2019, an expected advancement on the company's "selife pay" facial recognition model on smartphones.

At the same time, Visa continues to develop Visa ID Intelligence to help banks and merchants adopt biometric technology with an eye toward Internet of Things innovation, and the card brand's own research indicates consumers are increasingly preferring a biometric option when making payments.

Airlines are also moving toward biometrics to complement current TSA processes. British Airways is testing a facial scanner for boarding in several airports in the U.S. and the U.K.

But the security risks associated with biometric data are very similar to any other personal data in that once the digital data is stored somewhere, it can be hacked, said Michael Fauscette, chief research officer for G2 Crowd.

Chicago-based G2 Crowd provides a user-review platform of business and software services designed to help businesses make buying decisions and develop technology strategies.

"Moving the data from the sensor to the repository for storage is also a risk point and must include data encryption to prevent hijacking," Fauscette said.

The major problem with biometric data and its biggest privacy risk is that, unlike passwords and log-in IDs, a fingerprint or facial print cannot be changed, Fauscette added.

"The process of setting up the system, sometimes called enrollment, can also be a weak point," he said. "If the enrollment process doesn't include positive identification, then the whole system is at risk from the start."

In that scenario, the wrong person's biometric data could be used and associated with a different person. It would create another aspect of stolen identity to go along with the more common fear of a criminal obtaining payment or Social Security credentials.

Mistakes made on a network or failure to encrypt data files is only part of the problem. The hackers are already developing unique methods to make their own dents in the biometrics process.

"We’ve seen well publicized successful attacks on various biometrics, such as using a Gummy Bear to spoof a fingerprint," Aite's Conroy said.

Still, the "reality is that biometrics are much more secure than usernames or passwords, because each biometrics provider has its own hash sequence," Conroy said.

When the biometric is tied to a device print, which is generally the best practice in banking, then "it’s incredibly difficult to defeat at scale," she added.