Fingerprints and face recognition instead of passwords?

A tap of your finger or a gaze into the camera of your smartphone or tablet are enough to unlock it. That is more convenient and faster than entering a long password. But is it secure?

Methods currently in use

Biometrics is an authentication method that identifies a person by biological characteristics such as the fingerprint, the face or the iris.

  • Fingerprint sensors: This type of biometric identification is used in many areas, e.g., when applying for a new passport or ID card. Most mid-range smartphones are already equipped with a corresponding sensor.
  • Face recognition: Apple calls its method “Face ID”, while Microsoft calls it “Windows Hello”. In both cases, the operating system records the user’s face. If your tablet or smartphone is locked, a look into the front-facing camera is all you need. This works even if you take off your glasses momentarily.
  • Iris scanning: A function that recognizes the iris of the user’s eye is less common but falls into the same category.

Is my biometric data secure?

The biometric markers must be stored on the device so that the data received by the sensor or camera can be compared with the reference pattern. Can attackers gain access to the reference patterns on smartphones?

In fact, this cannot be completely ruled out, because the device manufacturers play their cards close to their chest about how the patterns are stored. It is therefore entirely possible for your own fingerprint to be copied off your device by a Trojan.

Apple is exemplary in this respect. With Face ID, the reference is first converted into a computational model. That model is stored in an encrypted area of the iPhone. No images are stored on the device; only the data of the computational model is.

Biometric security keys are primarily convenient

Biometric patterns for unlocking a device primarily add convenience because they let you log in faster. While our biometric patterns are unique to each of us, this does not make them more secure than a password, if only because we always carry them with us.

People leave their fingerprints everywhere, all the time, every day. If a criminal made the effort to single out a certain victim, it would be easy to steal a glass from a café to obtain a sample fingerprint. And security researchers have succeeded in tricking the recognition mechanisms of these devices under laboratory conditions using special photos or synthetic imitations of fingerprints. But such attacks do not scale to the bulk of devices currently in use.

To lock your smartphone with face recognition or your fingerprint is still more secure than no lock at all. However, biometrics is not more secure than a strong password. 

Further reading