Biometric security encompasses all the technologies that secure valuable things by measuring our bodies' unique or rare properties. People often think of biometric security as being superior to passwords or passcodes, but the reality is a little more complicated.
Before you decide when and where to use biometrics, read on for a good overall understanding of its limitations, applications, and risks.
We human beings have plenty of physiological features that vary from one individual to another. While it's possible for two people to (for example) have the same fingerprints, the odds of this being the case are so remote it might as well be impossible.
Biometric security systems store a digitized pattern based on fingerprints, retina patterns, and facial features. These are currently the three most common biometric patterns in use - at least when it comes to commercial products.
Of course, there are more than just these three: voice patterns are another, less common form of biometric. There's even something known as "keystroke biometrics" that creates a pattern from your unique typing style. Engineers and scientists are always discovering new ways to use unique physical attributes for biometric security, so be prepared for some pretty interesting future developments.
If you have a passcode with four digits, there's a one in ten thousand chance of randomly guessing the correct key. A six-digit code bumps that up to one in a million! So they're pretty secure for the most part if you limit the number of guesses. A fingerprint that's analyzed to high levels of detail offers a huge leap over those numbers. It's effectively unique for each person, and there are billions of us. So the chances of brute-force cracking of biometrics seem low.
Unfortunately, it's not that simple. For one thing, most mainstream biometric systems don't capture your biometric information in a particularly high level of detail. This can be down to limitations in affordable sensors, speed of processing, or the hardware needed to crunch full biometric detail. When a system only looks at a small part of a fingerprint, or at a lower-resolution image of it, it shrinks the space an attacker has to search, which makes a brute-force replication more likely than the "one in billions" figure suggests. Still, don't let that worry you too much, since the odds are still pretty much in the realm of impossibility.
The brute-force toughness of biometrics isn't really the issue, however. There are more serious security risks that you should know about.
When you have a passcode that secures your phone, computer, or encrypted files, you can keep it secret pretty easily. Memorize it, don't write it down anywhere, and never tell anyone about it. Until we invent a machine that can read minds, that's pretty secure.
However, your fingerprints, retinal patterns, and facial features are right out there in the open. That causes all sorts of problems. An obvious one is that someone can simply point a camera at your face or force your finger onto a sensor to unlock your property. From that point of view, biometrics can even be a safety issue, since they create an incentive to accost you personally in order to use them.
Even when you aren't present, there are still ways your biometrics can be compromised. We've seen hackers pull fingerprints from surfaces and then replicate them well enough to fool current sensors.
The biggest problem is the possibility that your digital signature, the stored pattern a biometric system compares your live scan against, will be compromised. When that stored data is hacked, you're left quite in a pickle. Passcodes can be changed when compromised, but you can't change your biometrics!
The fact that biometrics are based on our bodies' unchanging aspects doesn't bode well for the future. The only real hope is for typical biometric scanners to increase their fidelity. There's a massive amount of detail in our unique biometric aspects, and the more of it a system captures, the harder it is to fool. That suggests there will be a sort of arms race between hackers faking biometric data and engineers increasing the amount and accuracy of data that biometric systems capture.
There will likely be a point of diminishing returns, but no one knows whether it will be the hackers or the security providers who'll hit the wall first. Either way, biometrics, as we know them, are probably not going to be a long-term solution.
Apart from developing more powerful biometric systems that can capture more detail and better resist spoofed data, there's more that can be layered into these systems to make them less risky and more useful. Combining multiple biometric types is a simple way to increase security, since the more types of biometrics are used, the less likely it is that security will be broken.
There's also the possibility of new types of biometrics. Perhaps something as far out as a brainwave scanner or rapid DNA testing using technology that doesn't exist yet. Artificial intelligence may also offer a solution to biometric fraud. For example, it can tell the difference between a real face and a deepfake.
Biometric systems also need to be sensitive to other factors, such as detecting whether the finger being pressed to the sensor belongs to a person who is still alive. That might seem macabre, but there are recorded instances of law enforcement placing a deceased person's finger on their phone sensor to unlock it.
So we expect future biometric systems that measure multiple types of physical properties at high quality, with machine intelligence to detect fraud, to become the norm. Anything less, and it's likely to be compromised far too often to be truly secure.
This is a lot of information, but how does it apply to you? The fact of the matter is that biometric security that you use to unlock your phone is more about convenience than it is about security. Systems such as Apple's FaceID are so fast you might even forget your phone has a lock.
It's also more than secure enough to keep the average person (or criminal) who picks up your phone out of your data, but it's not good enough to trust with truly sensitive data.
So, if possible, only use 6-digit passcodes with limited guesses as a minimum standard for security. If you must use biometric security, learn how the biometric kill switch for your specific device works. For example, if you ask Siri, "Whose phone is this?" biometrics are disabled until the phone is unlocked again. Many devices that use biometrics offer a way to deactivate them quickly, so make sure you know how to do it.
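The two pieces of advice above, "limit the number of guesses" and "prefer a 6-digit passcode", rest on simple arithmetic. Here is an added example (not from the original article) that computes an attacker's success probability for a given guess budget and shows a minimal passcode verifier that enforces a hard attempt limit; the passcode, attempt limit and "wipe" behaviour are constructed placeholders, not any vendor's real policy.

```python
import hmac


def brute_force_success_probability(digits: int, guess_budget: int) -> float:
    """Chance that an attacker guessing distinct codes uniformly at random
    hits a `digits`-long numeric passcode within `guess_budget` attempts.
    With 4 digits and 1 guess this is 1/10,000; with 6 digits, 1/1,000,000."""
    space = 10 ** digits
    return min(guess_budget, space) / space


class PasscodeGate:
    """Verifier that enforces a fixed guess limit, the mitigation the text relies on.

    After `max_attempts` consecutive failures the gate locks permanently,
    standing in for the "wipe after N failed attempts" setting on many devices.
    (Constructed for this example; not any real device's implementation.)
    """

    def __init__(self, passcode: str, max_attempts: int = 10) -> None:
        self._passcode = passcode.encode()
        self.max_attempts = max_attempts
        self.failed_attempts = 0
        self.wiped = False

    def try_unlock(self, candidate: str) -> bool:
        if self.wiped:
            return False  # locked out: no further guesses are evaluated
        # Constant-time comparison so the check does not leak how many
        # leading digits matched; differing lengths simply compare unequal.
        if hmac.compare_digest(self._passcode, candidate.encode()):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self.wiped = True
        return False


if __name__ == "__main__":
    for d in (4, 6):
        p = brute_force_success_probability(d, 10)
        print(f"{d}-digit code, 10 guesses: success probability {p:.1e}")
    gate = PasscodeGate("482913", max_attempts=10)  # constructed sample code
    print("wrong guess accepted?", gate.try_unlock("000000"))
    print("correct code accepted?", gate.try_unlock("482913"))
```

With a 10-guess budget the attacker's chance is 1 in 1,000 against a 4-digit code and 1 in 100,000 against a 6-digit one; the lockout is what keeps the budget that small.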