instagram envelope_alt facebook twitter search youtube_play whatsapp remove external_link loop2 arrow-down2

Connect: Is biometric authentication as secure as you think it is? Metro investigates the true cost of one-touch unlocking

DON’T you just hate passwords and pin codes? Yes, they’re important, but I can’t stand creating new ones and jumping through hoops to recover them when my brain inevitably fails me. The name of my first school’s road? The fifth letter of my cat’s maiden name? I have no idea. All I want to do is watch The Witcher and order a pizza in peace.

With that in mind, you can imagine my elation when fingerprint and face scanners first came along. Today, I can instantly unlock my devices and authenticate transactions using nothing but my face or digits. It’s convenient, fast and makes me feel like an MI6 agent, and I would quite happily have carried on unperturbed. But then cybersecurity and anti-virus firm Kaspersky set alarm bells ringing at a recent privacy-focused event…

Losing yourself

Your biometric data is unique. You’re the only person in the world with your specific fingerprints, face and eyes, and these physical traits are becoming more intertwined with your digital identity. Scanning a part of your body is faster and easier than using traditional passwords and millions of people around the world do so without a second thought — and that is precisely where the danger lies.

Smart move: Using an electronic card key for access is simple and effective

Passwords get hacked all the time. You’ve probably received more than a few emails from companies over the years notifying you of a data breach and advising you to change your password. It’s annoying, sure, but it only takes a few minutes to create a new one and ensure your account is secure again. Now imagine the same scenario with a hacked fingerprint database. What can you do? Zilch. You’ve only got one set of fingers. You can’t change them or upgrade them. Once they’re exposed there’s absolutely nothing you can do.

It sounds like scaremongering but it’s already happened. Last year, fingerprint, facial recognition, username and password data for more than one million people were found on Suprema’s publicly viewable database, BioStar 2. Their hacked database had been used by banks, defence contractors and even the Metropolitan Police.

While we’ve yet to see any major hacks affect iPhone and Android users, it’s only a matter of time. At a tech conference last year, a Chinese hacking team managed to unlock smartphones by simply taking a picture of people’s fingerprints left on a glass surface. In just 20 minutes, using equipment that cost £100, they were able to unlock audience members’ smartphones. Who knows what other nefarious solutions are in the pipeline?

Fighting back

While this all sounds bleak, there are a few things you can do to protect yourself, starting with changing the way you use tech.

‘The first step is to think about how you’re using biometrics and who is gathering your data,’ says Vladimir Dashchenko, vulnerability research team leader at Kaspersky. ‘There are some situations where you have no choice, like when you’re crossing a border or applying for a visa. But in other cases, like building access, try to choose another solution such as an NFC card instead. Always try and put another layer between the service and yourself.’

Nail it: Using an extra layer of protection is key

In other words, look for security solutions that don’t involve your biometric data. NFC cards are a simple, effective example. They use the same wireless smarts as Oyster and contactless bank cards. A simple tap is all it takes to open office doors and the cards themselves are easily replaceable. If you’re after a smart door lock for your home, consider an NFC version over a biometric one; you can still tap a card or even your phone or smartwatch against it to unlock it without unnecessarily risking the loss of your fingerprints. You can even give people temporary access remotely — handy for package deliveries or emergency cat sitters.

When it comes to unlocking your phone, things become even easier if you’re an Android user. Using Google’s Smart Lock function, your phone can remain always unlocked if it’s connected to a trusted Bluetooth device like your smartwatch or wireless headphones, or when it’s in a safe location, such as your home. Not only does this save you the hassle of unlocking it each time you want to use it but once you’re out of Bluetooth/GPS range, it will automatically lock itself to foil would-be thieves.

Old-fashioned passwords are also worth using instead of your fingerprints, especially if you use a password management app like Dashlane, which lets you easily store all your passwords in one handy place while also automatically logging you into all of your apps without any arduous typing. It’s admittedly not as fancy as scanning your fingerprints but it’s incredibly convenient, with the added bonus of letting you easily change your passwords if they’re somehow hacked. Short of some futuristic, Minority Report-style back-alley surgery, that’s something you’ll never be able to do with your fingertips.

The last ingredient is two-factor authentication, an extra layer of protection used to ensure the security of your online accounts even if someone is trying to access them with your username and password. Once it’s set up, you can only log into supported services such as Gmail, Amazon, Uber and more by inputting a randomly generated code that is displayed on your phone. It’s like someone opening your front door with a set of your keys before discovering a magical second door with a combination lock that changes every 30 seconds, which only you can use.

There’s a well-known saying that states locks only keep out the honest. If a thief wants to break in, they’ll find a way. My advice? All we can do is play things as safe as we can and become less convenient targets. Personally, I’m reverting to passwords and pin numbers.

Ringing the bio changes

It’s these concepts of creating a barrier between your physical and digital identity that paved the way for ‘the ring’, a conceptual piece of jewellery with its own unique built-in fingerprint which you can use to unlock devices instead of your actual fingers.

Designed by Kaspersky in collaboration with jeweller Benjamin Waye, the ring — which won’t be taken beyond prototype stage — is made from 3D-printed silver and set with a ‘biometric stone’ made of thousands of conductive fibres suspended in a rubber compound, complete with its own fingerprint. It combines the convenience of biometric security with the safety of staying anonymous.

Box of secrets: The Ring has its own unique in-built fingerprint

The ring has been designed purely to draw attention to the risks of using our most unique assets in such a carefree way. Says Marco Preuss of Kaspersky: ‘We want to encourage ideas like the ring, rather than simply looking at regular biometric and password solutions.’

Open sesame! Three infamous hacks

Five-finger discount

In 2014, a hacker managed to stun the security world by faking the fingerprints of German defence minister Ursula von der Leyen (pictured), with just a couple of high-resolution photographs. Using a PR photo released by her own office, as well as a photo he sneakily took himself, the hacker, Jan Krissler, managed to reverse engineer the minister’s fingerprints. It’s the sort of thing you’d scoff at in a James Bond movie for being too unrealistic yet it happened more than half a decade ago.

Say cheese

While iPhones use infrared sensors to capture a more accurate 3D model of your face, regular cameras used by other handsets are more easily fooled. This was demonstrated by YouTubers such as Unbox Therapy, who managed to unlock a Samsung Galaxy S10 simply by showing it a video of himself. A 2019 report by a Dutch consumer protection organisation also showed that 42 out of 110 Android devices from across various manufacturers were also fooled by a simple photo.

Windows to the soul

The Samsung Galaxy S8 made its debut sporting fancy iris-scanning tech with which users could unlock their with nothing but their eyes. It wasn’t long, however, before hackers in Germany managed to fool it with a fake eye. Using nothing but a printed shot of someone’s eye and a contact lens, they were able to demonstrate just how quickly and easily the iris scanner could be tricked. Not the easiest and most practical hack, granted, but its simplicity and low-tech requirements raised brows.