Biometrics: Swapping Privacy for Sort-of Security

New research is out that predicts that retinal scans, behavioral authentication (i.e., are you acting like you?), fingerprint scanners and other biometrics are poised to make passwords forever obsolete, as we are swept into a Mission Impossible-like world of awesomeness in security. But we at the Slack desk would argue that given the fact that biometrics aren’t quite ready for prime-time, privacy concerns are bound to plague the sector.

A wave of capital and new technology centered on biometrics, physiological and behavioral authentication is quickly making the world of PINs and passwords a thing of the past, BBVA Compass economists argue in a new report.

Biometric measures use DNA, fingerprints, eye retinas and irises, voice recognition, facial patterns, vein patterns and hand measurements to authenticate and verify people's identities. The advanced technology has already been quickly adopted by smartphone users—Apple's iPhone uses fingerprint device recognition—and it could soon revolutionize banking, the economists write in the report.

"Biometric authentication is growing at a fast pace and shows great potential to protect individual data and enhance customer experience, particularly in the banking industry," said BBVA Compass chief economist Nathaniel Karp. "Biometrics in banking is most popular in developing economies in Asia, such as India and Indonesia; the Americas rank second."

The report also points out that biometrics offer plenty of benefits beyond strengthening proof-of-identity and enhancing fraud detection.

"As biometrically-enabled devices become standard, critical industries such as banking will be able to offer better customer experience, faster processing times, lower costs and facilitate a multi-channel environment across industries in a seamless fashion," said Karp.

But will users really embrace this? BBVA—surprise!—is quite bullish. It said that the global biometrics technology market in the financial sector alone could reach into the billions by 2020. The. Billions.

This includes biometric sensors, biometric app downloads, direct purchase and software development fees and authentication fees from biometrically secured payment and non-payment transactions.

The mainstreaming of fingerprint authentication bears this out to a certain extent—Apple’s inclusion of that technology in more recent iPhones is one example of how quickly something can become standard given the right marketing and savvy rollout strategy. But can we really envision a time when a full-body scan that maps out the veins inside your skin is considered the norm when, say, opening up a new checking account?

It would seem that privacy concerns alone should hamper the market for more advanced biometrics. The question becomes, how much personal biological information do we want to share with our financial institutions, our employers and our service providers? And where does it stop—vein mapping may be okay for some, but how about on-the-spot DNA testing?

“Uncertainty about biometric authentication's ability to guarantee the protection of personal information is common, but a recent survey found that one in five members of generations X and Y would be willing to share their DNA to help secure financial and personal information,” BBVA noted.

So, 20% are willing to let it all hang out, physical info-wise. That’s a far cry from a majority.

Also, whether or not privacy concerns will trump the sheer convenience of biometrics remains to be seen—after all, a world where one doesn’t have to remember rotating, 21-digit mixes of letters, numbers and characters in order to stay safe sounds pretty good. There’s a soma-like effect in that iPhone fingerprint sensor—it’s so… easy. One wants it to stay that way forever and ever and ever…

But, don’t let complacency get in the way of reality. Fingerprint scanners have been shown to be easily cracked with some wood glue and a water glass, by the way, as Paul Rudd’s character so efficiently demonstrates in Ant-Man. And, other biometrics have been shown to be hackable as well—facial recognition can be easily tricked by animated gifs, for instance. Given where the technology is today, this slacker would argue that at best, biometrics should be a part of a multi-layered authentication approach.

Given where things are for now, would you give up physical information for a stratagem that can’t be considered trusted computing in and of itself?
