Biometric Authentication vs Passwords: Why Passwords Protect Your Privacy Better
In this article, a leading security expert discusses the pros and cons of biometric authentication compared to passwords.
There’s been a lot of talk around passwords getting replaced by biometric authentication. While you might think that biometrics are as private as it gets, the latest research by NordPass suggests that this is not exactly the case. As it turns out, the government can obtain your biometric data without your agreement. In comparison, they can’t have your password if you haven’t agreed to it.
The Increasing Trend of Banning Facial Recognition
In September, Portland passed the broadest facial recognition ban in the US. The use of this technology was banned for city departments, including local police, as well as public businesses, such as stores, restaurants, and hotels.
Portland joined the growing number of places in the US that have outlawed the use of surveillance technology, including San Francisco, Oakland, and Boston.
NordPass’ legal team has looked into the laws of several countries and discovered that, in the US, a person is entitled to refuse to give up their passcode to the police. This is based on the Fifth Amendment, which states that each person has the right against self-incrimination.
Even if the police have a warrant, they can’t compel the person to reveal their password. By giving up the passcode, the person would be acting as a witness against themselves, which is inconsistent with the Fifth Amendment.
Things are different when it comes to biometric data. While passcodes are considered testimonial, biometrics exist objectively and are comparable to giving a DNA or blood sample. So, if the police have a warrant, they can use a person’s biological data to unlock their phone.
Outside the US, there is no international consensus on what each security measure protects people from. Canada and Norway have a similar stance to that of the US — a person can be compelled to perform biometric authentication but can’t be forced to tell their passcode.
In the UK and Australia, however, it doesn’t matter whether you use biometric authentication or a passcode, as the authorities can force you to give out both. Failure to comply can lead to prison time. In 2018, a murder suspect was sentenced to 14 months in jail for not providing his Facebook password.
Can Biometrics Be Cracked?
In most cases, biometrics — fingerprints, face, iris, voice, heartbeat, etc. — are safer than passwords, as they’re a lot more challenging to crack than alphanumeric codes. However, they are not infallible. For example, Face ID has been bypassed using a 3D-printed mask. And back in 2014, a hacker recreated a fingerprint of Ursula von der Leyen, the current president of the European Commission, using pictures taken with a standard photo camera.
If a password gets compromised, the user can simply change it. Biometrics, on the other hand, are inherent biological data that can’t be changed. And if hackers can crack biometric passwords from publicly available photos using commercially available tech, the implications of this are scary.
“This is not to say that people should stop using biometric authentication altogether. Currently, there aren’t that many instances where your biometrics can be misused. However, as it gains popularity, the ramifications of biological data theft get more alarming. For now, it’s better to think about it as a tool of convenience rather than a security measure. It’s a good idea to set up 2FA and use both passwords and biometrics,” says Chad Hammond, security expert at NordPass.