Biometric Security

The Basics:

Reasonable people will disagree with us on this, and that is ok; we argued internally about the stance we should take and finally agreed on a caveated endorsement. For normal people who don’t regularly access sensitive or confidential data, biometric security is an excellent strategy to guard against script kiddies and device thieves. This is because, as of this posting, biometric security is hard to fool: the scanners are no longer simply trying to match the pattern of your fingerprints or irises, they also check for body heat and blood flow to confirm that the human trying to access the device is alive.

This endorsement is conditional because of the unlikely, but possible, circumstance in which a determined hacker wants to beat your biometric security. For those with the right motivation and resources, lifting a fingerprint and using it to unlock your device is child’s play. That’s not to say that you should never use biometric security if you access sensitive information, but if you do, we insist that you use a defense in depth strategy, such as locking your most important data on your device behind a separate password so that it cannot be accessed with your stolen fingerprint or retina.

Another drawback to biometric security that deserves more consideration is the finality of getting your biometrics stolen: if your biometric data gets stolen or leaked, you cannot change it after the fact. When your password gets leaked in a data breach, which happens to all of us no matter how cybersecurity conscious you are, you can simply change your password for that site and never use the leaked one again. You can’t do that with biometric security; if your Face ID gets compromised you cannot replace your face. At best, if your thumbprint is compromised you likely have 9 other fingers to choose from, and probably 10 toes too if you decide to get weird with it.

Our Recommendation:

Use biometrics, but be smart about it. Utilize a defense in depth strategy that layers your biometrics with passwords and hardware keys. Never assume that because a password or device is unique to you it cannot be stolen and used against you, and above all stay paranoid.
