Security & Privacy: Your Fingerprint isn’t your Password – and neither is your face or iris
Security and Privacy are two vitally important components of any successful society. Today’s connected world, where we carry computers in our pockets and share all our details on social networks, makes them even more so.
So far in this series, we’ve talked about encrypting your Internet traffic using a VPN, how to avoid getting infected by malware, how to physically secure your phone, how to encrypt your communications, and more.
By now most of us know how important passwords are. To recap:
- We shouldn’t be reusing passwords across websites. When one site is compromised, if you’ve used the same password on other sites, your accounts on those sites can be compromised, too.
- We shouldn’t be using short passwords. Passwords shorter than a dozen characters (some would argue shorter than 16) are vulnerable to brute-force attacks.
- We shouldn’t be using simple passwords. Passwords should contain a combination of uppercase and lowercase letters, numbers, and symbols.
- We shouldn’t be using passwords that are easy to guess. Names of family members, important dates, names of pets, and similar information shouldn’t be used in passwords.
- We shouldn’t be using passwords that are found in the dictionary. Believe it or not, there aren’t that many words in the dictionary. Running through all of them takes surprisingly little time when you consider how much computing power modern computers have at their disposal.
- And more…
If all of that sounds complicated, you’re not wrong!
To make things easier for us (and potentially for criminals) we use password managers (like LastPass, KeePassX, and the one which your web browser has built in). The downside to this is that they are only as secure as (1) the password which protects them, and (2) the password which protects the device on which they’re used – your phone, tablet, or even your computer.
In addition to these traditional password managers, you may have your wallet (Apple Pay, Android Pay, or Samsung Pay; Coinbase, Google Wallet, Square, PayPal; and even your banking app) set up on your phone – meaning if you don’t secure your device, you’re putting real money at risk.
To make things easier for us (I think I see a pattern developing here), OEMs have started building ways for us to confirm our identity into the hardware itself. Whether it’s face recognition, iris scanning, or a fingerprint reader, each of them attempts to scan something which should be personally identifiable and at all times within our control (assuming we haven’t had an eye or finger removed).
But identity isn’t a password – and that’s an important distinction.
When I show someone my driver’s license or Tribal ID card, I’m providing proof of who I am. I am not paying a bill. I am not buying a soda. I am not unlocking a door. I am not doing anything more than proving who I am. Somewhere along the line, this analogy got confused, and along with it, our security got compromised.
Yes, there are those who will say we’re more secure than we were before. If “before” was when we didn’t use passwords or PINs to secure our devices, you’re probably right. If, however, you had a PIN, password, or even a pattern on your device before, and now unlock it with your finger, face, or iris, I’d argue that you’re now less secure than you were before.
To illustrate the point, imagine you’re coming home from vacation and customs (or some other law enforcement or intelligence agency) wants to “inspect” your device. Hopefully, you took the advice we recommended in an earlier article and turned your device OFF before you found yourself in this situation. (After being powered back on, most modern devices require you to enter your PIN or password before they will accept a fingerprint, iris, face, or voice, even if you’ve set one of those up.) If you haven’t followed our advice, and you don’t want the agent to access your device without first obtaining a warrant, all they have to do is hold the device up to your face or press your finger against the scanner, and they have access.
Sure, some of you are going to argue that same, tired line: “if you have nothing to hide, you have nothing to fear”. For those of you who continue to support this logical fallacy, replace that government agent with a mugger, someone who has taken you hostage, or any manner of other criminals. Do you still feel safe?
Regardless of whether or not you’re one of the “paranoid” people who doesn’t want others snooping in their personal effects, your fingerprint, iris, face, or voice isn’t your password, and you’d be wise not to treat it as such.