Second opinion: Tired of memorizing so many passwords? Too bad: the alternatives are not necessarily better

To live a secure digital life, we rely on passwords: an average of 100 per person. Fernando Corbató called it a “kind of nightmare.” The MIT professor would know; he is credited with inventing the password.

A collection of global business leaders calling themselves the FIDO Alliance, so named for “Fast IDentity Online”, wants to abandon this standard. Alliance members Google, Apple and Microsoft doubled down this month on their commitment to a world without passwords, suggesting that users switch to “a simple fingerprint or face verification”, in other words biometrics.

Biometrics is the measurement of unique physical characteristics, including iris scans and voice patterns, that can identify individuals. Logging in through facial or fingerprint recognition saves us from remembering yet another password and can reduce the risk of hacking and phishing, in which online attackers trick users into handing over their passwords. These cybercrimes can cost Americans millions and spread their login credentials widely.

Is biometrics the answer? Many companies and government agencies think so. These systems are not yet mandatory; Google, Apple and Microsoft’s passwordless approach also includes using device PINs, like the code you enter to unlock your iPhone, as an alternative to a password, alongside verifying fingerprints and faces. But we are already seeing a disturbing shift toward biometrics becoming the norm.

Microsoft’s Windows Hello biometrics program uses FIDO authentication technology to let users log into devices with a fingerprint, iris scan or facial recognition. It had nearly 300 million monthly users by the end of 2020. In 2018, Delta Airlines launched the nation’s first biometric terminal in Atlanta, in cooperation with US Customs and Border Protection and the Transportation Security Administration. Passengers who opt for biometrics pre-register their photo credentials and have their facial features read so they don’t have to show ID at multiple TSA checkpoints. Major airports in Atlanta and beyond are partnering with Clear, a private-sector service, to provide this capability. Many Major League Baseball teams use Clear’s biometric technology in their stadiums so that spectators can pass quickly through security checkpoints.

A large part of the public is buying the biometric security sales pitch, with nearly two-thirds of Americans reporting in a 2020 survey that they believe facial recognition software makes us safer.

But optimistic dreams of a passwordless future minimize the weaknesses of biometrics.

Yes, biometrics is more reliable for verifying user identities than lower-tech options such as passwords, PINs or answers to personal questions, which often require tools to remember or keep track of them. Biometric traits are harder to copy than these kinds of credentials. They also usually, though not always, require the physical presence of the person to authenticate. Under the FIDO protocol, biometric data is supposed to be stored only on a particular device, like your phone, and never on a server.

With the FIDO system, you can use a biometric or a master PIN to log in, via software, to individual websites, for example for online shopping, as long as those sites support FIDO technology. FIDO’s long-term vision is to create a centralized credential manager that can sync across different sites and platforms, ultimately killing the password.
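The two paragraphs above describe the key property of the FIDO design: the biometric template stays on the device, and the website only ever holds a public key that it uses to check a signature over a fresh challenge. The following is an added Python model of that flow; it is not FIDO Alliance code and it uses a toy RSA key with fixed primes (an assumption made for illustration) in place of the real keys a certified authenticator generates on-device. The feature vectors, site name and user names are constructed for the example.

```python
"""Toy model of FIDO-style passwordless login (added illustration, not FIDO code).

The biometric template and the private key never leave the 'authenticator'
(your phone). The relying party (the website) stores only a public key and
checks a signature over a single-use challenge. Toy RSA with fixed primes
stands in for the real keys a certified authenticator generates on-device.
"""
import hashlib
import secrets

# Fixed Mersenne primes for the toy key (constructed; never do this in production).
_P, _Q = (1 << 61) - 1, (1 << 31) - 1
_E = 65537


def _make_keypair():
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)          # Python 3.8+: modular inverse of e mod phi
    return (n, _E), (n, d)


def _digest(rp_id: str, challenge: bytes, n: int) -> int:
    # Bind the signature to both the site and this challenge.
    h = hashlib.sha256(rp_id.encode() + challenge).digest()
    return int.from_bytes(h, "big") % n


class Authenticator:
    """Device side: holds the biometric template and one private key per site."""

    def __init__(self, template, max_distance=3):
        self.template = template            # feature vector from the enrolment scan
        self.max_distance = max_distance    # tolerance for sensor noise
        self._keys = {}                     # rp_id -> private key (never exported)

    def _biometric_match(self, sample) -> bool:
        distance = sum(abs(a - b) for a, b in zip(self.template, sample))
        return distance <= self.max_distance

    def register(self, rp_id: str):
        pub, priv = _make_keypair()
        self._keys[rp_id] = priv
        return pub                          # only the public key goes to the site

    def authenticate(self, rp_id: str, challenge: bytes, sample):
        # The biometric check happens locally; a mismatch yields no signature at all.
        if not self._biometric_match(sample):
            return None
        n, d = self._keys[rp_id]
        return pow(_digest(rp_id, challenge, n), d, n)


class RelyingParty:
    """Server side: stores public keys only and issues single-use challenges."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._users = {}                    # username -> public key
        self._pending = set()               # outstanding challenges

    def register(self, username: str, public_key):
        self._users[username] = public_key

    def begin_login(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def finish_login(self, username: str, challenge: bytes, signature) -> bool:
        if signature is None or challenge not in self._pending:
            return False
        self._pending.discard(challenge)    # each challenge is accepted once (no replay)
        n, e = self._users[username]
        return pow(signature, e, n) == _digest(self.rp_id, challenge, n)


def demo_login(sample) -> bool:
    """Run one registration plus login with the given presented sample."""
    template = (12, 40, 7, 33, 58, 21, 9, 44)    # constructed enrolled features
    phone = Authenticator(template)
    shop = RelyingParty("shop.example")
    shop.register("alice", phone.register("shop.example"))
    challenge = shop.begin_login()
    signature = phone.authenticate("shop.example", challenge, sample)
    return shop.finish_login("alice", challenge, signature)


if __name__ == "__main__":
    print("noisy rescan of the real user:", demo_login((12, 41, 7, 33, 58, 21, 9, 44)))
    print("different person:", demo_login((50, 41, 7, 33, 58, 21, 9, 44)))
```

Note what the relying party ends up holding: a public key and nothing else, so a breach of its database yields neither a password nor a fingerprint. The replay protection comes from the single-use challenge, not from the biometric.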

But the biometrics touted to advance that vision create their own risks. They can produce false positives, accepting an image that does not come from the genuine individual, and false negatives, failing to recognize the real person when they are present. Replicas can sometimes fool a biometric sensor. Some identifiers are susceptible to deepfakes, like the digital clones of people’s voices used in fraud. And unlike passwords or tokens, compromised biometric data is difficult to reset. You can’t easily change your voice, face or fingerprints.

Biometric databases have already been hacked. In 2019, a breach of biometric data managed by a security company exposed the data of one million people whose companies used fingerprints and facial recognition to control access to offices and other facilities. Nationally, more than 110 lawsuits involving the confidentiality of biometric data were filed in the first quarter of 2022.

Discrimination is also likely to taint these protocols. Some people may refuse to use biometrics because it violates their religious, cultural or personal values, or because of their physical abilities, whether by exposing parts of their body, photographing them or requiring physical contact. Not registering with these systems can prevent people from getting certain jobs, accessing healthcare, or traveling freely on public transport or in their own vehicle.

Perhaps less immediately apparent, biometric identification also expands the potential scope of government surveillance. Law enforcement use of facial recognition software is already growing and has amassed huge databases. Consider the US Border Patrol’s collaboration on facial screening at airports: more biometrics will create more data that can be checked by authorities, who have unregulated access to facial recognition technology.

To mitigate the risks of hacking and surveillance, the public should push lawmakers to quickly enact biometric privacy laws at the state and federal levels. As a model, we should look to Illinois. The state’s privacy laws restricting businesses’ use of biometrics are the strongest in the country, notes a bill introduced in the California Legislature this year. While Texas and Washington have similar laws, Illinois’ penalties are particularly heavy: after a 2020 decision in federal court, employers there can be held liable for more than $1,000 per day, per employee, for each day that biometric information was improperly collected, stored or used. Illinois law has also been used to bring a lawsuit against Apple over its facial recognition technology. (Apple stores the facial data that unlocks phones on the devices themselves and uses facial recognition in its camera software.)

Federal and state regulatory standards need to catch up on how businesses may use voice technology, fingerprints and facial recognition. The private sector’s ability to collect and use biometric data is largely unregulated.

Although they may seem like a step out of our password maze, these systems invite new threats. The risk inherent in a free-for-all biometric world is not easily undone.

Heidi Boghosian is a lawyer and the author of “‘I Have Nothing to Hide’ and 20 Other Surveillance & Privacy Myths”.