Should You Use Biometric Locks on Your Devices?
I considered buying a fingerprint-based door lock the other week. It was not cloud-connected or “smart” or anything like that, and ultimately I decided $200 was a bit too much to spend on a whim, but I did stare at it and read the box for quite some time. When I told this to various friends and family, they all seemed floored that I even considered an electronic lock. Truthfully, I know how to pick locks so I’m painfully aware of how grossly insecure my traditional cylinder lock is. I’ve spent many hours pondering the better solution with the appropriate balance of risk and reward.
The fact is that just like cylinder locks, our common digital locks (aka passwords) suck. They’re hard to remember. If you can remember them, they're too weak. If you can't, you're placing your trust in a password manager to not get hacked or corrupted. Furthermore, they have no real guarantee of safety. My significant other can log into this account and post a blog just as easily as I can, provided she has my password and any multifactor devices. As such, many cybersecurity experts actually recommend biometric locks like fingerprint, face scan, or retina scan instead. There’s a reason they were so popular back in 90’s spy movies. And honestly, that's not wrong. But there’s also a myriad of studies and evidence out there to prove that they’re not without risk, either. So this week I thought this might be a good topic to tackle.
What’s A Biometric Lock?
For those who haven’t figured it out based on context clues, a biometric lock is a lock that only opens when it confirms your biological identity: fingerprint, face scan, and iris being some of the most common. Almost all modern phones come with the capability.
On its face (no pun intended), a biometric lock is unarguably more secure. A social engineer can guess my password or security questions (unless you’re using the techniques I recommend on my website) and similarly, an attacker can steal my password and decrypt it using rainbow tables and brute forcing. But the odds that a malicious hacker or social engineer can chop off my finger or somehow copy my fingerprint? Sure, it’s possible. Again, I reference the 90’s spy movies. But that’s relatively advanced stuff – even by today's standards – and honestly this comes down to threat model. I’ve said before that this website is not designed for the hardcore Snowden-level whistleblower who needs to disappear. It’s for the average person who just wants to regain some privacy and security. The odds that anyone is going to go through those kinds of hoops to get their hands on your biometric identity is almost nonexistant. Having said that, I encourage you to ask yourself what the odds of that are. Even if you’re not a journalist, you might have a really driven stalker who would go to some pretty extreme lengths.
Not All Biometrics Are Equal
Despite what I said just a moment ago, not all biometrics are equal when it comes to how well they can protect you. I’m not even talking about click-baity articles that talk about how the iPhone can be unlocked in less than two minutes (]by pointing it at the sleeping owner’s face](https://www.forbes.com/sites/daveywinder/2019/08/10/apples-iphone-faceid-hacked-in-less-than-120-seconds/)). It’s important to note that literally everything is hackable and finding out that any system can be hacked by using twelve Androids, a home-cooked app, and direct access to a user’s device is kind of a no-brainer. It’s a real-life version of the infinite monkey theorem (except much more likely). Anybody with sufficient time and resources can hack anything.
No, I’m not talking about theoretical hacks and advanced exploits. I’m talking about actual, legitimate threats that could be posed to the average user. Consider this story about a woman who unlocked her husband’s phone while he was sleeping via his fingerprint scan and discovered he was cheating. Or this clip from sitcom Brooklyn Nine-Nine where one character unlocks another’s phone simply by pointing the camera at her face. Now it should go without saying that I’m neither endorsing nor encouraging cheating or any kind of illegal or unethical activity. But suppose my partner unlocks my phone while I’m napping and sees what I’m getting her for Christmas? There’s plenty of valid, legal reasons for you to want to control who has access to your device. If you’re a parent and you have small children, do you want just anyone to be able to pick up your phone and look through it at pictures of your kids or texts with them? I understand that in an ideal world, you would maintain positive control of your device but that’s not always possible. People make mistakes, get wrapped up and leave things laying around on their desks while they run to the bathroom. I leave my phone plugged in to charge overnight in another room. Or even at work sometimes I'll leave it plugged in while I work in another spot far away from an outlet.
So Should You Use Biometrics?
This as a question I’ve wrestled with for a while now. The answer is I don’t know. First off, it depends on your threat model. I think my threat model is very low. I don’t think anyone will go out of their way to lift my fingerprint and make a rubber copy. On the other hand, I am politically active and I wouldn’t feel comfortable with face lock because I know that if I ever got detained a cop could simply flash the phone at my face to unlock it. So personally, I’m comfortable with fingerprint lock but facial ID. But then there’s the question of who has access to my biometrics and what are they doing with it? I use an iPhone. Apple claims they never have a copy of my fingerprint and that what they store is simply a digital signature – sort of like a password hash. However Apple has also claimed that they don’t have humans listen to Siri recordings, which turned out to be a lie, so I don’t know how much I trust them. Would I use biometrics like fingerprint on an air-gapped machine like the lock I mentioned earlier or a laptop I use for backups? Probably.
I wish I could give a more concrete answer. Usually I can at least say “here’s what I’d do, but you do you.” In this case, I don’t think that applies. There’s just too many variables. But so many people in the privacy community are opposed to biometrics (and often for good reason) that I wanted to discuss them in a more in-depth fashion. As with almost all technology, biometric identification isn’t bad. Who uses it, how, and what they do with the data can be. No matter what protection you go with for your devices – be it password, PIN, or biometric lock – make sure that you’ve done your research. Know the shortcomings both technologically, practically, and legally. Know what the risks and benefits are, know the company and how it’s supported, and most importantly make sure it’s secure. Fingerprint is unarguably more secure than a phone PIN of “0000.” But a 16-character alphanumeric passphrase might be more secure than a face print if you’re a celebrity. As with many things I discuss, there is no one size fits all, only education so you can decide what size you need.