Don't overdo biometrics, expert warns
"Today, many of the major banks are using biometrics to log into your accounts on your mobile devices," said Protegrity CEO Suni Munshani.
As biometric access replaces passwords it adds convenience for users. But many companies are deploying the technology too casually, he said.
"Biometrics should be used in a far more cautious manner," he said.
According to Gartner, 40 percent of smartphones will have biometric sensors by 2016.
Meanwhile, FireEye researchers Tao Wei and Yulong Zhang demonstrated the ability to harvest fingerprints on a large scale from some mobile devices at the Black Hat conference this summer.
"Not all the vendors store the fingerprints securely," wrote Wei and Zhang in their report. "While some vendors claimed that they store users' fingerprints encrypted in a system partition, they put users’ fingerprints in plaintext and in a world-readable place by mistake."
FireEye researchers Tao Wei and Yulong Zhang
For example, HTC One Max stored fingerprints in a readable image file that any unprivileged process or app could access.
If the biometric scans are also stored elsewhere, the risks multiply.
And the dangers are not just theoretical. Late last month, the Office of Personnel Management admitted that 5.6 million fingerprints had been stolen from its servers -- not just 1.1 million as had been reported over the summer.
Some of these fingerprints belonged to federal employees with secret clearances.
Meanwhile, if a password is stolen, it is relatively simple to reset it with a different one. It is currently not practical, however, to provide users with new fingerprints, voices, or eyeballs.
That puts biometrics in the same category of data as other permanent personal identifiers, such as Social Security numbers. Since they can retain their value for years -- and will only become more valuable as the use of biometrics expands -- they are likely to become prime targets for hackers.
According to Munshani, a better use of biometrics is to save it for second-level controls.
"The data is unique, one-off, and must not be used in the ways that passwords are used for access management," he said. "It should be used for authorization instead of authentication."
For example, biometrics can be used to confirm password or address changes, or payments to new vendors, or to allow access to particularly sensitive corporate systems.
"Biometric data needs to have a much higher level of urgency associated with it," he said. "There is no doubt in my mind about it."