Stolen thumbprints. Contact lenses that replicate someone else’s retina. Travolta and Cage exchanging faces.
From Alien Resurrection to Zombieland, movies have been leaning on the Borrowed Biometric Bypass trope since long before the first ordinary person unlocked an iPhone just by looking at it. With so many memorable examples of Face ID-like security getting foiled, it’s no wonder some folks think twice before opting to sign in with their face or fingerprint.
But as someone who’s read the technical specs for biometric-friendly authentication standards like FIDO2, I’m here to tell you that the book is way better – or at least more secure – than what you see in the movies.
How can Face ID be more secure than passwords?
When someone logs into your site with Face ID or Touch ID, they’re simultaneously presenting two pieces of evidence to prove their identity: something they have (their device, which holds a private key created for your site) and something they are (the face or fingerprint that unlocks that key). Your site never sees the face. It sees a signature that could only have been produced by that device after a successful biometric match.
It’s like getting two things for the price of one. By simply touching or holding up their device, the customer meets the definition of a multi-factor cryptographic authenticator in NIST SP 800-63B, the standard most people mean when they say “NIST MFA”. But that’s not all. There’s a whole bunch of other reasons that it’s a more secure way to sign in:
- The customer’s biometric data is stored locally on their device, and it’s a mathematical template derived from the face or fingerprint, not an image. Smartphone manufacturers don’t keep a centralized database of faces or fingerprints, and your site never receives the template either. So unlike passwords, there’s no high-value treasure trove of credentials for bad actors to hack, steal, and sell or post on the dark web.
- Identical twins notwithstanding, an individual customer can’t share their face or fingerprint, and they can’t be talked into reading it out to a “support agent” either, which blunts social engineering. Credential stuffing fails for a different reason: the only thing your server holds is a public key that is unique to your site, so nothing leaked from someone else’s breach can be replayed against you.
- A customer also can’t lose or forget their face or (barring tragic accidents) their fingerprint. Adopting a passwordless flow based on biometrics can help protect your customers from account takeover (ATO) schemes that manipulate password recovery flows, as long as your own recovery path doesn’t quietly fall back to a weaker factor such as an emailed link.
- Since customers also can’t change their fingerprint or face (unless they’re in a John Woo film), there’s no “change password” workflow for an attacker to abuse. If a device is lost, the customer enrolls a new one and you revoke the old public key; nobody has to pick, remember, or confirm a new secret.
What about passwords plus one-time codes?
Using one-time codes is a solid approach. It’s easy for customers and more secure than a password alone. But Face ID and Touch ID are better.
You see, a determined attacker can still get a one-time code out of an unsuspecting victim: a lookalike login page relays the code to the real site in real time, a SIM swap redirects the SMS, and malware installed through a phishing link can read the code off the device. A FIDO2 credential is bound to your site’s origin, so a lookalike site never gets a response it can use, and there is no code for the customer to be tricked into typing.
Why can’t you steal biometrics?
The reason password breaches are so common isn’t because they’re easy to do. They happen so often because the target – thousands of passwords or more – is worth the attacker’s effort.
That’s not the case with mobile device-based biometrics. Since everyone’s biometric template is stored individually on their device, there’s no central vault lined with stacks of harvested faces or fingerprints. In short, if you’re an evil doer, breaking into one phone yields at most one customer’s template, and the effort probably isn’t worth the “reward.”
In addition, biometrics aren’t sent over the internet when you use Face ID or Touch ID, so there’s nothing for an attacker to intercept on the wire. The biometric matching happens on the individual device, and the template remains in a secure enclave (or the equivalent hardware-isolated area on other phones) that the main operating system can’t read out. Even if you’ve rooted the device, you’re going to have a really tough time trying to extract it.
Getting a bit deeper into the tech, a FIDO2-based sign-in never uses the customer’s biometric data directly. When they enroll, the device creates a public/private key pair just for your site and sends you only the public key. When they sign in, your server sends a random challenge; the biometric match unlocks the private key, and the device returns a signature over that challenge together with the web origin the browser observed. Because the key pair is scoped to your site’s domain, it is useless on any other website, and because the challenge is fresh every time, a captured response can’t be replayed.
It doesn’t get much more secure than that.
Can you fool Face ID?
You can try, but it’s way harder than you think (sorry, movie fans).
On most devices, Face ID and Touch ID incorporate strong anti-spoofing measures. Face ID, for instance, projects an infrared dot pattern to build a 3D depth map of the face and performs liveness checks such as confirming the eyes are open and looking at the device, so a flat image lacks the depth and the attention cues the sensor expects.
Photos, videos and deepfakes played on a screen are all flat, so they don’t pass. Masks are a higher bar, and no liveness check is perfect, but the practical point is that a spoof has to be performed in person, against the customer’s own device, one account at a time. It doesn’t scale the way a stolen password dump does.
What are the limits of Face ID and Touch ID?
For all their sophistication, biometrics aren’t perfect. For example, Touch ID will accept fingerprints that aren’t precisely centered on the sensor, but it doesn’t work for customers who wear surgical gloves. Similarly, Face ID adapts well to makeup and eyeglasses and pandemic-driven enhancements can even accommodate face masks, but if you’ve ever had to enter a passcode because your phone didn’t recognize your squinty morning face…well, you’re not alone.
Another historical limitation is that the credential, meaning the key pair, couldn’t leave the device it was created on (the biometric itself never moves in any case). “Multi-device FIDO credentials” (aka passkeys) solve this by syncing the key pair through the platform’s credential manager, and the FIDO cross-device flow lets a phone sign you in on a nearby computer by scanning a QR code. But until those are widely supported, the customer with an Android phone and a Mac may have to establish two sets of credentials, one per ecosystem.
And of course, there are always edge cases. Some people – including perhaps some of your customers – have physical characteristics for which algorithms haven’t yet been extended.
3 tips for implementing biometric authentication
If you’re a customer, seizing the security advantages of biometrics is as easy as using the tech built into your device. It’s vastly more secure than passwords and it’s only gonna get easier when passkey technology becomes prevalent.
If you’re running a website or an app and you’re rolling biometric authentication out to your customers, there are a few things you can do to make it smoother, starting with these three tips:
- Don’t force customers to adopt
Even customers who trust biometrics may be on a shared computer, on a device without a usable sensor, or have some other reason for not using it on certain devices. Set up your customer identity and access management (CIAM) solution to detect the customer’s device (in a browser, PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() tells you whether a Face/Touch ID-style authenticator is present) and invite them to opt for Face/Touch ID at appropriate points in the journey, rather than making it the only door.
- Know your regulations
Gaming, utilities, and other industries may be subject to regulations that restrict or preclude the use of biometric authentication. Until the regs catch up with the technology, your brand may not be able to take full advantage of the enhanced security of Face/Touch ID. One point worth raising with counsel: with FIDO2 your site never collects or stores biometric data, only a public key, which can matter under laws written around biometric collection and retention.
- Streamline customer migrations with OIDC protocols
Obviously, a brand new site or app that has all new users is the simplest implementation. You can build in biometrics from the start and just bask in the smiles of your marketing and security teams. But that scenario is pretty rare.
If you’re like most brands, you’ll need to migrate existing users to biometric authentication. Fortunately, modern CIAM systems have built-in orchestration capabilities that make this easier. Using orchestration, when a customer signs in with their password on a Face/Touch ID-enabled device, you can prompt them to enroll a passkey right then, and let the passkey take over on later visits while the password stays as a fallback until they no longer need it.
The best of both worlds
In our business, biometrics are the rarest kind of technology – one that delivers the best security AND the best, most elegant user experience. By tying authentication to something that can’t be phished, reused across sites, forgotten, or left on a sticky note, you get security that’s hard to beat – all with just a glance or a touch.
(And if you wanna trade spy movie recommendations, we’re down for that, too.)