
Is biometry a safe alternative for passwords?

We see more and more articles about hackers running rampant and stealing important data: passwords, account information and more. Naturally, people ask how this can be prevented. Biometry is a rather popular answer to this question, but every article ends with the same questions: "But is it good enough? What happens if our biometric samples are stolen? They last a lifetime!" and so on. This blog article aims to clear things up a little, because while these questions are valid and good, they rarely get a satisfying answer.

What are the possible solutions?

We could use biometry to log into our devices, accounts or wherever a password is needed. This is very convenient, because we can use, for example, the same finger for everything, eliminating the need for hard-to-guess passwords and a different password for every place (which is how passwords would be used in an ideal world). With mobile-based fingerprint scanners, people are getting used to biometry, so the solution is good in this respect. We will look at how safe it is in the next chapter.

For both mobile devices and PC attachments (whether built in or a form of USB extension), there are generally two ways to solve the problem. The first is to store the biometric sample in the device, perform the verification locally and then send the authorisation through a secured, encrypted channel to the distant servers. The other is to send the encoded biometric sample to the distant server, where the verification is performed. With properly secured and encrypted channels, the chance of external, negative influence is minimal. In the first case, proper session implementation is required to render any sent data one-time only, and therefore safe. In the second case, if the sent code is stolen, it will only be good for one particular system, as every biometric system has different algorithms for template generation and decryption. But this is not the main reason why biometry can be the successor to passwords.
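The first approach (local match, then a one-time authorisation) can be sketched as follows; this is an added example, not code from the original article. The device signs a fresh server challenge only after a local match, and the server consumes each challenge so that a captured message cannot be reused. The shared HMAC key, the class names and the `match_fn` stand-in for the biometric matcher are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)

def sign(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Server:
    """Relying server: sees a signed assertion, never the biometric sample."""
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> key enrolled with the device
        self.pending = {}               # nonce -> (device_id, expiry time)

    def new_challenge(self, device_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (device_id, now + CHALLENGE_TTL)
        return nonce

    def verify(self, device_id, nonce, tag, now=None):
        now = time.time() if now is None else now
        # pop() consumes the challenge, so a captured assertion cannot be replayed
        entry = self.pending.pop(nonce, None)
        key = self.device_keys.get(device_id)
        if entry is None or key is None or entry[0] != device_id or now > entry[1]:
            return False
        return hmac.compare_digest(sign(key, nonce), tag)

class Device:
    """Keeps template and key locally; signs only after a local match."""
    def __init__(self, key, match_fn):
        self.key, self.match_fn = key, match_fn  # match_fn: stand-in matcher

    def assert_user(self, sample, nonce):
        if not self.match_fn(sample):   # local verification; sample stays here
            return None
        return sign(self.key, nonce)

def demo():
    key = secrets.token_bytes(32)       # constructed enrolment key
    server = Server({"dev-1": key})
    device = Device(key, lambda s: s == "enrolled-finger")  # constructed sample
    nonce = server.new_challenge("dev-1")
    tag = device.assert_user("enrolled-finger", nonce)
    # first submission is accepted; the same bytes sent again are rejected
    return server.verify("dev-1", nonce, tag), server.verify("dev-1", nonce, tag)
```
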

What happens if my biometric sample gets stolen?

A rather popular argument is that if a credit card or password is stolen, it can be easily replaced by another one, while a biometric sample is there for an entire lifetime. If it gets jeopardised, it's over. Correct?

Incorrect.

There are multiple reasons why. Let us look at them! First of all, while many types of biometric samples can be stolen (some more easily than others), this is not true for all of them. For example, vein patterns are currently very hard to obtain. Moreover, if a system uses multi-factor authentication, for example, fingervein with fingerprint (which is an existing solution), obtaining either sample alone (or the fingervein, for that matter).

But let's hypothesise that a person has obtained the samples, a device on which they are to be used and the account information that they unlock, and is ready to do something malicious. The samples are not alive, and this is a very important factor. More and more biometric identification devices are equipped with live sample detection, which means that they will not work with stolen samples (fingerprint casts, photographs, etc.). Note that this most likely requires a dedicated identification device, so, for example, a notebook camera may not be good enough for live sample detection on an iris. So however hard the hackers worked to obtain the sample, with good live sample detection, all their work is futile. Nothing happens if the sample is stolen.

And even if liveness detection of ample quality is not yet implemented, there is a final factor in this question, and this is our closing argument: it may not be as lucrative as stealing a bunch of passwords from a server. Obtaining a biometric sample is not easy, just as it is not easy to exploit a security loophole in an IT system and steal passwords; it requires an investment and a lot of effort. While passwords can be stolen en masse, many in the same operation, the theft of biometric samples must be tailored to each and every user. They can't be stolen together, and this puts a lot of workload on the bad guys. Because time is money, it may not be profitable to do this. Since stealing passwords (or biometric samples, for that matter) is done for money, if there is no money in it, it will not be done.

So before we start to fear for our biometric samples, we should first think about how this can work and realize that it is not all that easy.
