Don't use biometrics as a password

This security tip was written on 24 April 2018.

There's a trend of having computers and phones accept your fingerprint or face as a password. Even the government seems to do it when you call them ("In Australia my voice identifies me"). This is a troubling trend for two reasons:

First, they aren't secret. A password works because only you know it; a biometric is something everyone can observe. Anything you touch will carry your fingerprints. Anybody who takes a photo of you has your face. Anybody who records you has your voice. It's like having a key that everyone can see and hoping no locksmith can make a copy.

Second, and most important: you have a limited supply of biometrics and no way to revoke them. Even if your biometrics were secret, once one is stolen you can't replace it the way you would reset a password or rotate a key. All you can do is switch to one that hasn't been stolen yet and hope you don't run out. This is especially awkward if you use a different biometric per account. You can't buy more fingers when you need more security.

If you have any questions about this tip or suggestions for new ones, please contact me.
