Banks Replacing Passwords With Biometric ID

Password protection is a remarkably fragile layer of security that has come under recent scrutiny both for the weak passwords most users choose online as well as the often sloppy security measures taken by corporations to safeguard customer data. 

It is hard to know which is worse, the fact that many tens of millions of people use "password" or "123456" to protect their most valuable information online, or the fact that weak corporate security at billion dollar corporations has compromised the personal information of hundreds of millions of people around the world, including often reused-passwords. 

Big business believes it now has the answer to the first problem in biometric identification, but unfortunately it may also make their weak security an even graver threat.

Fingerprint scanning was the first biometric technology to be implemented and it is already in wide use at Bank of America, Wells Fargo and JP Morgan Chase, with adoption rates expected to rise. 

Until a few short years ago, this wouldn't have been possible without providing customers with costly finger print scanners en masse. But now the fingerprint readers on some smart phones, such as the iPhone, make this a popular choice for banking. 

In some systems, the fingerprint must be scanned from the customer's own phone as well, adding an additional layer of security. Bank of America claims that 33% of its customers now use fingerprints to access their accounts since the option was introduced in September.

Biometric identification is not just about fingerprints though, as facial recognition, voice pattern recognition and iris scanning are all seeing widespread adoption as well. Iris scanning has been lauded for its security benefits and is now in use by corporate banking clients where extraordinarily large sums of money are at stake. 

The company's financial officer is required to present his or her iris for a detailed digital photo and the pattern of the iris is compared with that on record. 

The USAA, which provides insurance and banking services to US military personnel, recently boasted that 1.7 million of its customers have used either facial geometry, voice patterns or fingerprints to access their accounts.

Before we begin to celebrate the demise of the password and all of its inherent weaknesses, perhaps we should consider the dangers of submitting a complete biometric profile to every corporation that we have contact with. 

Before addressing several of the darker aspects of information security, there are the simple matters of voice patterns changing when we have a cold, facial scans being disrupted by poor lighting and the numerous difficulties that come with fingerprinting. 

Laborers who work with their hands, doctors who wash frequently, those suffering from dermatitis and many others, including the elderly for whom skin deteriorate with age, have fingerprints that cannot be read. 

Will they be shut out of such systems? Perhaps they will be thankful when they consider its other drawbacks.

When a password is lost or compromised, the user should has the option to reset their account and change the password. This option is fairly simple, even though the hacked password may have other consequences, but passwords are open to modification whereas biometric data is inherently not. 

When, not if, a hacker compromises a company's biometric database, they will gain access to unchangeable customer data used to prove identity and not only for that company, but for every company that has adopted biometric authentication. 

With widespread adoption of biometric authentication, a single large hack could permanently compromise tens of millions of customers who would thereafter have no way to establish their identities. 

Remember, the first problem is weak passwords created by users (which biometrics solves) but the second big problem is corporate database security (which biometrics may make much worse). If we can't trust companies with simple passwords, what would indicate that we should trust them with unchangeable, biometric details?

It warrants mentioning that whereas many would vigorously oppose, as a gross invasion of privacy, a government mandate to collect every citizen's fingerprints, iris scans or other biometric data, there has been little recognition that a corporate requirement would amount to very much the same. 

The controversial 'third-party' doctrine law in the US and other countries, for example, establishes that there is no expectation of privacy from government search if a person has already granted a company access to that information. 

This has been applied to emails, files in the cloud and web history held by Microsoft and Google, but soon the government could have access to massive biometric databases. 

The United States also offers protection against self incrimination through testimony and, although recent case law has been mixed, in general the government cannot compel a defendant to divulge a password. The same, however, cannot be said for extracting any biometric data the police require for access to private records.

If biometric scanning is linked with smartphones, as it has been thus far, the obvious expectation is that every customer will have a smart phone. Gone will be the days of paper transactions, of living without a constant connection to electronic devices and monthly subscription fees, especially with recent threats of a cashless society. 

Personal privacy is sacrificed for security in the hands of 'Authority', individual freedom is replaced with a wired connection to big business and the poor may be excluded from the financial system entirely.

From some angles, it feels like the recent publicity over password hacking is a great excuse for reaching for more control by the same companies who have already allowed hundreds of millions of customers' data to fall into the hands of criminals. 

While taking an iris photo or scanning a finger print may be quick and easy, soon we may miss the days of the good old password.