Are fingerprint IDs really secure?

It’s been nearly three years since Apple introduced its iPhone 5S in September 2013 and, with it, the phone’s integral Touch ID fingerprint sensor. Fingerprint scanning as a method of user authentication existed well before the iPhone 5S, but the popular device brought this biometric security technology from the cybersecurity fringes into the mainstream.

Today, the use of fingerprint scanners has become commonplace across the consumer-device landscape, joining more sophisticated systems deployed to secure corporate systems and facilities. On balance, the proliferation of these scanners has been a positive addition to the arsenal of cybersecurity tools, but they are by no means a “magic bullet” solution for authenticating users and granting them access to sensitive systems and data.

Market estimates and forecasts from BCC Research LLC illustrate the growing popularity of fingerprint scanners. The global market for all biometric authentication technologies totaled $14.9 billion in 2015 and will grow to $41.5 billion in 2020, BCC Research predicts. Automated fingerprint identification systems (AFIS) constituted $8.8 billion (67 percent) of the 2015 total, more than all the other biometric technologies (e.g. iris/retina scans, voice matching and hand geometry) combined. AFIS will account for $24.4 billion (59 percent) in 2020, exhibiting a compound annual growth rate of 23 percent, according to the market research firm.

Securing more users

Many of the consumers who now use fingerprint scans to access their phones previously didn’t lock them at all when locking required a typed password. By any measure, using some form of security rather than none is clearly preferable. Consumers have embraced fingerprint scans because they avoid the inconvenience and memorization burden associated with passwords.

Even better, fingerprint-based authentication is generally a very solid security technology. Fingerprints are unique and provide strong authentication that a user is really who they claim to be, rather than someone who just stole a legitimate user’s password. While it is possible to steal fingerprints – either by physically lifting a print from something a person touched, or by hacking into a digital representation of the print stored on a device – the likelihood of this occurring to any individual consumer is quite small. (Well-designed devices, including the Apple iPhone, don’t store digital copies of fingerprints, but use algorithmic methods to store a difficult-to-break “hash” of the biometric identifier.)

Dual factor still strongest

That said, as with any authentication method, it’s best if fingerprint systems are paired with secondary authentication techniques. For many consumers, however, typing a password along with scanning their fingerprint is too much to ask, as it negates the convenience of using the fingerprint identifier alone.

Organizations needing to protect corporate devices, networks and data can’t afford to be so cavalier. For them, two-factor (or more) authentication methods must be considered a requirement, not a luxury.

AFIS solutions can be a powerful component of these authentication schemes, but – as with all security controls – they can never be considered 100 percent failsafe. That said, when deployed intelligently, fingerprint scanners and other biometric technologies have already demonstrated their effectiveness and their value. These solutions will become ever more sophisticated, and commonplace, as organizations seek to bolster their cybersecurity defenses.

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.
