The dark side of biometric identification

Apr 26, 2016 | 5 min read
Authentication, Data and Information Security, Government

Authorities are using your fingerprints, your face, and even your DNA to authenticate you. If you think that will stop cyber fraud, think again

As I read about the Kuwaiti government’s plan to test and log the DNA of everyone in that country, I was reminded of what a bad idea such schemes are. It’s great for law enforcement, I guess, but it’s terrible for personal privacy and overall security.

What do I mean that it’s bad for security? Wouldn’t DNA be the ultimate biometric identifier? Wouldn’t using DNA on every system worldwide mark the end of cyber crime?

No, it would result in the exact opposite — and we’re almost there already. Before I explain myself, let’s talk about all the ways DNA and other biometric identifiers are collected.


My fingerprints have been taken for every security clearance I’ve applied for, whether or not I was accepted, whether or not I completed the process. Part of the application process is that they get to keep your fingerprints forever. They end up in a national fingerprint database, even if you’ve never been suspected of a crime.

If you travel between countries, you’ve probably given your fingerprints on arrival. I’ve given my fingerprints to several different countries, including my own, several times. You can be required to submit to fingerprinting as part of your job. States can even require a full set of fingerprints for getting a driver’s license. I unlock my smartphone using a fingerprint; I know many people who do the same to log on to their desktop computer or to verify their identity to a time clock.

Facial recognition

The idea that you could walk past a security camera and get positively identified was science fiction until a few years ago. Today, it’s commonly used and fairly accurate across hundreds of law enforcement jurisdictions. I hear they even use it at the Super Bowl and other big gatherings.

I don’t know who has the best facial recognition, but Facebook has to be right up there. I’m still amazed how accurate it is. Several studies say Facebook’s technology is more accurate than the human brain and even more accurate than the FBI.

But now facial recognition is used everywhere, including in stores, cars, and everyday access control systems. Even your computer will get facial recognition as a logon choice very soon. Satellites and drones will have it, if the military versions don’t already. It’s hard to keep up.


What can be more personal than your DNA? Although DNA repositories aren’t as popular as other biometric databases, they’re the next big thing. Has your DNA been collected yet? I know mine has.

I submitted my DNA for ancestry analysis. More than likely it ended up inside a big database. Several big ancestry websites and even Google are helping to create huge DNA databases.

Medical researchers and police are increasingly mining these commercial sites, along with their own databases, to solve medical and criminal mysteries. In a story about “superhero DNA,” researchers who screened for mutations linked to hundreds of severe childhood genetic diseases found 13 adults who carried disease-causing mutations yet showed no symptoms. Buried in that article: The researchers searched through the DNA of more than 600,000 people without any of those people being aware of it.

Meanwhile, police are increasingly asking for access to otherwise private DNA databases. In at least one case (and probably many more), people have been detained or arrested because their DNA was similar to, not an exact match for, DNA recovered from an unidentified suspect: a familial search flags the relatives of whoever left the sample, and they are the ones who get the knock on the door.

At what point will hospital birthing centers be required to take newborn DNA and submit it to a centralized system? It may be done in the name of science and disease prevention, but it means that everyone’s most personal and sensitive biometric, DNA, will be stored in one or more databases. By the way, did you know that anyone can buy a portable DNA sequencer and have results in a matter of hours?

The problem with biometric identification

Here’s the difficulty: Most biometric identifiers are easy to steal and reuse. You leave fingerprints on everything you touch, your face is captured by every camera you walk past, and both are stored, in matchable form, in every database that has ever enrolled you. We shouldn’t use biometric identity for anything serious or critical, because once a biometric has been copied we have no way of preventing bad people or malware from reusing it maliciously.

None of the places that store your biometric identities are safe or unhackable. No matter how much they claim your biometric identity is safe, they’re either lying or clueless. We need look no further than the U.S. Office of Personnel Management’s security clearance database, which held, among other details, the fingerprints and detailed personal history (including friends’ names and addresses) of everyone who had applied for a security clearance. In 2015, hackers attributed to China stole 21.5 million background investigation records, including the fingerprints of 5.6 million people, with records going back decades.

Am I supposed to believe that Kuwait, 23andMe, the FBI, and every other database that stores my DNA (or other biometric identity) will remain unhacked forever, especially when no one believes any of those databases are secure today?

There’s the rub. If someone steals your biometric identity, they can reuse it, and you can’t revoke or replace it: nobody can issue you a new fingerprint the way a help desk resets a password or reissues a smart card. The system you log on to can (and should) require a second authentication factor, like a PIN, and that second factor had better be one you can change, because once your biometric identity is stolen, the biometric ceases to be a reliable factor … forever. The least bad designs keep the template in the device’s own secure hardware and never send it to a server, so a breach of the service doesn’t hand out the biometric; a central database of raw templates, like the one OPM kept, is the worst case.
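The reason a biometric database has to hold something replayable, while a password database does not, is that no two scans of the same finger are identical. The following toy model is an added example and is not code from the article or from any real matcher: a finger is a 256-bit template, each scan flips a few random bits (constructed sensor noise), and the threshold, noise level and seed are arbitrary assumptions. It shows that hashing a biometric like a password locks the genuine user out, that the fuzzy matcher therefore needs the template itself, and that a stolen template keeps matching the victim’s live finger after re-enrolment, whereas a stolen password hash is dead the moment the password is rotated.

```python
"""Toy model: why a stolen biometric template replays forever and a password does not.

Constructed example. The template format, the Hamming-distance matcher and the
noise model are stand-ins for a real fingerprint system, not a description of one.
"""
import hashlib
import random
import secrets

TEMPLATE_BYTES = 32      # assumed: 256-bit toy template
MATCH_THRESHOLD = 40     # assumed: accept if at most 40 of 256 bits differ
SCAN_NOISE_BITS = 5      # assumed: each scan flips 5 bits of the true template
PBKDF2_ROUNDS = 100_000


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def scan(finger: bytes, noise_bits: int, rng: random.Random) -> bytes:
    """Simulate one sensor reading: the true template with noise_bits random bits flipped."""
    buf = bytearray(finger)
    for pos in rng.sample(range(len(finger) * 8), noise_bits):
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


# --- password-style storage: salted one-way hash, compared exactly ----------------
def enroll_secret(secret: bytes) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


def verify_secret(record: tuple, candidate: bytes) -> bool:
    salt, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", candidate, salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(digest, probe)


# --- biometric storage: the matchable template itself, compared fuzzily -----------
def enroll_biometric(enrolment_scan: bytes) -> bytes:
    # Nothing can be hashed away: the server must keep something it can match against.
    return enrolment_scan


def verify_biometric(stored: bytes, live_scan: bytes) -> bool:
    return hamming(stored, live_scan) <= MATCH_THRESHOLD


def demo(seed: int = 1) -> dict:
    """Run the three scenarios and return their outcomes keyed by name."""
    rng = random.Random(seed)
    finger = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))
    enrolment = scan(finger, SCAN_NOISE_BITS, rng)
    login = scan(finger, SCAN_NOISE_BITS, rng)              # same finger, different noise
    stranger = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BYTES))
    results = {}

    # 1. Treat the biometric like a password (hash it): the genuine user is rejected,
    #    because the login scan is not bit-identical to the enrolment scan.
    hashed = enroll_secret(enrolment)
    results["hashed_biometric_accepts_genuine"] = verify_secret(hashed, login)

    # 2. Fuzzy matching fixes that and still rejects a stranger ...
    template = enroll_biometric(enrolment)
    results["template_accepts_genuine"] = verify_biometric(template, login)
    results["template_rejects_stranger"] = verify_biometric(template, stranger)
    #    ... but the stored template IS the credential. Exfiltrate it, and it still
    #    matches the victim's finger even after the victim "re-enrols" post-breach.
    stolen = template
    re_enrolment = enroll_biometric(scan(finger, SCAN_NOISE_BITS, rng))
    results["stolen_template_replays_after_reenrol"] = verify_biometric(re_enrolment, stolen)

    # 3. A password stolen in the same breach is useless once it is rotated.
    old_pw, new_pw = b"correct horse", b"battery staple"
    record = enroll_secret(old_pw)
    results["old_password_before_rotation"] = verify_secret(record, old_pw)
    record = enroll_secret(new_pw)                           # rotate after the breach
    results["old_password_after_rotation"] = verify_secret(record, old_pw)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The second factor in this model (the password) is the only thing that makes the account recoverable after a breach, which is the point of the paragraph above: the biometric can be required, but it can never again be the factor you trust.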


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
