Can biometrics replace any existing authentication technology today?
Yes, biometrics can replace existing authentication technology today, but there is a lot of work to be done and additional security layers are needed for it to be commercially viable. For example, I do not regard Face ID from Apple as secure due to twins and printed masks that have been proven to thwart the technology. In addition, biometrics should only be used for authentication or authorisation, but never both at the same time. Biometrics alone, without a pin or other verification media, is insufficient. The policies and technologies need to evolve to ensure a fingerprint or face ID alone cannot jeopardise the integrity of the system, and that security policies for storage, encryption, and even biometric rotation (like password rotation) can be successfully implemented and enforced.
When should biometrics augment existing solutions?
Consider any security model that is easy to document or communicate via paper, verbally, electronically, or even via a text message. A username and password or pin is a traditional example of this. Both strings are easy to document. Biometrics is a great addition to this type of technology and ensures the proper identity is actually the one trying to authenticate since biometrics cannot be communicated; only spoofed.
When should biometrics never be used?
Biometrics should never be used alone for access, regardless of authentication or authorisation.
Door locks are a perfect example of this problem. A stolen fingerprint can easily be manufactured to bypass the physical security of the device and compromise the contents behind the door. A second example is a mobile device. A fingerprint is used for authorisation and authentication in the case of logging in, potentially accessing a financial mobile pay app. While this is not as risky as a biometric door lock, since it assumes you have possession of the device, it represents an unacceptable risk for entities securing more information than just a consumer's device, personal financials, and information. I would never allow an application on a mobile device that uses its local biometric system alone to access sensitive data within an organisation. There should always be a second mechanism on top of that to prove the user's identity. This could just be a basic pin. Biometrics should never allow full access alone without another form of challenge and response.
Are there processes in place to purge or archive biometric data? What is the data retention policy for it?
The introduction of biometrics is beginning to challenge our current security policies for password retention and password age. For example, how often should a user change which fingerprint is stored in the system, from the thumb to the little finger and on to the other hand? How do you address injuries or handicapped individuals? Does rotating your fingers periodically actually make you more secure? I would argue it does. With that in mind, how do you accommodate biometric history similar to password history? Policies need to be developed per organisation that keep biometric data for a finite time and purge it when obsolete. Modelling the data after current policies, like every 30 days for a new finger, makes sense, but exceptions will always occur and, as discussed above, the pin or password associated with the biometrics should be rotated as well. All of these need to be documented and incorporated into existing security policies and propagated to the end users in the form of employee handbooks and security training.