Second Opinion: Tired of memorizing so many passwords? Too bad: The alternatives aren't better yet

A screen at the airport shows approval of face ID for a passenger

By Heidi Boghosian

May 22, 2022 3:01 AM PT

To live a secure digital life, we rely on passwords — an average of 100 per person. Fernando Corbató declared this a “kind of nightmare.” The late MIT professor would know; he was credited with inventing the password.

An ensemble of global business leaders calling themselves the FIDO Alliance, so named for “Fast IDentity Online,” wants to ditch this norm. Alliance members Google, Apple and Microsoft doubled down this month on their commitment to a password-less world, suggesting users switch to “a simple verification of their fingerprint or face” — or biometrics.

Biometrics are measurements of unique physical characteristics — also including iris scans and voice patterns — that can identify individuals. Signing in via face or fingerprint recognition saves us from memorizing yet another password, and can reduce the risks of hacking and phishing — when online attackers trick users into handing over their passwords. These cybercrimes can cost Americans millions and spread their login information widely.

Are biometrics the answer? Many businesses and governmental agencies think so. These systems aren’t yet mandatory; Google, Apple and Microsoft’s password-free approach also includes using device PINs — like the code you might type in to unlock your iPhone — as a password alternative, alongside fingerprint and face verification. But we’re already seeing a troubling creep toward biometrics becoming the standard.

Microsoft’s Windows Hello biometrics program uses FIDO authentication technology to let users log onto devices with a fingerprint, iris scan or facial recognition. It had nearly 300 million monthly users by the end of 2020. In 2018, Delta Air Lines launched the nation’s first biometric terminal in Atlanta, in cooperation with U.S. Customs and Border Protection and the Transportation Security Administration. Passengers who opt for biometrics pre-register their photo ID information and have their facial features read so they don’t have to show ID at multiple TSA checkpoints. Major airports in Atlanta and elsewhere partner with Clear, a private-sector service, to provide this capability. Several Major League Baseball teams use Clear’s biometric technology at their stadiums so spectators can breeze through security points.

Much of the public buys the biometric-safety sales pitch, with nearly two-thirds of Americans reporting in one 2020 survey that they believe facial recognition software makes us safer.

But optimistic dreams of a password-free future downplay biometrics’ weaknesses.

Yes, biometrics are more reliable at verifying users’ identities than lower-tech options such as passwords, PINs or answers to personal questions, which often require memorization or password-tracking tools. Biometrics are harder to copy than this kind of authentication. They also usually, though not always, require the physical presence of a person to authenticate. Under FIDO’s protocol, biometric data are supposed to be stored only on a particular device, like your phone, and not on a server.

With the FIDO system, you could use a biometric or master PIN to sign in via software to individual websites, such as for online shopping, so long as those sites support FIDO technology. The long-term FIDO vision is to create a centralized credential manager that can sync between different sites and platforms, ultimately killing the password.

But the biometrics touted to expand this vision create their own risks. They can have false positives, clearing an image that does not come from the authentic individual, and false negatives, not recognizing when the real person is present. Replicas can sometimes fool a biometric sensor. Some identifiers are susceptible to deep fakes, such as digital clones of people’s voices that lead to fraud. And unlike passwords or tokens, it’s tough to reset compromised biometrics. You can’t easily remake your voice, face or fingerprints.

Biometrics databases have already been hacked. In 2019, a breach of biometrics maintained by a security company exposed the data of 1 million people whose companies used fingerprints and facial recognition to provide access to offices and other facilities. Nationally, more than 110 lawsuits involving biometric data privacy were filed in the first quarter of 2022.

Discrimination is also likely to taint these protocols. Some people may decline to use a biometric, because it violates their religious, cultural or personal values and capacities — whether by exposing parts of their bodies, photographing them or requiring physical touch. Not enrolling in these systems may prevent people from obtaining certain jobs, accessing healthcare, or traveling freely on public transportation or in their own vehicles.

Perhaps less immediately apparent, biometric identification also expands the potential reach of government surveillance. Law enforcement use of facial recognition software is already growing and has amassed huge databases. Consider U.S. border patrol’s collaboration in facial screening at airports: More biometrics will create more data that can be screened by authorities, who have thinly regulated access to facial recognition technology.

To mitigate hacking and surveillance risks, the public should push legislators to swiftly enact biometrics privacy laws on both the state and federal level. As a model we should look to Illinois. The state’s privacy laws restricting corporate use of biometrics are the strongest in the nation, informing a bill introduced in the California Legislature this year. Though Texas and Washington have similar laws, Illinois’ sanctions are especially hefty: After a 2020 decision from a federal court in the state, its employers may be liable in excess of $1,000 per day, per employee, for each day in which biometric information was improperly collected, stored or used. Illinois’ law has also been used to bring a suit against Apple over its facial recognition technology. (Apple stores the facial data that unlock phones on the devices themselves, and uses facial recognition on its photo software.)

Federal and state regulatory standards need to catch up with how corporations can use voice technology, fingerprints and facial recognition. The private sector’s ability to collect and use biometric data is largely unregulated.

Though they might seem like a leg up on our maze of passwords, these systems invite new threats. The risk inherent in a free-for-all biometrics-run world isn’t easily rectified.

Heidi Boghosian is an attorney and author of “‘I Have Nothing to Hide’ and 20 Other Myths About Surveillance and Privacy.”