Everyone says "passwords are bad." They are insecure by design because in order to be secure, they must be complex. If they are complex, almost no one can remember them. So people either dumb down their passwords or record them insecurely somewhere. ("Post-it note under the keyboard" sound familiar?)
So, I decided to use biometrics in my security app. With the latest devices having built-in fingerprint scanners, I figured that would be the ideal tool. After a long development process, I perfected my fingerprint ID system, with biometric information stored in a database on the backend authentication server.
All tests and initial implementation went great. It worked! People authenticate with just a touch of a finger. So, we went live across the board.
What could possibly go wrong?
Hackers cracked their way into the server and stole the database. That's what could and did go wrong.
The bad guys made off with 80000 customer records, which included all the digitized fingerprint scans. And, since I made ten separate accounts while testing, the hackers have all my fingerprints. Since I'll never have any other fingers, and therefore no new or different fingerprints, I am basically screwed - forever.
At least with passwords, if the database was stolen, I could pick new passwords in the future. With fingerprints, I only got 10 chances to keep them secure. And now those are gone.
Biometrics - an idea that sounds so good on the surface but should never be used in the real world.