It is People and Shortcuts Not MFA that’s the Issue and Biometrics is not the Answer
There is a risk to Multi-factor authentication — but it why? Most businesses who choose to use it — decide to use the most insecure version of it. Hackers already know the loopholes and are more than willing to take advantage. There are several types of MFA, but each is more expensive, which is why the cheapest solution is the primary one chosen. My choice is the use of a hardware token over biometrics. These hardware devices offer a physical form of authentication that is passwordless. The problem for many is the relative complexity required to configure these devices to allow for recovery if the authentication device is lost or stolen. Enter the FBI. Of course, why wouldn’t the FBI wants businesses to use biometric factors – the government stores five zettabytes of data in Utah alone and they probably already have your biometric data. (Ever been arrested, applied for a security clearance, visa or passport, etc.)
The problem with biometrics is the effectiveness and the fact that the general public doesn’t understand how they work. Biometrics are hackable. Cybercriminals are using sophisticated tools in their criminal exploits. Did you know that hackers have used publically available photographs and 3D printing to fool some facial recognition systems? If they will go to that level of work, don’t you think an enterprising cybercriminal could obtain a full image of your fingerprint? You can always change a password, but have you ever tried to change your fingerprints or your face? It is impossible to change a biometric marker making inherently more of a security issue as a criminal can continue to use it forever. The bottom line is that biometrics are far from a panacea. So I ask you, are you willing to trade that for the convenience of getting into your phone? Real security requires a layered approach and not a single technological solution.