Biometric authentication: fingers crossed

Biometric features on ING's banking app

Biometric authentication. Who does not know all about this? Well, me. So let's start with a concise definition by TechTerms.com:

"Biometrics refers to technologies used to detect and recognize human physical characteristics. In the IT world, biometrics is often synonymous with "biometric authentication," a type of security authorization based on biometric input."

Next question: why do I even bother about biometrics? This video by the Dutch banking company ING made me wonder (sorry, it's in Dutch):

https://www.youtube.com/watch?v=lCHG4pBEJMw

I have a banking account at ING and I am a heavy user of the ING banking app on my iPhone. The introduction of fingerprint authentication is the second biometric feature within ING's banking app. They already provide a voice recognition feature called 'Inge'. At this moment, I am already using Apple's Touch ID for granting access to my phone, but when somebody else accesses my phone, he or she cannot take any actions that directly lead to that person's financial gain (nonetheless, that person can saddle me with a high telephone bill).

Having said that, accessing my banking account and actually doing payments through this fingerprint scanner can lead to financial damage when someone 'knows' my fingerprint. So for me, this is one step too far. Let's be more concise. Specifically, this means that my fingerprint could be in hands of a commercial company (although they claim not to save it; I remain suspicious). This company translates the characteristics of my fingerprint into an algorithm and saves it somewhere where I cannot lay my finger on...

What if more companies get the same idea as ING and ask me to 'please hand over my fingerprint'? My (probably) unique fingerprint will be stored by a dozen of commercial companies at databases in cities of countries that I cannot pronounce the name of and where I do not know about the rules of privacy legislation. This does not sound right, nor safe. Now why should I be glad with the introduction of this new feature on my banking app? And how is my fingerprint saved on my iPhone at this moment?

Apple claims to not save the fingerprint. Here's what they say about the technology:

"Fingerprint data is encrypted and protected with a key available only to the Secure Enclave (a chip developed to protect passcode and fingerprint data). Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of the chip and the rest of iOS. Therefore, iOS and other apps never access your fingerprint data, it's never stored on Apple servers, and it's never backed up to iCloud or anywhere else. Only Touch ID uses it, and it can't be used to match against other fingerprint databases."

Let's assume this is true. The iPhone stores the result of a "hash," which may be unique, but can't reveal your fingerprint. Now what about any possible security leaks in iOS? Can we be sure that there is no vulnerability in this centre of biometric information about me? I am afraid not. We just haven't found them yet.

Fingerprint Pros & Cons

After some short reading on several websites and using my own imagination, I came up with the following pros and cons. Can you think of some more for yourself?

Wrap Up

I myself will play a waiting game when it comes to handing over my fingerprint. Especially to commercial companies, since there is little practical experience and no supervision on how and where they'll save it. So let's keep our fingers crossed that this type of authentication method one day will be safe enough and eventually saves us money instead of costing it due to fraud.