Many journalists wrongly think that biometric authentication features, such as fingerprints or facial recognition, are a sufficient way to protect their digital devices. Although this technology has its benefits, it is not sufficient to replace strong passwords and multi-factor authentication.
Biometric authentication seems secure…
- A booming trend. Biometric authentication features such as fingerprint or facial recognition are increasingly used for unlocking phones and other devices, as they do not require remembering any passwords and rely on one’s face or fingerprint, which is unlikely to change or be duplicated.
- It has safeguard features. Several technologies have developed ways to ensure that the individual accessing the device is alive or conscious: Apple’s Touch ID fingerprint scan checks electrical conductivity and the movement of a pulse, while some other applications using facial recognition require users to wink, smile, or move their heads on cue.
- Biometric data is encrypted. Ordinarily, the information stored to use fingerprints or facial recognition is heavily encrypted and stored only on the device, not in the cloud or by the parent company.
It may seem like an efficient security tool, but as with any emerging technology, there are limitations and risks to using it, especially for journalists holding sensitive information related to their work.
… but it does not guarantee a device’s safety
- Biometric data may be handed over to authorities. First, there is no guarantee that a device manufacturer will not share the stored biometric data when requested by the authorities.
- Artificial intelligence can generate fake fingerprints. Second, recent developments in the artificial intelligence field, although still in their early stages, are producing new technologies that can trick biometric authentication systems by using AI-generated fingerprints such as DeepMasterPrints.
- Biometric data can be directly found online. Additionally, authorities or third parties can directly access a journalist’s biometric data online or in surveillance systems by stealing images of the journalist’s face or of their fingerprints.
- Authorities already have people’s biometric data registered. In certain countries, the registration system for getting an ID card or for entering the country’s borders requires people to provide their fingerprints. Authorities can therefore access a person’s file that displays their face and their fingerprints.
- Journalists can be forced to unlock their device. Any third party can coerce a person into putting their fingers against their device, or hold the device up to the person’s face, and pressure them to unlock it.
Passwords and multi-factor authentication still a must
- Use strong passwords. Journalists working on sensitive information should maintain strong password authentication as the primary method to protect their devices from the authorities or third parties with high-tech resources at their disposal. It is more difficult to crack passwords or to force people to give them away.
- Use multi-factor authentication. If they decide to use biometric authentication, journalists should have multi-factor authentication as an additional layer of security, such as strong passwords combined with additional walls of encryption.
- Use two devices. It is also recommended that journalists carry two mobile phones or devices: one protected by multi-factor authentication that contains sensitive information, and one that could potentially be used as a decoy in case they are required to hand it over to the authorities.