Biometrics May Ditch The Password, But Not The Hackers : All Tech Considered Companies are investing in more secure methods to verify people. But even biometrics — like fingerprints and voice recognition — can be defeated, and they raise privacy concerns.

Biometrics May Ditch The Password, But Not The Hackers

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript


And now to the security of our devices. Passwords get hacked a lot. In an effort to move beyond passwords, big companies are embracing biometrics. Think fingerprints, voice-recognition and iris scans. But as NPR's Aarti Shahani reports, ditching passwords for eyeballs is unlikely to make hackers go away.

AARTI SHAHANI, BYLINE: I'm at a big security conference in San Francisco. It's called RSA, and there are thousands of people here in the Moscone Convention Center selling products to make life online more secure.

CONOR WHITE: So I'm going to actually show you how I log into my bank account.

SHAHANI: Conor White is an executive with Daon, a biometrics company.

WHITE: So I've just launched our mobile app, and you can see here I'm straight into the app. Watch hot it authenticates me.

SHAHANI: He doesn't type in a password. He holds his iPhone 6 up to his face like he's going to take a selfie.

WHITE: And watch what happens.

SHAHANI: He blinks on purpose.

Why'd you blink?

WHITE: I blinked because photographs don't blink. So it's a basic test to make sure that it's not someone holding up a photograph of me on the Internet, so...

SHAHANI: Clever, clever.

And if selfie security doesn't work - say you're in a dark room - you can use your fingerprints instead or your voice. White reads this sentence to get into the app.

WHITE: My identity is secure because my voice is my passport.

SHAHANI: His company recently landed a big contract with the bank USAA to do biometric identification for their account holders. White says bankers are calling him regularly now because the old system has failed. Biometrics are a great alternative, he says, because they're super personal.

WHITE: I wear my face every day. It's the only face I have. It's, as I say, a face only my mother could love.

SHAHANI: And if it feels too personal, don't do it.

WHITE: At the end of the day, it's down to choice. If people feel uncomfortable, they don't have to do it. They can continue to go with the password-based model. They may not get the level of service that they want, but it's their choice.

SHAHANI: It's a choice of for now, but given the pace at which companies are putting biometrics into their hardware, it could become the new normal soon. Patent attorney Yuri Eliezer, with the firm SmartUp, says a decade ago there were just 46 patent applications for biometrics. Last year, he counted at least 567.

YURI ELIEZER: Oh, absolutely, yeah. It's definitely a growing number, and we anticipate that it's going to continue to grow.

SHAHANI: Apple, Samsung, Google, Microsoft, Intel - they're all filing. Eliezer says biometrics is part of the blueprints for the newest lines of smartphones and fitness trackers.

ELIEZER: This is something we're always holding in our hand or having in our pockets always so close to our bodies. And now the fact that we could integrate these sensing devices into our mobile devices, it makes it all the more useful to aggregate and collect data on us.

SHAHANI: And provide something useful, too. According to patent filings, Apple wants to use biometrics to lock and unlock messages - keep that text for your irises only. Microsoft is interested in entertainment value and is working on a device that monitors your heart rate or blood oxygen levels - maybe to adjust the music while you play Xbox.

ELIEZER: And if your heart rate's increasing, the music might speed up or slow down based on the environment the gaming providers are trying to create.

SHAHANI: The biometric boom raises some well-known privacy concerns. It also raises some lesser-known security concerns. David Cowan with Bessemer Venture Partners is an investor. He's put over $100 million into digital security companies, but he refuses to invest in biometrics.

DAVID COWAN: Either a password or a biometric can be stolen, but only the password can be changed. Once in your fingerprint is stolen, it's stolen forever, and you're stuck.

SHAHANI: Hackers have already made dummy fingerprints using pictures of people's hands available online to swipe into the iPhone 6 scanner. Cowan says in a world where just about anything can be hacked, the cost of biometrics is just too high. Aarti Shahani, NPR News, San Francisco.

Copyright © 2015 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.