As you might have read last week, there was a huge data breach affecting over one million people in the UK that exposed fingerprints and facial recognition information, as well as unencrypted usernames and passwords. This is one of the first times a biometric breach of this scale has been reported.
I have talked about this very issue recently in the context of “FaceApp.” As such, a biometric hack like this doesn’t come as a surprise to us.
To understand how you can protect yourself against biometric hacks, it’s first important to understand how biometrics are used in mass market devices such as Face ID, Touch ID, Android Biometrics and Windows Hello. I wrote a blog article about this last year.
As I wrote in that blog post: “There is a misconception among the general public regarding biometrics and their use in securing our private information. The common belief among people is that biometrics, such as Touch ID or Face ID, can be used to eliminate traditional passwords. However, this is far from the truth. As described here, biometrics only serve as a convenience feature for users, or as a second factor of authentication.”
To protect yourself against a biometric cyber attack, you should do the following:
- Use unique, high-strength passwords for each of your websites, applications and systems.
- Use Two-Factor Authentication on all of your websites, applications and systems whenever possible.
- Assume that your facial geometry, fingerprints and other biometrics are probably already in the hands of cybercriminals. Unlike a password, your face and fingerprints can’t be reset, and therefore they can’t be used as a replacement for a password.
When it comes to protecting your online accounts and your personal information, biometrics should only be used as a convenience feature on your device or as a second factor for authentication. Biometrics can log you into many apps. However, it’s important to know that the biometric is simply entering your saved password into the app’s login screen. If a cybercriminal wants to hack your online account, they won’t necessarily steal your phone. Instead, they will attempt to remotely log into the target website with your weak password. This is why all accounts that use biometrics must be protected by a strong and unique password.
In the case of Keeper, we fully support biometrics on our native applications as a convenience method for authenticating into your account. However, all of our users are first required to create a strong master password. Further, our business customers enforce the use of strong master passwords for protecting each employee’s vault as well as randomly generated, high-strength, record-level passwords when deploying Keeper to employees.
In addition to having strong and unique passwords for every website, it is critical that you enable Two-Factor Authentication (2FA). Keeper supports several popular 2FA methods and we encourage the use of 2FA on all websites and applications, whenever possible.