In the last decade we have seen how advances in biometric technologies have made it possible to identify individuals with their fingerprint, voice, iris or even brainwaves with very low failure rates.
I have no doubt that biometrics (something you are) will eventually replace passwords (something you know), which can be easily forgotten, guessed or deciphered with dictionary attacks. It is a fact, we are not good at choosing robust passwords and we reuse them all the time.
Unfortunately, it is not uncommon to hear from considered secure cloud services urging their users to change their passwords after a cyberattack. It is very annoying, but a new password should solve the problem.
But what if your biometric information is stolen? Most of cloud services protect it the same way they do with passwords, i.e., the information is encrypted and stored in their servers. If after a cyberattack your fingerprint is deciphered, it could be used in order to access any other online service, and you can't simply change your fingerprint. If it is stolen once, it is stolen forever.
So the next time you are required to sign in with biometrics, ask your self how will your information be processed and protected.
A way to tackle this problem is by using Zero Knowledge Proof protocol (ZKP), that eliminates the transmission, storage and exposure of private user data during authentication. This way, biometric information never leaves the device, it is never transmitted or stored, so it simply cannot be stolen if the server is compromised.
* Disclaimer: I am CTO of Sedicii, a leading company in user authentication solutions, which uses ZKP-based patented technologies.