So thanks to Supergirl Season 2 Episode 7 we’ve got a giant teachable moment on the security horror show that is single-factor authentication with biometrics. It’s not the show’s best-written episode; it’s kinda crazy and full of plot holes. To sum it up: season 2’s big bad kidnaps Supergirl, gets hold of her blood, takes it up to the Fortress of Solitude, and voila – they’re in. No additional passcode or amulet. Not even a second biometric, like face recognition. Talk about crap security, Kryptonians. I mean really, I won’t even enable the thumbprint ID on my phone. Here are some lessons our alien heroes maybe should have picked up by now.
- Biometrics are not private and they can be copied.
- In the US, biometrics are not protected by the 5th amendment the way passwords are.
- Biometrics are “non-revocable”: if someone swipes your data and can spoof it, you can’t exactly change your retina, voice or thumbprint the way you would reset a password.
- Biometrics will follow us from database to database, like phone, Social Security and credit card numbers, and can be used to build a robust profile.
There are ways to mitigate some of the flaws in biometrics (PDF warning, but an excellent read); however, none of them override the single truth: biometrics should never, ever, ever be the only security factor in use. It’s just bad writing.