Starting January 2017, Singapore’s government will begin collecting iris images from citizens and permanent residents when they register or re-register for a new National Identity Registration Card or passport, according to the Ministry of Home Affairs.
The change was announced as part of amendments to the National Registration Act, which passed in Parliament in November but will go into effect in January. The iris images will be used as a complementary verification method to photographs and fingerprints.
Government Adoption Of Biometrics
Over the past few years, governments around the world have started warming up to the idea of collecting their citizens’ biometric identities. This includes fingerprints, which are already required for passports in many countries, or more recently iris scans, now required in both India and Singapore.
Some governments, such as the U.S. government, have even started collecting some citizens’ biometrics in secret or by requiring the collection of biometric identities when applying to various federal services. So far, governments seem much more interested in using biometrics as identification for citizens than in enabling citizens to authenticate to various services with their fingerprints or iris profiles.
Biometrics: Password Or Username?
Ever since Apple launched its TouchID fingerprint-based authentication system as an alternative to passwords and PINs, there has been a debate about whether fingerprints are even appropriate as password replacements, or whether they are more like usernames.
Governments seem to have made up their minds and are starting to treat biometrics as some sort of permanent, unique usernames that can be collected from all citizens, so they can more easily identify everyone. This could be useful for solving crimes faster or for cutting bureaucracy for various government services, but it can also be argued that it’s an encroachment on citizens’ right to privacy.
In parallel, mobile companies have started implementing biometrics as passwords. Password or password-like systems need to allow users to change their codes in case they are stolen. We’re already seeing what a bad idea password reuse is with every major data breach.
Now imagine that everyone has one or two of these passwords for life, and they can never be changed. This sounds like a terrible idea from a cyber security point of view, yet this seems to be the situation in which we are right now with biometrics.
While we get to use biometric identities as passwords in day-to-day life, governments have begun collecting these biometric profiles in centralized and hackable databases. Keeping everyone’s unique biometric IDs in centralized databases that can be hacked have already proven to be a bad idea, even if biometrics weren’t used to authenticate to mobile payments or other sensitive services. Using these hackable biometric IDs as passwords as well just multiplies the risk and potential damage.
The End Of Biometrics As “Password Replacements”?
If everyone decides that it’s okay for governments to require our biometric profiles because of the benefits that this entails, then we need to at least stop using them as password replacements. This may be easier said than done, because there’s already significant inertia in the technology industry to use fingerprints and other biometrics as password replacements. The banking industry is also now starting to deploy biometrics as authentication mechanisms, although some services will also require PINs or other verification methods.
We now have governments and the tech and banking industries pushing biometrics in two different and incompatible directions that will eventually make our security even worse than it is now with all the password re-use. It’s not clear how this story will end, but chances are governments may be on the right side of history here, as biometrics make more sense as usernames than they do as passwords. Therefore, the technology industry may eventually have to come up with yet another easy-to-use alternative to passwords, as more data breaches of fingerprint and iris scans data breaches occur.