France's Call For EU-Wide Fingerprint Database Prompts Rethink Of 'Fingerprints As Passwords'

France called for the EU to adopt measures in the "Smart Borders" legislative package that would require everyone who travels through the EU (including EU nationals) to give their fingerprints, and potentially other biometric data such as facial or iris data, to authorities to be used for identification.

When the EU Commission first proposed this measure in the Smart Borders package in 2013, it was referring only to those who come into the EU, but now the French authorities want the package to cover everyone in the EU who wants to travel across borders, both within and outside the EU.

The measure is pushed as being necessary to see who is overstaying their welcome (which shouldn't be a problem for EU citizens anyway, as they can usually stay as long as they like within another EU country), but also as protection against terrorist threats, migratory pressure, and greater passenger numbers. For that last item, the system is meant to make border checking quicker so more travelers can pass through faster.

The lawmakers behind this measure say they have built-in safeguards to protect the data, but right now we don't know what that means exactly. Plus, the data would likely not be stored in a single EU-controlled place, but in multiple countries, increasing the danger of having those fingerprints stolen with every new place in which that database would be stored or from where it could be accessed.

As we recently saw with the OPM hack in the U.S., governments are often the easiest targets, and keeping fingerprints and other biometric data in centralized databases that governments can then also share with each other just makes that database even more appealing to cybercriminals.

Fingerprints and other types of biometric authentication certainly make everyone's lives much easier, and for the time being, everyone's data is much better protected as well, compared to using a weak password or none at all on their devices.

However, if governments keep asking for this relatively unique data (only 10 fingerprints, only two irises, etc.), then we'll ultimately have to accept the fact that biometric data is more like a username than a password. At that point, we'll need to only use fingerprints as a username in combination with a passphrase or some other "second factor" that's easier to use than passwords.

It would be bad enough if fingerprints leaked in a government data breach while people were using them as usernames, but if they are used as passwords, it would be much worse, because the hackers could then log into everything you've authenticated with your fingerprint as a password replacement, from devices to web services.

Therefore, if governments keep asking for biometric data to identify their citizens, then platform owners such as Google, Apple and Microsoft, as well as security experts, will need to start coming up with easy-to-use alternative solutions to the fingerprint-as-password problem.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • spentshells
    I suppose if this goes through I will never make it to France to visit the places my family is from.
  • InvalidError
    Once your biometrics leak, they become nearly worthless for data or access protection and you cannot change them.

    If recording biometrics gets institutionalized by governments, I would consider them inherently flawed for anything beyond complementary ID.
  • house70
    Biometrics are already being collected in the US (just think of the scan and pic taken when entering the country at any airport). Most people here tend to ignore that, out of convenience and the false security given by the "I don't do anything bad, so why should I care" sentiment. I would NEVER rely upon biometrics for anything even remotely secure. For my smartphone, a PIN/password/pattern lock are enough, and that can be changed at a whim. Good luck changing your fingerprints (or iris scan, for more advanced tech) once it's leaked.
  • alidan
    I don't want biometrics as a password or username because god knows that's what I want cut off or out if a criminal thinks they can get a pay day.
  • Achoo22
    If some threat has physical access to your devices (including your biometric scanners) then you have already lost the battle for security. Besides, almost any computer that's actually useful already has a ton of much easier attack vectors. I'm all for better computer security, but this issue isn't anywhere near the top of the threat list.
  • Maarsch
    This has been happening at a bunch of different places in the world already, correct? I mean the US stores those when they scan em, right? I'm assuming the same for Japan.

    So yeah, sooner or later that data will be available. These things just get hacked/leaked/whatever.

    Username, I can see that.
    Password, no.

    Tom's Biometricsware has just discovered our forums were compromised by a hacker. We're sorry to report this may have led to unauthorized access to your username, password, biometrics and the time of your last meal.

    Please re-set your password and get a fresh set of fingerprints at your local forensic surgeon.
  • gggplaya
    Thank god I live in America, this is a bit of government overreach. Facial recognition should be enough. Swipe your driver's license, your face pops up and some dude just makes sure it's you.
  • Dave K
    Hmm... I suppose I'd be willing to give Europe my middle finger for authentication, but if they expect to get a retina scan just so I can spend money touristing around their countries they're going to get my middle finger instead.