In an age where unlocking your phone with your face feels as natural as blinking, biometric security has become a symbol of technological progress. It promises convenience, speed, and a seamless connection between our physical selves and our digital lives. But beneath this sleek surface lies a deeper, more troubling question: what happens when your identity becomes a password you can’t change?
This post explores that question through a philosophical lens—drawing on the thesis, antithesis and synthesis dialectic that Karl Marx inherited from Hegel, the ethical insights of contemporary thinkers, and a growing unease about the direction we’re heading.
Thesis: Biometrics as Technological Progress
The dominant narrative is clear: biometrics are the future. Fingerprints, irises, and facial recognition are marketed as secure, efficient, and uniquely personal. They eliminate the need to remember passwords or carry tokens. They’re fast, frictionless, and supposedly foolproof.
From a technological standpoint, this is the thesis—a belief in progress through innovation. It reflects a broader ideology that sees technology as neutral and inherently beneficial, a tool that simply needs to be refined and deployed.
But as Marx would remind us, every system contains the seeds of its own contradiction.
Antithesis: The Irreversible Identity Trap
Here’s the contradiction: biometric data is permanent. You can’t change your fingerprint. You can’t reset your face. If someone obtains your biometric—through a breach of the server that stores the template, a compromised sensor, or a spoof built from a lifted print or a high-resolution photo—you can’t undo the damage. You are now your own vulnerability.
This creates a profound asymmetry. While passwords and tokens can be revoked, biometric data is non-revocable. And in a world of increasing cyber threats, that’s not just a technical flaw—it’s a philosophical one.
It undermines a core principle of justice: the ability to deny, contest, or revoke. If your biometric identity is used in a fraudulent transaction, how do you prove it wasn’t you? The system assumes your body is your consent.
This is what Marx might call alienation—not from labor, but from identity. You become estranged from your own self, which is now digitized, stored, and controlled by systems you don’t own and can’t fully understand.
Synthesis: Toward a Just and Reversible Identity System
A dialectical approach doesn’t stop at critique. It seeks a synthesis—a new way forward that resolves the contradiction.
This might mean rethinking identity systems altogether. Instead of relying on biometrics at all, we can design multi-factor systems that do without them.
We’re often told that the future of security lies in our fingerprints, faces, and irises. But what if you’re not comfortable handing over your body to a database? What if you believe, like many do, that security should be flexible, revocable, and under your control?
Good news: you don’t need biometrics to stay secure. There are plenty of strong, privacy-respecting ways to protect your digital identity. Let’s explore some biometric-free multi-factor authentication (MFA) options that are just as effective—if not more so.
Password + Hardware Token
- What you know: A strong password or passphrase.
- What you have: A physical security key (like a YubiKey or smart card).
- Why it works: Even if someone steals your password, they still need your physical key to log in. A FIDO2 key also signs a challenge that is bound to the website’s origin, so a phishing page on a look-alike domain cannot use it.
Passphrase + Authenticator App
- What you know: A memorable, complex passphrase.
- What you have: A time-based code from an app like Aegis, Authy, or FreeOTP.
- Why it works: The code is computed from a secret seed that stays on your device plus the current time, and it changes every 30 seconds, so a captured code is worthless moments later. Aegis and FreeOTP keep the seed only on the device; Authy’s cloud backup is optional, so switch it off if that matters to you. Caveat: a phishing site that relays your code in real time can still get in, which is why hardware keys rank higher.
Email Link + Trusted Device
- What you have: Access to your email account, where the one-time login link is delivered.
- What you also have: A device holding a client certificate, or a browser the service has already trusted.
- Why it works: The link alone does not log you in; the login only completes from the device that holds the certificate, so someone who reads your email gets nothing. Caveat: on its own an email link is only as strong as your mailbox, so protect the mailbox with one of the other options here.
Encrypted QR Code + PIN
- What you have: A QR code stored securely (on a USB stick or offline phone).
- What you know: A PIN to unlock or decrypt the code.
- Why it works: The QR code only carries an encrypted secret (for example a TOTP seed or a private key); without the PIN it is noise. Caveat: the code itself does not rotate, so if it is copied everything rests on the PIN, which should be a long passphrase rather than four digits.
One-Time Code List + Lookup Rule
- What you have: A printed or digital list of single-use codes (often loosely called a one-time pad, although it encrypts nothing).
- What you know: A secret rule for choosing which code to use.
- Why it works: A thief who finds the list still has to guess your rule. Caveat: a rule such as “use every third code” has only a handful of possibilities and adds a few bits at most, so the real protection is that each code works once and the server locks out after a few wrong tries. Treat the list as the factor and guard it accordingly.
Diceware Passphrase + Second Factor
- What you know: A high-entropy passphrase of random words picked with dice from the Diceware word list (in the style of “correct horse battery staple”).
- What you have: A second factor like a hardware token or authenticator app.
- Why it works: Diceware passphrases are both strong and memorable. Paired with a second factor, they offer robust protection without relying on biometrics or centralized systems.
Additional options
Passkeys (without biometrics)
- What you have: A cryptographic key pair stored on your device or in a password manager’s vault.
- Why it works: The key pair is unique per website, the private key never leaves your device, and the site stores only the public key. You can unlock it with a PIN or password instead of a fingerprint or face.
- Benefit: No passwords to remember, phishing-resistant, and biometric-free.
Smartcard + PIN
- What you have: A physical smartcard (such as an eID or corporate badge).
- What you know: A PIN that activates the card.
- Why it works: The card holds a private key that never leaves it, the PIN is checked on the card itself, and the card locks after a few wrong entries. Widely used in professional environments.
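The hardware token, passkey and smartcard options above all rest on the same mechanism: a private key that stays on the device signs a fresh challenge, and the signed data is tied to the site asking for it. The Go program below is an added illustration of that mechanism, written for this post; it is not code from YubiKey, FIDO2/WebAuthn, PIV or any product named here, and it uses a simplified message format (Ed25519 over SHA-256(RP ID) || challenge, a PIN modelled as a string compare, and the made-up domains bank.example and bank-login.example) rather than the real WebAuthn structures. The properties it demonstrates are the real ones: the server stores nothing secret, a look-alike domain cannot obtain a usable signature, and an old assertion cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the device side (passkey, security key or smartcard): the
// private key is generated here, never exported, and scoped to one relying
// party (rpID). The PIN stands in for user verification and stays local too.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
	pin  string
}

// Assertion is the device's answer to a login challenge.
type Assertion struct {
	RPIDHash  [32]byte
	Signature []byte
}

// NewAuthenticator creates a credential for rpID; the server keeps only the public key.
func NewAuthenticator(rpID, pin string) (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing OS CSPRNG is not recoverable here
	}
	return &Authenticator{rpID: rpID, priv: priv, pin: pin}, pub
}

// signedData = SHA-256(rpID) || challenge; binding the RP ID is what makes it phishing-resistant.
func signedData(rpIDHash [32]byte, challenge []byte) []byte {
	return append(append([]byte{}, rpIDHash[:]...), challenge...)
}

// Assert answers a challenge the browser relays for requestingRPID, a value the
// browser derives from the page's real origin, so a look-alike domain gets nothing.
func (a *Authenticator) Assert(requestingRPID, pin string, challenge []byte) (Assertion, error) {
	if requestingRPID != a.rpID {
		return Assertion{}, fmt.Errorf("no credential for %q", requestingRPID)
	}
	if pin != a.pin {
		return Assertion{}, errors.New("user verification failed")
	}
	h := sha256.Sum256([]byte(a.rpID))
	return Assertion{RPIDHash: h, Signature: ed25519.Sign(a.priv, signedData(h, challenge))}, nil
}

// RelyingParty is the website. A breach of its database leaks only a public key.
type RelyingParty struct {
	ID        string
	pub       ed25519.PublicKey
	challenge []byte // outstanding nonce; nil when none
}

// NewChallenge issues a fresh random nonce, so every assertion is single-use.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.challenge = make([]byte, 32)
	if _, err := rand.Read(rp.challenge); err != nil {
		panic(err)
	}
	return rp.challenge
}

// Verify checks an assertion against the outstanding challenge and consumes it.
func (rp *RelyingParty) Verify(as Assertion) error {
	challenge := rp.challenge
	rp.challenge = nil // consumed whether or not verification succeeds
	switch {
	case challenge == nil:
		return errors.New("no outstanding challenge")
	case as.RPIDHash != sha256.Sum256([]byte(rp.ID)):
		return errors.New("assertion was made for a different relying party")
	case !ed25519.Verify(rp.pub, signedData(as.RPIDHash, challenge), as.Signature):
		return errors.New("bad signature: wrong key, tampered data or replayed challenge")
	}
	return nil
}

// RunScenario registers a passkey at bank.example and tries four logins: the
// genuine one, a phishing domain, a wrong PIN, and a replay. Only the first succeeds.
func RunScenario() (legit, phish, wrongPIN, replay error) {
	auth, pub := NewAuthenticator("bank.example", "4242")
	rp := &RelyingParty{ID: "bank.example", pub: pub}
	as, err := auth.Assert("bank.example", "4242", rp.NewChallenge())
	if err != nil {
		panic(err)
	}
	legit = rp.Verify(as)
	_, phish = auth.Assert("bank-login.example", "4242", rp.NewChallenge()) // look-alike domain
	_, wrongPIN = auth.Assert("bank.example", "0000", rp.NewChallenge())
	rp.NewChallenge()
	replay = rp.Verify(as) // old assertion over a challenge that is no longer outstanding
	return
}

func main() {
	legit, phish, wrongPIN, replay := RunScenario()
	fmt.Printf("genuine: %v\nphishing: %v\nwrong PIN: %v\nreplay: %v\n", legit, phish, wrongPIN, replay)
}
```

Run it with `go run .` and only the genuine login reports `<nil>`. Real WebAuthn adds a signature counter and has the browser, not the caller, supply the RP ID; the trust model is the one shown here.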
Offline TOTP Generator (air-gapped)
- What you have: A device with no network connection at all (an old smartphone, say) running a TOTP app.
- What you know: A PIN that unlocks the app; the secret seed itself stays inside the app.
- Why it works: No cloud, no sync, no biometrics, just local time-based codes. Caveat: the device’s clock has to stay within the server’s drift window, so check it now and then.
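Both the authenticator-app option and the air-gapped generator above run the same arithmetic, which is small enough to show in full. The Go program below is an added example written for this post, not code from Aegis, FreeOTP, Authy or any other app: HOTP (RFC 4226) and TOTP (RFC 6238) as specified, using the RFC’s own test seed, plus a server-side Verifier. The Verifier type, its Skew field and the rule that a time step is accepted at most once are my design choices, not part of either RFC; they are what stop a shoulder-surfed or phished code from being reused inside its 30-second window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const (
	Step   = 30 // seconds per time step (RFC 6238 default)
	Digits = 6
)

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically
// truncated to a 31-bit integer and reduced to Digits decimal digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// TOTP is RFC 6238: HOTP with counter = floor(unixTime / Step).
func TOTP(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/Step))
}

// DecodeSecret parses the base32 seed found in otpauth:// URIs and QR codes
// (case, spaces and trailing "=" padding are all tolerated).
func DecodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verifier is the server side. It tolerates Skew steps of clock drift either
// way, but never accepts a step at or before the last one that succeeded, so
// a code that was seen or phished cannot be reused inside its window.
type Verifier struct {
	Secret   []byte
	Skew     int64  // steps of drift tolerated in each direction
	lastStep uint64 // highest step accepted so far (0 = none, which only excludes 1970)
}

// Verify compares the code against every step in the window in constant time per candidate.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	now := unixTime / Step
	for d := -v.Skew; d <= v.Skew; d++ {
		step := now + d
		if step < 0 || uint64(step) <= v.lastStep {
			continue
		}
		if hmac.Equal([]byte(HOTP(v.Secret, uint64(step))), []byte(code)) {
			v.lastStep = uint64(step)
			return true
		}
	}
	return false
}

func main() {
	// The RFC 6238 test seed, "12345678901234567890", as an app would scan it.
	secret, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := TOTP(secret, now)
	v := &Verifier{Secret: secret, Skew: 1}
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The air-gapped device runs only the first half (HOTP, TOTP and the clock); nothing about the scheme needs a network, which is why an old phone in flight mode works. Note that the server must also keep the seed, so the server-side copy is the one a breach would expose.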
Paper Backup Codes + Secret Salt
- What you have: A list of single-use codes on paper.
- What you know: A secret “salt” or pattern you apply to each code (for example, add 3 to the last digit).
- Why it works: Someone who finds your list still has to work out the transformation. Caveat: “add something to the last digit” has only ten possibilities, so it adds about three bits; the codes themselves, their single use, and the server’s attempt limit are what actually protect you.
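To put numbers on the caveat in both the “One-Time Code List + Lookup Rule” and “Paper Backup Codes + Secret Salt” options, here is an added Go example written for this post (not code from any password manager or service). It generates backup codes, keeps only their hashes on the server side with single-use redemption, and then plays the thief who found the paper and tries every “shift the last digit by k” rule. The names (Store, Redeem, ApplyRule), the 8-digit code length and the rule family are my assumptions chosen to match the post’s example; the entropy arithmetic does not depend on them.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

const codeLen = 8 // digits, so the post's "+3 to the last digit" rule applies as written

// GenerateCodes draws n numeric codes from the OS CSPRNG, one uniform digit at a time.
func GenerateCodes(n int) ([]string, error) {
	codes := make([]string, n)
	for i := range codes {
		var sb strings.Builder
		for j := 0; j < codeLen; j++ {
			d, err := rand.Int(rand.Reader, big.NewInt(10))
			if err != nil {
				return nil, err
			}
			sb.WriteByte(byte('0' + d.Int64()))
		}
		codes[i] = sb.String()
	}
	return codes, nil
}

// CodeBits is the entropy of one code: log2(10^codeLen), about 26.6 bits for 8 digits.
func CodeBits() float64 { return float64(codeLen) * math.Log2(10) }

// RuleBits is what a "secret rule" adds: log2 of the size of its family.
// "Shift the last digit by k" has ten members, so roughly 3.3 bits.
func RuleBits(familySize int) float64 { return math.Log2(float64(familySize)) }

// Store is the server side. It keeps SHA-256 digests rather than codes (enough to
// stop a casual reader of the database; 10^8 digits is still cheap to brute force
// offline, which is why single use and rate limiting matter) and deletes a digest
// the moment its code is redeemed.
type Store struct {
	digests  map[string]bool
	Attempts int // every Redeem call, good or bad: feed this to rate limiting
}

func digest(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

func NewStore(codes []string) *Store {
	s := &Store{digests: make(map[string]bool)}
	for _, c := range codes {
		s.digests[digest(c)] = true
	}
	return s
}

// Redeem accepts a code exactly once.
func (s *Store) Redeem(code string) error {
	s.Attempts++
	d := digest(code)
	if !s.digests[d] {
		return errors.New("invalid or already used code")
	}
	delete(s.digests, d)
	return nil
}

// ApplyRule models the post's "secret salt": add k (mod 10) to the last digit.
// The user writes down ApplyRule(real, -k) and computes ApplyRule(written, k) at login.
func ApplyRule(code string, k int) string {
	b := []byte(code)
	last := int(b[len(b)-1] - '0')
	b[len(b)-1] = byte('0' + ((last+k)%10+10)%10)
	return string(b)
}

// BruteForceRule is the thief who found the paper: try every shift of the
// written code until the server accepts one. Returns attempts used and success.
func BruteForceRule(s *Store, written string) (int, bool) {
	for k := 0; k < 10; k++ {
		if s.Redeem(ApplyRule(written, k)) == nil {
			return k + 1, true
		}
	}
	return 10, false
}

func main() {
	codes, err := GenerateCodes(10)
	if err != nil {
		panic(err)
	}
	store := NewStore(codes)
	written := ApplyRule(codes[0], -3) // what the user's paper shows for a "+3" rule
	tries, ok := BruteForceRule(store, written)
	fmt.Printf("code: %.1f bits, rule: %.1f bits; thief got in after %d attempts: %v\n", CodeBits(), RuleBits(10), tries, ok)
}
```

The thief needs at most ten guesses, and with a “+3” rule exactly four. Whatever the server does with `Attempts` (lock after five failures, alert the user) matters far more than the rule; and since 8 digits is only 26.6 bits, real services issue longer codes and still treat the hashed store as sensitive.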
Contemporary Philosophers and a Security Technologist on the Ethics of Biometric Identity
Contemporary philosophers are increasingly engaging with the ethical and political implications of biometric technologies—especially as they become embedded in everyday life.
Robert A. Whitelaw, in his Rawlsian analysis of biometric policy, applies the concept of the “veil of ignorance” from A Theory of Justice by John Rawls. He argues that just systems must be designed as if we didn’t know our future position in society. This thought experiment forces us to consider whether we would still support a system if we might one day be among the most vulnerable.
Whitelaw asks:
“Would you still support a system that stores your face forever if you knew it might one day be used against you?”
His critique highlights how biometric systems often fail to meet Rawls’ principles of fairness and equal liberty, especially when they are implemented without mechanisms for revocation or contestation.
Sasha Shilina, in her essay In the Eyes of Technology (2024), explores the philosophical and cultural dimensions of biometric identity. She challenges the idea that technology is neutral, writing:
“Technology is never neutral—it encodes values, desires, and power structures.”
Drawing on thinkers like Heidegger, she argues that biometric systems reflect deeper assumptions about identity, control, and surveillance. Shilina emphasizes that these systems are not just technical tools, but cultural artifacts that shape how we understand ourselves and others.
Bruce Schneier, a security technologist, has warned in various writings that biometrics are not secrets and should therefore not be treated like passwords.
“You can’t revoke your fingerprint. You can’t get a new retina. Once someone has your biometric, they can use it to impersonate you forever.”
He argues that biometrics can work for identification, and for authentication where the sensor and the path to it are trusted, but become dangerous once the biometric is sent over a network or stored centrally: at that point it is just data, and data can be stolen and replayed.
Schneier also touches on the power imbalance created by biometric systems. When governments or corporations collect and control biometric data, individuals lose the ability to opt out, revoke, or contest their identity. This creates a system where:
- the user is permanently exposed, and
- the institution gains long-term control over a person’s access, movement, and even legal status.
This echoes my concern about irreversible identity traps and aligns with the critiques of Sasha Shilina, Robert Whitelaw and Bruce Schneier.
A growing number of scholars are raising metaphysical concerns as well: if identity is reduced to a hash, a vector, or a digital signature, what happens to the richness of personhood? Are we becoming mere data points in a surveillance economy? These questions echo the concerns of philosophers like David Lyon and Shoshana Zuboff, who warn that the commodification of identity risks eroding the very notion of the self.
Security That Evolves With Us
My concern—that biometric systems are dangerously inflexible—is not just valid, it’s urgent. In a world of evolving threats, we need security systems that can evolve too. Systems that allow for change, for contestation, for human error and human dignity.
Biometrics may be part of the solution, but they cannot be the whole. A just digital identity system must be reversible, transparent, and accountable. It must reflect not just what we are, but who we are—and who we might become.
Because in the end, the most secure system is one that respects our ability to change.
More radically, we could move toward self-sovereign identity systems, where individuals control their own credentials and can revoke or update them as needed. These systems would be decentralized, transparent, and accountable—designed not just for efficiency, but for justice.
Let’s dive deeper into Self-Sovereign Identity (SSI): how it works, why it matters, and where it is already in use.
What Is Self-Sovereign Identity?
Self-Sovereign Identity (SSI) is a model of digital identity that puts you—the individual—in full control of your credentials. Unlike traditional systems where your identity is managed by governments, corporations, or platforms like Google or Facebook, SSI allows you to own, manage, and share your identity on your terms.
Core Principles of SSI:
- Decentralization: No single authority controls your identifiers. They are often anchored in a distributed ledger, but a ledger is not required; the point is that no one provider’s database is the root of trust.
- Verifiable Credentials: You receive cryptographically signed credentials (e.g., diplomas, licenses) that a verifier can check against the issuer’s public key without contacting the issuer; only the credential’s revocation status needs a published status list.
- Selective Disclosure: You can choose what information to share, and with whom—no more handing over your full ID just to prove your age.
- Revocability: The issuer can revoke a compromised or outdated credential, and you can rotate the keys that bind it to you, so a compromise does not follow you for life.
- Privacy by Design: Your data isn’t stored in a central database, reducing the risk of mass breaches.
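The principles above (offline verification, selective disclosure, revocation) fit in one short program. What follows is an added example written for this post, not code from Sovrin, Dock, the W3C Verifiable Credentials data model or any other project: a simplified salted-hash scheme in the spirit of SD-JWT, where the issuer signs only per-claim digests, the holder reveals the salt and value of the claims it chooses, and the verifier checks everything against the issuer’s public key and a cached revocation list. The credential ID cred-0001, the claim names and the hex-salt format are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Disclosure is one claim plus the random salt that hides it behind its digest;
// without the salt a verifier could guess low-entropy values (a birth year).
type Disclosure struct {
	Salt, Name, Value string
}

// Digest length-prefixes each part so that "a"+"bc" and "ab"+"c" cannot collide.
func (d Disclosure) Digest() string {
	h := sha256.New()
	for _, part := range []string{d.Salt, d.Name, d.Value} {
		fmt.Fprintf(h, "%08x%s", len(part), part)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Credential is all the issuer signs: an ID (used for revocation) and the sorted
// claim digests. The claim values themselves are not in the signed object.
type Credential struct {
	ID      string
	Digests []string
	Sig     []byte
}

func (c Credential) signingInput() []byte {
	return []byte(c.ID + "\x00" + strings.Join(c.Digests, "\x00"))
}

// Issue salts and digests every claim, signs the digest list, and hands the
// holder the credential plus all disclosures.
func Issue(issuerKey ed25519.PrivateKey, id string, claims map[string]string) (Credential, []Disclosure) {
	var all []Disclosure
	cred := Credential{ID: id}
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err) // a failing OS CSPRNG is not recoverable here
		}
		d := Disclosure{Salt: hex.EncodeToString(salt), Name: name, Value: value}
		all = append(all, d)
		cred.Digests = append(cred.Digests, d.Digest())
	}
	sort.Strings(cred.Digests) // order reveals nothing about which claim is which
	cred.Sig = ed25519.Sign(issuerKey, cred.signingInput())
	return cred, all
}

// Present picks the disclosures the holder is willing to reveal to this verifier.
func Present(all []Disclosure, names ...string) []Disclosure {
	var out []Disclosure
	for _, d := range all {
		for _, n := range names {
			if d.Name == n {
				out = append(out, d)
			}
		}
	}
	return out
}

// Verify needs only the issuer's public key and a cached copy of its published
// revocation list: it never contacts the issuer and learns only the disclosed claims.
func Verify(issuerPub ed25519.PublicKey, revoked map[string]bool, cred Credential, disclosed []Disclosure) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, cred.signingInput(), cred.Sig) {
		return nil, errors.New("issuer signature invalid")
	}
	if revoked[cred.ID] {
		return nil, errors.New("credential has been revoked")
	}
	claims := map[string]string{}
	for _, d := range disclosed {
		dig := d.Digest()
		i := sort.SearchStrings(cred.Digests, dig) // Digests is sorted, so binary search
		if i == len(cred.Digests) || cred.Digests[i] != dig {
			return nil, fmt.Errorf("claim %q was not signed by the issuer", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, all := Issue(priv, "cred-0001", map[string]string{"name": "A. Holder", "birth_year": "1990", "address": "Somewhere 1"})
	claims, err := Verify(pub, nil, cred, Present(all, "birth_year"))
	fmt.Println("verifier learned:", claims, err) // only birth_year, with no call to the issuer
	_, err = Verify(pub, map[string]bool{"cred-0001": true}, cred, Present(all, "birth_year"))
	fmt.Println("after the issuer revokes cred-0001:", err)
}
```

Two things worth noticing: the verifier sees three digests but can only name the one claim it was handed, and revocation is the one step that still depends on the issuer, through a status list the verifier fetches on its own schedule rather than a call that tells the issuer where the credential is being used.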
Why It Matters
SSI addresses many of the concerns raised above:
- No biometrics required: You don’t need to tie your identity to your body.
- No irreversible exposure: Credentials can be revoked or rotated.
- No surveillance-by-default: You control what’s shared, and the issuer need not learn where you use a credential.
- No power asymmetry: You’re not dependent on a central authority to prove who you are.
Guiding Principles for Biometric-Free Security
When designing or choosing an MFA system without biometrics, keep these values in mind:
- Revocability: You can change or replace your credentials if needed.
- Portability: You can take your security with you across devices and platforms.
- Anonymity: You don’t need to tie your identity to your body.
- Control: You decide when and how to authenticate.
Real-World Examples
Here are open-source, self-hostable options. Keycloak and authentik are conventional identity providers that you run yourself: not SSI, but they keep your login infrastructure out of a third party’s hands and both support passkeys. Sovrin and Dock are SSI platforms proper, in the democratic and decentralized spirit described above:
Keycloak
- An open-source identity and access management solution started at Red Hat and now a CNCF project.
- Fully self-hostable; supports OpenID Connect, SAML 2.0 and WebAuthn, and can federate with external identity providers.
- Ideal for: Organizations and developers who want full control over their identity infrastructure.
authentik
- A privacy-focused, open-source identity provider built for flexibility and transparency.
- Designed to be self-hosted, with support for modern authentication standards like OAuth2, SAML, and WebAuthn.
- Ideal for: Privacy-conscious communities and institutions seeking alternatives to corporate ID systems.
Sovrin Network
- A global public utility for SSI, built on Hyperledger Indy.
- Community-governed, open-source, and designed specifically for decentralized identity.
- Ideal for: Governments, NGOs, and individuals seeking a truly decentralized identity ecosystem.
Dock.io
- A blockchain-based platform for issuing and verifying verifiable credentials.
- Open-source SDKs and tools for building decentralized identity apps.
- Ideal for: Developers and institutions building credential systems with user control at the core.
We deliberately leave Microsoft, a large, centralized tech corporation, out of this list. Microsoft Entra Verified ID does implement the W3C Verifiable Credentials and DID standards, but it runs on corporate-controlled infrastructure, which conflicts with the core values of decentralization, user autonomy, and privacy.
True SSI is about empowering individuals, not just improving efficiency or compliance for enterprises.
Finally
As we navigate the digital age, the question of identity is no longer just philosophical—it’s deeply practical, political, and personal. The tools we choose to secure ourselves shape not only our privacy, but our autonomy, our dignity, and our place in society. Rejecting biometrics isn’t about rejecting technology—it’s about demanding systems that respect our right to change, to revoke, and to remain in control. In a world where identity is increasingly digitized, the most radical act may be to insist that it still belongs to us.