We’ve all been told that passwords are not safe. After the Equifax breach, neither are our Social Security numbers, so what is left for criminals to take? Our fingerprints, facial recognition and iris scans–biometrics. Cutting-edge technology companies have relied on biometrics to beat out the password and SSN issues for authentication. So, is it possible that biometrics are the next heist for cyber-criminals?

Harry Sverdlove, former CTO of Carbon Black and CTO of Edgewise Networks, says it is. No one thought that 143 million SSNs would be exposed, and now they have – so why can’t biometrics be stolen as well?

For years, criminals have taken our passwords and our credit card numbers, but at least those pieces of information can be changed. Now, you can assume they also have your Social Security number, which cannot be changed. None of these items have any value in and of themselves; criminals are after what those things unlock. If passwords and credit cards are the keys to your house, social security numbers are the master key. For every new method of identification, according to Sverdlove, consider how easily it can be stolen or reproduced, how easily it can be used if stolen and how easily it can be replaced or changed.

“Biometrics do well for two out of three of those,” he said. “They are harder to steal than simple passwords or numbers and, currently, they are hard to use at any large scale, but they are also nearly impossible to change. You cannot simply change your fingerprints or your face.”

While biometrics sounds very fancy, at the end of the day, those fingerprints, facial scans and iris patterns boil down to zeros and ones. It’s basically a long password stored on some computer. When you place your hand on the scanner, a computer converts your fingerprint into this complex password and compares it against whatever pattern it has on file for you. That stored pattern is what criminals will target. In some cases, like facial recognition, your password is already on the Internet for the world to see. The various pictures of you on social media can be combined to create three-dimensional models of your face.

Today, the most common use of fingerprints and facial scans are smartphones which store this information on the device itself. A criminal would have to gain access to your smartphone, requiring physical proximity, and even if they were able to steal that information, they would only have access to one person. It’s not a cost-effective process for a criminal who is motivated by profit.

But what happens when biometrics are used by a central authentication service or the government? And what happens if they store this information in a single database with poor security? “If that seems implausible, consider that 143 million social security numbers, along with lots of other personally identifying information, were stored improperly by a single clearinghouse,” said Sverdlove. “Why would a criminal target a million individual smartphones when there is a database sitting somewhere just asking to be compromised. It is not only plausible, it is inevitable.”

There is interesting work happening in the field of implants, like RFID chips which can be embedded in the skin. While this sounds kind of creepy, consider that an RFID chip is no less creepy than a fingerprint or DNA scan–except it has one big advantage: It can be replaced if stolen or duplicated. The problem is not with biometrics or chips; it is with how and where the digital patterns are stored. Therefore, multi-factor authentication is the most effective thing we can do to protect our identity.

For example, something you know (e.g., a password or PIN), coupled with something you are (e.g., a biometric scan) or something you have (e.g., a smartphone or an RFID chip). This means a criminal would have to steal two very different types of information to steal your identity. That is difficult to do at scale–if the authentication service does not store both pieces of information together in some unprotected database. If at least one of those factors is constantly changing, like a rotating PIN number or a text-message code or a geo-location, that is the ideal situation because it cannot be stolen from a central database.

“The most common mistake companies make regarding authentication is thinking that multi-factor authentication simply means multiple questions,” he explained. “For example, knowledge-based authentication, where you are asked a series of personal questions in addition to your password or Social Security number, is not secure. It doesn’t matter how many questions they ask, it is still one factor–something you know. More importantly, pretty much every answer to personal questions can be found on the Internet, in social media posts and public records.”

Snail mail may not be the quickest solution in a digital world of immediacy, but if this is something sensitive, like opening a bank account or credit line, then snail mail it is more secure. It is multi-factor authentication because it first requires something you know like a Social Security number, and then someplace you live. We already assume the criminal has the first piece of information. They would have to physically go to your house or intercept your mail to get the second piece of information.

“Whether sending a message to an email account, or texting a code to a cell phone, or sending a letter to a mailing address, the key is not asking the person to provide that address or phone number because you must assume that person is a potential criminal,” explained Sverdlove. “Email accounts are the easiest to compromise; cell phones are harder but can be spoofed; and taking over someone’s physical home is the hardest. So yes, for some activities, we should go retro and embrace snail mail.”

The same anonymity we love about the Internet is what makes identification and authentication so difficult. Information is easy to steal, and even easier to fake, so relying on information–like passwords and numbers–to authenticate a person is losing proposition.

He said, “The other thing we love about the Internet is convenience. No one wants to remember long passwords, wait weeks, or jump through hoops to access services. Text messages, biometrics and RFID chips are all ways to provide more complex passwords or multi-factor authentication with minimal impact on convenience. If these methods become too cumbersome or unreliable, people simply won’t use them.”

Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more.