Are Biometrics as a Form of Authentication Over-hyped and Unreliable?
When Apple introduced the Touch ID fingerprint access button, commentators believed it would kick-start the ever-promising, never-quite-delivering biometric market. But Touch ID was defeated by hackers within days. When Apple introduced the FaceID biometric, the same happened – it was defeated within weeks. In November 2017, F-Secure demonstrated that Android’s Trusted Face Smart Lock can be defeated by a selfie. Also in November, researchers at the University of Eastern Finland concluded that voice impersonators can fool speaker/voice recognition systems.
There is probably no physical biometric factor that has not been defeated by hackers or researchers. Which begs the question: are biometrics as a form of authentication over-hyped and unreliable? Can they possibly provide an alternative to the much denigrated password?
Biometrics in use
Large-scale use of biometric authentication is primarily tied to smartphones. The wide-range of sensors built into these handheld and ubiquitous devices make them an ideal tool for face and iris recognition (camera), voice (microphone), and touch (fingerprint). This authenticates the user to the device, allowing further authorized access to other devices via the phone (although this does not, in itself, confirm that it is the authenticated user still operating the phone).
Banks are increasingly using voice and face recognition via smartphones for mobile banking purposes. Barclays introduced phone-based voice authentication, and HSBC allowed selfie-based face authentication in 2016.
Biometrics are also used in stand-alone situations, where they can be used to access restricted buildings or rooms. For example, in December 2017, Los Angeles Airport started trialing facial biometrics to speed out-bound passenger flow. The passenger’s facial image is compared to the facial image captured during the immigration process to prove identity.
In such circumstances, biometrics are very popular; but we need to differentiate between consumer smartphone-based biometrics and corporate usage. Biometrics are not currently used widely within industry. The main reasons are cost, possible privacy issues, and because it cannot be guaranteed that every member of the workforce has a smartphone.
Biometric authentication has several distinct advantages over passwords. These include:
Ease of use – “Biometrics are incredibly popular with users,” explains Shane Young, president & CEO of inBay Technologies. “Inherent biological… features are convenient: they are part of who we are, always with us and in most cases, we don’t have to think too much to use them (unlike remembering a password).”
Numerous surveys have confirmed this. A July 2016 survey conducted by Visa said two-thirds of Europeans would welcome the use of biometrics in payments. An August 2017 survey by Unisys suggests that 68% of users would trust organizations more if they were to use biometric authentication; 63% believe it is more secure than PIN and password; and 57% believe fingerprints to be the most secure form of authentication.
Can’t be lost – Associated with ‘ease of use’ is the idea that, unlike passwords, biometrics can be neither lost nor forgotten because the user is the biometric. This is true, but needs two qualifications. Firstly, if the biometric device is a smartphone, then the phone itself can – and often is – lost or stolen. Secondly, like a password, it is the device that is authenticated at a point in time. Subsequent use of an authenticated device could be by anyone. In reality, the ‘cannot-be-lost’ argument offers little advantage for smartphone biometrics over passwords other than it is easier to forget a complex password than to lose a personal device, and it is easier to use than inputting a complex password.
Automatically unique – Biometrics are automatically unique to each user. This argument might not hold up against detailed scientific analysis – even fingerprints cannot be guaranteed to be 100% unique. Voices can be imitated and twins can have identical faces – but in general, the risk of such ‘collisions’ occurring naturally is very small.
Biometric authentication also has several weaknesses. These include:
Additional cost – A biometric solution cannot be implemented without incurring additional cost. “Anytime you require hardware, you incur additional cost – both monetary costs and costs in convenience (and therefore, cost to user adoption),” explains Ian Paterson, CEO of Plurilock. “Fingerprints require fingerprint readers, facial recognition requires special infrared cameras to work well, and retinal scans are even more cumbersome.”
Susceptibility to cloning or coercion – No biometric has yet proven itself to be proof against cloning. “Mainstream biometrics really means mobile devices, where – for the most part – they have only proven reliable enough at scale to be a convenience feature, used in parallel with the passcode as backup,” says security researcher and consultant, Stewart Twynham. “Even Tim Cook’s keynote announcement of Face ID came with the caveat that you should protect your data with a passcode if you have an ‘evil twin’.”
The implication is that biometrics are only as strong as the built-in biometrics found in the majority of contemporary smartphones – and these biometrics are routinely spoofed by researchers and hackers within days or weeks of their release.
“Whether a particular biometric method is useful or not depends on the sensor quality and ease of duplicating a particular biometric,” comments Jarno Niemela, lead researcher at F-Secure Labs. “For example fingerprints are a field where the attacker has significant advantage, since they are easy to copy and can be obtained from about anything that a person has been handling, or even from a photo.”
A related weakness in smartphone-based biometrics comes with the nature of smartphones – their mobility. This could allow a physical attacker to coerce the user into authenticating the device remotely. Since it is the device rather than the user of the device that is authenticated for mobile apps (whether they are banking apps or corporate access), a physical attacker such as a burglar could employ user-coercion (in crypto terms, aka ‘rubber-hose decryption’) to defeat biometric authentication.
Difficult to change – Despite the apparent strength of their apparent immutability, it is possible that biometric templates may need to be changed – but this is considerably more complex and costly than simply changing a password. There are two primary scenarios: theft of the biometric templates, and the aging of the user.
“Biometric data,” comments Carl Leonard, principal security analyst with Forcepoint, “is arguably more valuable than passwords since biometrics are, on the whole, immutable. The breach of the US Office of Personnel Management in 2015,” he adds, “included personal data of individuals including fingerprints.”
“The big problem with biometrics,” says Joseph Carson, chief security scientist at Thycotic, “is when they are compromised you cannot change them; it is like a hard-coded password which is a bad idea to use in today’s security world.”
The second scenario is an unknown quantity. Biometric characteristics actually do change over time. For example, fingerprints get worn through incessant use and/or injury, and voices change with age and illness. Where biometrics are already in use, their use is too recent to know whether this will prove a problem over time. Machine learning techniques could be used to adapt the template slowly with minute changes as they occur, but this simply adds more complexity and cost to the solution.
Privacy push-back – Despite consumer acceptance of smartphone-based biometrics, there is less overwhelming acceptance from corporate users. Many such users are unhappy about handing permanent personal data to what might prove to be a temporary employer. Such personal and perhaps conflicting attitudes to the private nature of biometrics are reflected in some contemporary legal concerns.
For example, comments Darren Abernethy, senior global privacy manager at TrustArc, “Some laws, such as the EU’s rapidly approaching General Data Protection Regulation (GDPR, which takes effect May 25, 2018), treat newly defined ‘biometric data’ as in essence sensitive personal information (SPI). The mandatory use of biometric data for authentication purposes creates the ironic situation where an individual must offer sensitive information – and likely separately provide explicit consent for its processing – in order to access a particular piece of hardware/software that itself may not otherwise contain SPI.”
This even tips over into constitutional issues. “There is a relevant Constitutional Fifth Amendment consideration with biometric data as well,” adds Abernethy; “namely, that whereas the government forcing an individual to reveal a traditional text-based password would amount to impermissible compelled testimonial self-incrimination, the same is not true with respect to a fingerprint.” In law enforcement scenarios, biometric authentication of smartphones is less secure than ‘forgettable’ passwords, since the user can be compelled to unlock the phone with biometrics; but not with a password.
For at least a decade, each new year has started with predictions that this will be the year in which biometrics takes over authentication. It hasn’t happened yet. Nevertheless, the obvious advantages of biometrics remain compelling. The predictions continue; but have become more tempered.
“In 2018,” TrustArc’s Abernethy told SecurityWeek, “we’ll see less emphasis on traditional passwords and more on ways to achieve security via 2-factor authentication techniques involving biometric solutions like voice recognition, facial scans and fingerprints. For security vendors, the storage and record-keeping stakes are higher to protect biometric data because contrary to a credit card number that can be discontinued, you can’t replace a person’s facial structure with a new one once a facial scan is compromised.”
The biggest advantage is that biometrics reduce user ‘friction’; that is, the amount of effort required to properly authenticate yourself before using a system. The greater the friction, the greater the likelihood that the user will try to circumvent the controls that inhibit easy working. Biometrics do not eliminate friction, but they drastically reduce it.
The biggest disadvantages include cost, complexity, and a lack of clear proof that biometrics cannot be circumvented or defeated. More sophisticated biometric sensor devices can improve their reliability, but that will always come with a cost. “Next improvement in fingerprint scanning,” comments F-Secure’s Niemela, “will be sensors that are capable of also identifying the blood vessels in fingers, in which case just duplicating a visible print will not be enough.”
A 3D facial recognition system with infrared scanning would also improve facial scans. “With infrared cameras,” he adds, “cold objects (such as a photo image) will not show at all, or at least not correctly; and even a mask will very likely present a distorted thermal image.”
The improving technology of biometric scanners can be seen in Microsoft’s Windows Hello facial recognition system. In December 2017, researchers demonstrated that specially printed face images could defeat Microsoft’s ‘near infrared’ imaging in Windows 10 versions 1511 and 1607 – but not in the latest 1703 and 1709 versions.
Nevertheless, the continuing discussion over whether biometrics provide an adequate alternative, or addition, to passwords to solve the authentication problem ignores one underlying issue. Regardless of whether authentication is by either or both methods, it is a point-in-time authentication. Neither can ensure that the current user is the originally authenticated user. Current thinking is that this can be best solved by continuous and passive biometric behavioral user monitoring – which, notes Plurilock’s Paterson – has the additional advantage of not requiring any extra hardware.
Behavioral biometrics aggregates a potentially wide-range of features that can be gathered passively from each individual user. Some of these have been used by security officers for many years. For example, if the IP address of a local employee suddenly switches to Russia or China, the system can be fairly certain that it is not the legitimate user, and can block further access.
New behavioral biometric applications are adding additional options, such as the user’s keyboard cadence and mouse gestures. How many different ‘biometrics’ are included in such authentication can be tailored to the system being accessed: particularly sensitive areas of the environment can require additional continuous authentication.
It is a new approach that is yet to be proven over time or at scale – but it promises much. If the user is continuously monitored, it reduces the reliance on the initial authentication. This cannot be eliminated, but could be designed to reduce user friction on access. Less strong passwords or more basic fingerprint or face scanners could be used, with the knowledge that any intruder will be immediately recognized by the behavioral biometrics.
It is possible that we are entering a new debate before the old one is settled. It could be that the debate will become one of whether passwords or static biometrics should be paired with continuous behavioral biometrics.
The argument is similar to whether perimeter defenses should be replaced by incident response defenses. In this analogy, static passwords or biometrics are akin to perimeter defenses (anti-virus and firewalls); while behavioral monitoring is akin to network anomaly detection. The answer is the same in each case: you need both defenses, and you need both methods of authentication to remain secure.
“The premise of [static] biometric authentication is a powerful and effective security measure,” summarizes James Romer, EMEA chief security architect at SecureAuth. “But It is important to remember that authentication via facial recognition is not new and that no security measure is a silver bullet. No single authentication technique is beyond the reach of cyber criminals. Devices will be hacked and sensors will be tricked. It is important to layer such technology with adaptive authentication methods, such as IP reputation, ph
one number fraud prevention capabilities or behavioral biometrics. Effective security depends on layers.”
The bottom-line is that authentication is a risk valuation. Individual security officers need to balance the increased friction and cost of multiple layers of authentication, including passwords and/or biometrics and ongoing behavioral biometrics, to the risk involved to their own data in their own environment. What might be the right solution for one organization or environment might be the wrong solution for another.