Beating biometrics: Why biometric authentication alone is not a panacea
As we witness the accelerating use of biometrics throughout our lives, we must pause to consider the risks and ramifications of doing so as technological advancements make it increasingly easy to mimic, manipulate and manufacture biometry. As the world becomes more reliant on biometric authentication, it’s vital that we understand how it’s being threatened, what happens when it’s compromised and what we can do to prevent a biometric dystopia.
Biometrics are under threat from a confluence of emerging technologies including artificial intelligence (AI), machine learning (ML), 3D printing, graphics, and advanced optics and sensors. These technologies threaten to undermine the very integrity of biometrics.
Fingerprint fraud
While our unique physical traits are inherent to each of us, the data that represents that biometry is not. That is, when one verifies their fingerprint, the unique patterns of physical ridges that constitute their fingerprint are digitally translated into data by a sensor, and that data can then be stored, shared and even modified. This creates an opportunity for exploitation.
In January 2017, researchers from Japan’s National Institute of Informatics were able to demonstrate that they could successfully extract fingerprints from photos of individuals using simple mid-level consumer digital cameras. Once this biometric data has been syphoned, synthetic copies of that fingerprint can easily be created with consumer-grade 3D resin printers.
Police in Michigan did just that in 2016, albeit with fingerprint data sourced from a police repository rather than extracted from a photo. Working with a local university, law enforcement was able to create a replica of a murder victim’s finger complete with fingerprint in order to unlock that victim’s phone to access potential evidence.
Facial fraud
Facial recognition is even more vulnerable to such attacks. From social networks to driver licenses to the security cameras used inside and outside of the places we shop, the biometry of our faces is readily available for the taking.
While rudimentary facial recognition can be defeated with a simple picture of the authorized individual, more modern systems that rely on three-dimensional comparisons can be defeated with a 3D-printed head, just as researchers successfully demonstrated in 2018 against certain Samsung, LG and OnePlus phones.
Think it’s infeasible or impractical to extract a 3D rendering of a target’s face from a 2D photo or video frame? Not only have advancements in machine learning and computer vision made this possible, but a startup launched just this year provides this very capability through an online service.
Vein authentication. In vain?
Since most veins under our skin aren’t externally visible, vein authentication has been touted as a better biometric alternative. In this approach, the unique placement and dimensions of the veins under an individual’s skin are used to identify them. However, just because veins aren’t visible to the human eye doesn’t mean they can’t be seen and remotely extracted.
Using an SLR camera with the infrared filter removed, German researchers last year remotely extracted the vein patterns from an individual’s hand from five meters away. They then used this data to create a wax model of the hand complete with synthetic veins to successfully trick a vein scanner. One of the researchers noted, “I was quite surprised that it was so easy!”
All of this is to say that there is no biometric authentication method immune from attempted spoofing. Whether by recreating physical analogs or supplying the biometric verification system with fraudulent biometric data, there will always be attempted exploits. Even if these exploits are not available or practical today, emerging technologies will inevitably change that.
Now that we’ve addressed how biometrics are being defeated today, in part two of our series we’ll tackle how to secure the future of biometry and avoid a biometric dystopia.