
Biometrics: Secure Authentication for the Future?

In this ever-modernising age, using biometrics to authenticate identity is becoming increasingly popular. The biometric market contains numerous technologies, some of which have been integrated into devices for some time. These include fingerprint analysis and behavioural biometrics such as keystroke dynamics and voice recognition. These technologies have existed in phones since 2007 through well-known applications and functions including Siri (Apple's virtual assistant, released in 2011), Android 1.6 (with its introduction of keystroke dynamics in 2009) and the Toshiba G500 (the beginning of smartphone authentication through fingerprint scanning).

Recently, however, facial recognition has seen increasing adoption in smart devices such as the iPhone X and Microsoft Surface, and for the past three years Android devices (85% of the global market) have supported this physical biometric to identify user access to partnered smartphones. Over this timespan, issues associated with facial recognition have been identified and a proportion of them rectified. Yet some authentication disadvantages have remained insurmountable. Whilst biometric technology is applied in many environments, this discussion document is focused on consumer-grade authentication.

Several applications successfully use biometrics where all the conditions are controlled. However, there are many unresolved challenges in making biometric use universal and secure for authentication of an individual’s digital identity. This paper looks at a number of those issues.

Biometrics Disadvantages

Biometric authentication methods, encompassing facial recognition, fingerprint analysis and other biometric identifiers, suffer from these fundamental flaws:

  1. Once a biometric is captured at a certain point, it can be reproduced indefinitely. The current crop of facial recognition and fingerprint analysis systems can be bypassed with little effort.

  2. Once a biometric has become compromised, it cannot simply be reset, unlike passwords or PINs.

  3. Privacy and ethical constraints.

  4. The surrounding environment and usage over time can affect measurements.

  5. Current biometric systems are not 100% accurate.

  6. Many biometric systems require integration or additional hardware.

Once a biometric is captured, it can be reproduced indefinitely; current biometric authentication can be bypassed with little effort

Specialists promoting biometrics will always point to the positive developments in the technology. However, as security solutions become more sophisticated, the experts tend to leave out that attack methods and hardware advance in step, producing new techniques of infiltration. “For example, realising that fingerprint scans offered insufficient protection, Barclays, in 2015, progressed from using normal fingerprint scans to adopting technology that scans for the veins in users’ fingers. Despite this innovation, Swiss researchers beat the system using image-processing techniques in the same year.” (Bergsman, 2016)

A stolen biometric has far greater repercussions for users than a stolen password. A biometric reveals a part of the user’s identity that is intensely personal and could be used to falsify travel, criminal records and legal documents, quite apart from the fact that biometrics are fundamentally permanent.

In a well-recognized U.S. Government breach, fingerprints of 5.6 million individuals and Social Security numbers of 21.5 million individuals were compromised. In response, an intra-agency group was created to investigate the possibility of resulting payment fraud and creation of fake identities. Although Federal experts have stated that the ability to misuse fingerprint data is limited in this event, its probability will undoubtedly grow for breaches in the future.

Another, more recent breach saw the biometric authentication data of more than 1 million people compromised, including UK Metropolitan Police officers, defence contractors and bank employees (The Guardian, 2019). The system flaw enabled an infiltrator to view the real-time authentication of users as well as to change data and add new users. “It’s very common. There’s literally millions of open systems, and going through them is a very tedious process,” said Noam Rotem, an Israeli security researcher.

Bypassing facial recognition

Facial recognition is the second most installed biometric security in the market today, second only to fingerprint analysis. Three categories of attack form the basis for facial recognition breaches: impersonation through photography, video impersonation and 3D impersonation of the victim’s face, for example with a hyper-realistic mask.

The fundamental issues that arise are largely due to hardware and environmental factors such as whether the system utilises visible light or another method of recognition, the number of active sensors, resolution and lighting, to name a few. “Most of the state-of-the-art facial biometric systems are vulnerable to simple attacks that a regular person would detect easily” (Hernandez-Ortega, Fierrez, Morales, Galbally, & Marcel, 2019), and such attacks can be carried out at low cost, as high-resolution cameras are readily available and have long been cheap.

Photographic Impersonation

This extremely cheap and easily accessed method of infiltration is performed either by printing out a copy of the victim’s face or by presenting a high-resolution photograph on a device such as a smartphone, tablet or laptop.

Since the introduction of social media applications, it has become tenfold easier to circumvent simple facial recognition technology. There are countermeasures that perform well against such attacks; however, in some cases these are not a ‘stock’ option and need to be integrated into the product.

Video (Replay) Attacks

Correspondingly, video attacks reap the same availability benefit from the globally increasing use of video-sharing applications and social networks. Unlike photographs, videos provide an increased success rate because of the apparent liveness they add to the image. Additionally, once the footage has been copied, it is easily presented thanks to the global use of smartphones (now approaching 50% of the global population). More specific countermeasures are required to detect replay attacks and, as expected, these often need to be installed at extra expense.

Mask Attacks

Through 3D construction of an individual’s face, the attacker by and large has full access to the victim’s facial identification. Whilst being the most successful method, mask attacks are also the most expensive and difficult to access in comparison to photographic and replay attacks. This said, 3D facial recognition scanners can be circumvented simply by printing a 2D photo, attaching it to a deformable structure and wearing it as a mask. Whilst this is not as successful, especially against sophisticated identifiers, it fundamentally undermines the security of an extremely advanced and, to some extent, costly form of authentication.

However, even sophisticated 3D facial scanners can be deceived, although at far greater cost. 3D printers enable attackers to create a reconstruction of an individual’s face from two photos (frontal and profile). Although this method is unlikely to fool the highest calibre of scanner, it has been proven effective against most standard recognition systems. Yet, as technology advances, circumvention techniques keep pace. At an exorbitant cost, a new generation of 3D acquisition sensors has been developed that allows attackers to create a flawless copy of a target’s facial ID and breach even the most sophisticated scanners. (Hernandez-Ortega, Fierrez, Morales, Galbally, & Marcel, 2019)

Although a lot of work has been invested in integrating and developing facial recognition, it is ultimately an insecure method of authentication; even the manufacturer’s own disclaimer states that “face recognition is less secure than pattern, PIN or password.”

Once a biometric has become compromised, it cannot simply be reset, unlike passwords or PINs

A biometric cannot be tossed away and replaced like a password or a credit card number. Rather, it is permanently associated with a user. Recent experimentation with biometric template techniques such as salting and one-way encryption reduces the collateral damage. But just as with passwords that are reused across sites, there will always be a poorly designed system that can leak biometric credentials, ruining them for all other systems.

Despite advancements in security controls, one’s identity, which is invaluable and irreplaceable, will always be at risk. Systems such as these cannot be reset once compromised; they can be updated and improved upon, but there is no mechanism to change your face as simply as you could change a password or PIN. This gives fraudsters another point of identification to target. If wide adoption of facial recognition occurs, it is likely that a black market for face data will emerge, just as there is for addresses, dates of birth and your mother’s maiden name, thus simplifying third-tier mask attacks.

Privacy and ethical constraints

Biometric methods are not for all consumers. Whilst mobile devices such as smartphones will likely continue to integrate this technology for customer convenience, it is unlikely that enterprises will follow this path, as they increasingly understand the need for 4th level (maximum security) authentication to shield companies from the growing cyber threat.

Biometric systems invade user privacy, as the measurements produced are in fact highly sensitive personal data which is, in many cases, stored and re-used. Furthermore, this information is often available for disclosure, for example by the Australian Government to other governments (including U.S. immigration and security agencies). (Australian Policy Foundation, 2019)

Whilst the growing use of biometric data may not directly concern the users of today, or the new generation that has grown up amongst these developments, the current and future use of this technology to protect increasingly sensitive data looks increasingly likely to produce a wave of citizen regret. As databanks of a relatively permanent identifier multiply, the consequential risk of credential loss and/or misuse increases exponentially. Biometric readings are already mandatory at some airport customs points to ensure that the traveller is who they claim to be upon presentation of a passport; as international travel is predicted to increase by 35% over the next decade, numerous unavoidable databanks of biometrics are likely to be formed. Furthermore, an article in the Traveller discusses contemporary uses for biometrics, such as how “Hertz has already launched biometric kiosks” and how “hotels are trialling the technology too” (Groundwater, 2019), showing how widely and irresponsibly biometrics are being pushed.

If any one of these databanks is in fact breached, this irreplaceable user identifier could allow attackers to assume entire control over a person’s information and data. Thus, whilst it is undeniable that international adoption of this technology is becoming irresponsibly widespread, the fact is that biometrics cannot protect their users’ privacy and should not be applied to protect such sensitive data.

The surrounding environment and usage over time can affect measurements

This authentication technology, whilst convenient, is ultimately susceptible to attacks that undermine biometric integrity and reliability. New technology can reduce these factors, but to keep the biometric sensor convenient for the user, sacrifices in accuracy and dependability are necessary. Readings are never perfectly consistent: small discrepancies such as minor injuries or different backlighting would be a major inconvenience if they caused the user to be denied identification. To avoid this, devices accept a degree of expected difference, and that tolerance inevitably opens loopholes and weak points for circumvention.
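The trade-off described above can be made concrete by sweeping the matcher's acceptance threshold and measuring how many legitimate readings are rejected against how many impostor readings are accepted. The example below is added here and is not part of the original document; the similarity scores are constructed by hand rather than produced by any real matcher.

```python
# Added example, not from the original document: how the tolerance a
# biometric matcher allows trades false rejects against false accepts.
# Scores are CONSTRUCTED similarity values on a 0..1 scale; a real
# matcher would derive them from sensor readings.

# Genuine: fresh readings of the enrolled user compared to their template.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.77, 0.74, 0.70, 0.62, 0.55]
# Impostor: other people (or a photo of the user) compared to the template.
IMPOSTOR_SCORES = [0.15, 0.22, 0.30, 0.38, 0.45, 0.52, 0.58, 0.64, 0.71, 0.78]
# Candidate acceptance thresholds, from lenient to strict.
THRESHOLDS = [0.5, 0.6, 0.7, 0.8, 0.9]


def false_reject_rate(genuine, threshold):
    """Share of legitimate readings scored below the threshold (user denied)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor, threshold):
    """Share of impostor readings scored at or above the threshold (wrongly let in)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_rates(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each candidate threshold."""
    return [
        (t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
        for t in thresholds
    ]


def equal_error_point(genuine, impostor, thresholds):
    """Threshold at which FAR and FRR are closest: the usual operating point.

    Lowering the threshold below this point buys convenience (fewer false
    rejects) and pays for it with a higher false accept rate.
    """
    return min(error_rates(genuine, impostor, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"{t:9.2f}  {far:.2f}  {frr:.2f}")
    print("equal-error point:",
          equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
```

With these constructed scores, relaxing the threshold from 0.8 to 0.6 cuts the false reject rate from 50% to 10% but raises the false accept rate from 0% to 30%, which is exactly the loophole the paragraph above describes.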

Current biometric systems are not 100% accurate

It is a minor issue for a biometric system to fail to recognise the user and require repeated attempts; it is another matter when biometric systems, and facial identification in particular, are used for far more sensitive purposes yet are still not ‘up to scratch’ in terms of accuracy. Joy Buolamwini in her TEDx talk stated "My friends and I laugh all the time when we see other people mislabelled in our photos… but misidentifying a suspected criminal is no laughing matter, nor is breaching civil liberties." She clearly outlines the potential future issues and danger in relying on an inaccurate identification system. (Finley, 2019)

A further example of inaccuracy in facial recognition can be seen in a very recent article reporting on the Solar Rebate’s response to making the application process “much faster”. In the first two weeks, 40% of users reported identity check failure.

Many biometric systems require integration or additional hardware

While many personal devices include cameras, it takes more than a simple camera to provide even basic facial recognition for authentication. Typically this means a regular camera, an infrared camera and possibly several other sensors that detect depth or map the face in 3D. As increasing amounts of data and information are stored on these devices, their intangible value will drastically increase, reaching a point at which the convenience of biometric readers is outweighed by the global requirement for unquestionable security. Furthermore, all these additions to the basic device collectively create a substantial extra cost, which in the future could prove both insecure and redundant.

In Summary

Ultimately, biometric authentication is not as dependable, private or reliable as a long, secure and strong password. Whilst the method offers far more protection than a predictable and short password, the contemporary and future application of such security measures will be limited to raising the floor level of security rather than expanding our cyber protection horizons. Our global integration with such technology has already reached a point at which the data protected by biometric systems demands more security than biometric scanners can deliver. The probable privacy issues of biometrics will be tested daily, and the known vulnerabilities will challenge risk assumptions with rapidly changing real data.

A rapid shift to digital economies around the globe requires a far more secure process of user authentication to nullify the current and forthcoming critical issues within biometrics, namely:

  • privacy;

  • accuracy; and

  • immutability.

There are simply much better options available for providing a non-repudiable, unified and universal digital identity that not only address these issues but also provide a safer, more secure and more reliable path to the digital economy.
