The problem with biometrics

SMART Access & Identity 2023 Editor's Choice, Access Control & Identity Management, Integrated Solutions

People who are not very knowledgeable about digital authentication often think biometrics are the answer to all our authentication problems. Hint: They are not. Many people think the Holy Grail of authentication is facial recognition or maybe even DNA analysis, “When the technology gets here!” It will not.

Biometrics (e.g., fingerprint, facial, iris, retina, veins, geometry, voice, keystrokes, cursor movements, etc.) can be a good form of authentication, but you have to pick good implementations and there are valid concerns no matter what biometric option you may choose.

Biometric challenges

Here are some of the common issues with biometric authentication:

• Accuracy.

• Security/hacking.

• What to do if your biometric attribute is stolen.

• Shared systems can promote disease transmission.

• Privacy issues, government intrusion, etc.

• Bias.

Accuracy

Most biometric vendors tout how incredibly accurate their biometric solution is or can be. In most cases, their quoted accuracy figures are overstated. What the vendor is really stating is some hypothetical example of how uniquely different the involved biometric attribute is (e.g., “Your fingerprint is unique in the world!”) or what the maximum capability of the underlying hardware is (e.g., “It only has one false-negative error per 10 billion fingerprint submissions!”).

None of that matters. The only accuracy fact that matters is how accurate the biometric solution is in practice in real-world conditions as deployed. It turns out that most real-world deployments are a lot more inaccurate than the advertising.

The US National Institute of Standards and Technology (NIST) has been evaluating the accuracy of biometric algorithms (mostly fingerprint and face) for years in its ongoing vendor tests. Any biometric vendor or algorithm developer can submit an algorithm for evaluation.

NIST accuracy goals depend on the review and scenario being tested, but NIST is looking for an accuracy goal around 1:100 000, meaning one error per 100 000 tests. So far, none of the submitted candidates came anywhere close. The best solutions have an error rate of 1,9%, translating to almost two mistakes for every 100 tests. That is very different from 1:100 000 and certainly nowhere close to the figures touted by most vendors. Note, too, that a biometric matcher has two error rates, not one: the false match rate (FMR, accepting an impostor) and the false non-match rate (FNMR, rejecting the genuine user). The decision threshold trades one against the other, so a single quoted 'error rate' means nothing unless the vendor says which one it is and what the other one was at the same setting.

I have been involved in many biometric deployments at scale and we see far higher rates of errors (false-positives or false-negatives) than what NIST is seeing in their best-case lab condition testing. I routinely see errors at 1:500 or lower. Biometrics in the real world is a hard nut to crack.

The bottom line is that most biometric solutions are nowhere near as accurate as the vendor claims. With that said, some biometric solutions are far more accurate than their competitors. There are solutions that rank at the top of their class and a bunch that rank at the bottom. If you are buying a biometric solution, try before you buy, and make sure you are getting the accuracy you thought you were getting. Ask to talk to two or three of the vendor's largest existing customers and ask them about the accuracy rates they see and whether they have any problems using the product in the real world.
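Measuring accuracy yourself during a pilot means counting both error types, not one. The following is an added illustration, not part of the original article, using constructed match scores (not real data) and only Python's standard library: it reports the false match rate and false non-match rate at a chosen threshold, finds the threshold a target FMR forces on you and what that costs in FNMR, and applies the 'rule of three' to show how many impostor comparisons a pilot needs before it can support a claimed FMR at all.

```python
"""Measure a biometric matcher's two error rates from comparison scores.

Added example with constructed scores (not real data). Higher score means
more similar; the system accepts a sample when score >= threshold.
"""
from math import ceil

# Constructed similarity scores from a hypothetical pilot: each person
# compared against their own enrolled template (genuine) and against other
# people's templates (impostor).
GENUINE_SCORES = [92, 88, 95, 71, 84, 90, 66, 97, 89, 93]
IMPOSTOR_SCORES = [12, 35, 48, 22, 67, 15, 41, 30, 73, 19]


def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) at a given accept threshold.

    FMR  (false match rate)     = impostor comparisons wrongly accepted
    FNMR (false non-match rate) = genuine comparisons wrongly rejected
    """
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def threshold_for_fmr(genuine, impostor, target_fmr):
    """Lowest threshold whose measured FMR does not exceed target_fmr.

    Returns (threshold, fmr, fnmr); the FNMR is the price paid for that FMR.
    Candidate thresholds are the observed scores plus one value above the
    maximum, which rejects everything and so always meets the target.
    """
    candidates = sorted(set(genuine) | set(impostor))
    candidates.append(candidates[-1] + 1)
    for t in candidates:
        fmr, fnmr = error_rates(genuine, impostor, t)
        if fmr <= target_fmr:
            return t, fmr, fnmr
    raise AssertionError("unreachable: the final candidate rejects all")


def fmr_upper_bound(n_impostor):
    """95% upper bound on FMR when 0 false matches were seen in n impostor
    comparisons ('rule of three': roughly 3/n). With 10 comparisons the
    best you can claim is an FMR of about 0.3, whatever the vendor says."""
    return 3 / n_impostor


def min_impostor_trials(one_in):
    """Impostor comparisons (with zero false matches) needed to support a
    claimed FMR of 1 in `one_in` at the 95% level, by the same rule."""
    return ceil(3 * one_in)


if __name__ == "__main__":
    for t in (50, 75):
        fmr, fnmr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t}: FMR={fmr:.2f} FNMR={fnmr:.2f}")
    t, fmr, fnmr = threshold_for_fmr(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"zero false matches needs threshold {t}, costing FNMR={fnmr:.2f}")
    print(f"10 impostor trials can only show FMR <= {fmr_upper_bound(10):.2f}")
    for one_in in (100_000, 10_000_000_000):
        print(f"to support 1 in {one_in:,} you need "
              f"{min_impostor_trials(one_in):,} impostor trials")
```

On the ten constructed impostor comparisons, zero false matches only supports an FMR of about 0,3; demonstrating a 1:100 000 figure needs on the order of 300 000 impostor comparisons with no false matches, and a '1 in 10 billion' claim needs 30 billion. A small pilot therefore cannot confirm a vendor's headline number, which is why asking the vendor's large customers what they actually see remains worthwhile.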

Security/hacking

Anything can be hacked. Any biometric solution can be hacked. Avoid any biometric vendor telling you otherwise. Some biometric solutions are more resilient than others; the tough part is telling the difference. Here is what I look for when judging whether a particular biometric solution is more secure than its competitors:

• Are the biometric solution developers trained in secure development lifecycle (SDL) programming?

• Does the biometric vendor do in-house code reviews and penetration testing?

• Does the biometric vendor hire external penetration testers and participate in bug bounties?

• Is the solution resistant to man-in-the-middle and replay attacks between the sensor, the matcher and the back-end, i.e. is that channel authenticated and encrypted, and is a captured template or match result useless if replayed?

• Does the solution store users' biometric attributes as the raw captured image, or does it transform the captured data into a template that is less useful to an attacker if stolen?

• Is the solution single factor or multi-factor authentication (MFA)? MFA is stronger.

• Does the solution have above average accuracy compared to its peers?

If you have the ability to choose your biometric solution, choose a solution that is more resilient to attacks.

What to do if a biometric attribute is stolen

One of the most challenging problems is what to do if your biometric attribute is stolen. For example, all ten of my fingerprints were stolen, along with 5,6 million other people, in the infamous June 2015 OPM data breach (www.securitysa.com/*kb1). For the rest of my life, I know that my fingerprints are out there in the possession of attackers. How can any system that relies on my fingerprints truly know that it is I submitting them?

Well, for one, it is better if biometric attributes are paired with a knowledge-based secret like a password or a PIN. An attacker with my fingerprints would also have to know my knowledge-based secret in order to access the system. The attacker might be able to obtain that knowledge-based secret as well, but at least it is harder to accomplish.

I like biometric systems that do not store my biometric attributes in ‘plaintext’ form, meaning I do not like any biometric system that takes my fingerprints (or face, retina, iris, etc.) and stores them as the real, complete image in their database. I want biometric systems that read my biometric attributes and then transform them into something the biometric system can store and use, but if stolen, mean nothing to the thief. (See box: Protecting MFA shared secrets.)

Privacy issues, government intrusion, etc.

Many nations and businesses now store billions of fingerprints and faces. The purpose may be legitimate law enforcement, but many privacy advocates worry that any single entity holding billions of people's biometric attributes invites abuse. Only time will tell, but this is certainly a concern for a significant share of the population.

Bias

Lastly, many biometric solutions (really, any authentication solution) can have technical bias. This is not the same as a personal bias. This is a bias caused by the technology. For example, many studies have shown that facial recognition systems have higher error rates for people with darker skin tones, partly because of how light reflects off the skin and how well the sensor and algorithm can pick out features and geometry.

Biases can develop because of socio-economic issues. For instance, people without cell phones cannot use any biometric solution requiring a cell phone to work. You may think that everyone in the world has a cell phone, but about 25% of people around the world have no cell phone and many people share cell phones with other people (complicating authentication). Many people may not have a smartphone capable of using a biometric app.

Some people are born without fingerprints (it is called Adermatoglyphia), some without voices or eyes. Face tattoos, glasses, masks and hair can complicate facial recognition scans. Some labour-intensive jobs cause more ‘micro-abrasions’, which can cause problems with fingerprint scanners, and so on.

In closing

Biometrics are a growing part of the digital authentication world. There are good biometric solutions and bad biometric solutions. Try to pick the more secure and more accurate solutions. Even then, no biometric solution is unhackable or perfect. The best any defender considering a biometric solution can do is to be aware of the good and bad of biometric solutions and pick the best one they can.

This is an edited version of an article by Roger Grimes, used with permission, first published in November 2022 at https://www.linkedin.com/pulse/problem-biometrics-roger-grimes (short URL: www.securitysa.com/*kb2).


A response from Dahua Technology

Following the article from Roger Grimes, Smart Access & Identity asked Dahua for its perspective on the points raised.

Where biometrics succeed

For the average person with a smartphone, it is a given that their private data is stored on the phone and this creates a risk. This is where biometric identification succeeds in ensuring their data is safely locked away without being compromised. When this technology is used in residential estates, business offices and other day-to-day technology, it still is an excellent solution for conventional uses.

It’s more secure than passwords and other login systems and it is more convenient because there is no room for error in terms of forgetting a password or PIN, or losing an access card. With biometric authentication, your standard sign-in time at your residential gate or office door is drastically reduced versus keying in a password or PIN. Biological traits are stable and will not drastically change over a short period of time.

Where it falters

In terms of a smartphone having a fingerprint access to unlock it, someone sleeping soundly could be placed in a position where their print is used to unlock their phone without them waking up. In this case it does serve as an illustration of how biometric identification is far from foolproof. Had the phone been secured with a password or PIN, another person would likely not have been able to access the smartphone.

Where it fails

As much as it would be nice to believe that biometrics is the solution to all access problems, biometrics are not hackproof. There have already been instances of hackers beating biometric authentication measures, for example, a hacker who used high-resolution photos of another person’s finger in order to outsmart fingerprint authentication technology.

Even as security measures get smarter, hackers don’t tend to give up. They become more resilient, and their advanced strategies can target high-profile employees of high-profile organisations.

Should a person be placed in a situation where their biometric information has been compromised, it can’t be changed, edited or reformatted as a password can be. These traits are a permanent part of a person, for better or – in this case – for worse.

Most frighteningly, there is a stark difference between a security measure where biometric information is stored solely on a user’s device and a security measure where a central database stores biometric data. As more organisations get into the biometric identification security game, there will be an ever-increasing number of these databases at risk of being breached.

As mentioned above, once a hacker steals biometric information, it cannot be changed. In a future where biometric information will probably verify bank accounts and home security systems, and any number of things in our smart world, this could lead to a very insecure future.

For more information contact Dahua Technology South Africa, +27 10 593 3242, sales.za@dahuatech.com, www.dahuasecurity.com/sa


Protecting MFA shared secrets

Multi-factor authentication (MFA) usually has shared secrets. With one-time-password (OTP) MFA solutions, the shared secret is usually a randomly generated ‘seed value’ that is stored both in the authentication database and on the OTP device or app being used. If an attacker can gain access to the stored seed values and the identifying information associated with them, the attacker can clone the token, generate valid codes and use them as if they were the legitimate user.

This routinely happens in real life. For example, Google Authenticator shared secrets are regularly compromised and used against the users who rely on them. The secrets are often stored on Linux servers on the network or service the user is accessing (the PAM module, for instance, keeps each user's seed in a ~/.google_authenticator file), or they can be compromised on the user’s side.

The enrolment QR code is just a barcode-like encoding of an otpauth:// URI that carries the shared seed (in base32) along with the issuer and account name used to set up the new Google Authenticator instance. Because the seed never expires, any attacker who finds or intercepts the QR code can generate valid codes against the victim indefinitely. People who receive Google Authenticator QR codes by email often keep them in their mailbox forever, photograph them, or never permanently delete them after use, for fear that they may need them to reinstall their particular Google Authenticator instance if something happens to the current install.
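To make concrete what a copied QR code hands an attacker, here is an added example, not from the article and not Google's code, written in Python with only the standard library. It assumes the enrolment QR encodes an otpauth:// URI, the de facto format Google Authenticator and compatible apps use, and the constructed sample URI carries the RFC 6238 reference secret '12345678901234567890' (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), so the codes it produces can be checked against the RFC's published test vectors.

```python
"""What an OTP enrolment QR code contains, and why a copy is a cloned token.

Added example, not from the article. The constructed URI below uses the
RFC 6238 reference secret so the output matches the RFC test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the text a QR decoder returns for an enrolment code.
SAMPLE_QR_TEXT = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the shared seed and parameters from an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].upper().rstrip("=")
    # QR codes usually omit base32 padding; the decoder insists on it.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, unix_time // period, digits, algorithm)


def codes_from_qr(qr_text, unix_time):
    """Everything an attacker needs is the QR text and a clock."""
    params = parse_otpauth(qr_text)
    return totp(params["secret"], unix_time, params["period"],
                params["digits"], params["algorithm"])


if __name__ == "__main__":
    now = int(time.time())
    print("account:", parse_otpauth(SAMPLE_QR_TEXT)["label"])
    print("valid code right now, from the copied QR:",
          codes_from_qr(SAMPLE_QR_TEXT, now))
```

Nothing in the URI expires; running this against the same QR text years later still yields the currently valid code, which is why a QR code left in a mailbox or a photo is exactly as sensitive as the seed in the authentication database.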

Biometric authentication relies on stored secrets, too. If an attacker compromises a biometric database, they are not usually stealing users' complete scanned fingerprints, faces, retina or vein images. What they usually get instead is the system's interpretive representation of the scanned attribute, the template. Still, once stolen, a template can be enough to craft unauthorised samples that an attacker can use to try to log in as the user. Storing a template rather than the raw image, loosely analogous to storing a password hash rather than the password, does give some basic protection against the attacker walking away with the user's entire biometric image. The analogy is loose, however: a template must still be fuzzily matched against a fresh, never-identical sample, so it cannot be salted and one-way hashed the way a password can, and researchers have shown that some template formats can be inverted into samples that the matcher accepts. Yes, some biometric solutions, sadly, do store the entire scanned images of the biometric attribute, making the hacker’s job far easier.

No matter what the type of authentication, MFA or not, biometric or not, shared authentication secrets need to be protected.

This is a short extract from https://www.linkedin.com/pulse/protecting-mfa-shared-secrets-roger-grimes (short URL: www.securitysa.com/*kb3). Far more information is available in the article.


© Technews Publishing (Pty) Ltd. | All Rights Reserved.