printer friendly version

The security of biometrics

Hi-Tech Security Solutions asks whether your personal biometric data is safe from prying eyes.

The benefits of biometrics have been well documented over the past few years and growth has been steady around the world, with significant growth in countries like India where the government has launched a countrywide biometric identification system. While there are many biometric modalities available, fingerprints have claimed the top spot to date due to the long history of research into both manual and electronic identification.

Other biometrics competing for the top spot include palm or finger vein biometrics, voice and iris, among others. Apparently ear biometrics is also a thing now. More recently, we have seen rather dramatic advances in facial biometrics with many companies releasing products that offer touchless biometric access control in even the busiest organisations. Whether facial biometrics is at the level of trust to authenticate transactions yet is still open to debate.

Of all the non-fingerprint biometrics available today, facial is probably the main contender for the top position given the research being done into this technology and the varied uses for it. Facial recognition is touchless and can be deployed in surveillance cameras, which can recognise people in a crowd, at a distance – something fingerprint systems can’t do.

There are also other forms of biometrics to take note of, specifically behavioural-based systems; some have been around for years and others are only starting to be recognised. Older behavioural biometrics include recognising typing styles, in which your passphrase is not important as the system identifies and verifies a person by the way they type. This is being extended into the mobile age by technology that recognises your onscreen behaviour – how you type on a smartphone, the pressure your fingers exert, the way you hold the device and more. If you thought Facebook and Google tracking your Web habits was bad, you are in for a shock.

Even more insidious are other forms of behavioural biometrics that can identify people from a distance by their gait (the way they walk) and other physical things we do unconsciously. Combined with facial recognition, these biometrics can be frightening in terms of privacy violations and large-scale tracking and monitoring of people.

In the business world, however, we are still mainly using fingerprints and this will continue for some time. There is, however, a potential risk that is mentioned in passing when it comes to biometrics (primarily fingerprints to date), and that is the risk of having your biometric stolen.

As mentioned in other articles in the Access & Identity Management Handbook 2020, an individual’s biometrics are forever. If you use a card, PIN or password to gain access to physical or logical assets, your credentials can be compromised, but they can also be replaced. If someone manages to spoof your fingerprint or face (in a way that readers accept), you’re in trouble.

The question is, can someone ‘steal’ your biometrics and use them to pretend they are you? Each biometric system has its own unique features in the manner in which readers or scanners work, so we will primarily focus on the risk to fingerprint systems because they are the standard today. Much like most malware is targeted at the Windows operating system because it is the most widely used, the most serious risks to biometrics at this time will be aimed at fingerprints. The same risks, however, apply to any other biometric modality. If another form of biometrics becomes the most used, criminals will quickly turn their focus to compromising the new market leader.

Are your biometrics at risk?

The fear of ‘losing’ your biometrics is often downplayed by vendors due to the security they include in their systems and processes. There is a real threat from hackers, however, and there is also the ever-present threat of the manufacturers making a mistake in the design or implementation of their solutions.

As an example, researchers in China from Tencent’s X-Lab recently demonstrated how they could hack the fingerprint security of almost any Android or iOS device in about 20 minutes. The hack was demonstrated at the GeekPwn conference in Shanghai in 2019. Although they didn’t make their technique public, the equipment required to do the hack is said to cost in the region of $140.

Similarly, Samsung had to release a security update for its S10 smartphone after it was found that using a cheap screen protector made it easy to fool the ultrasonic ‘in-display’ fingerprint system and unlock the device with any fingerprint. In this instance, a presumably secure biometric reader was compromised by a bit of clear plastic. (The explanation is not really that simple, but for users it was all they were concerned about.)

Shiraz Kapadia

In answering the question of whether your biometrics can be stolen or forged, Walter Rautenbach, CEO of Suprema SA, says one needs to distinguish between images and templates. In most cases with access control platforms, including that of Suprema, fingerprint and face images are not stored. Instead, the fingerprint/face template is stored and this is designed not to be reversible. Most companies have their own proprietary algorithms to create templates, which increases their security.

Ironically, in an age where standards are touted as ideal, Rautenbach says that when using open standard templates that assist with interoperability (allowing you to change fingerprint vendors later on), this obfuscation (the proprietary algorithms vendors use to create their templates) is compromised. The purpose of open templates such as ISO is interoperability – meaning anyone with an ISO manual can figure out how to reverse it.

He says this is something that needs to be made clear to clients who might require additional security measures. “A further irony to this is that it is mostly government tenders that require open standards to prevent vendor lockdown, while unknowingly making data more vulnerable.”

It is also worth noting that in the case of government biometric systems, the source of the data (the actual image) is kept. “Extreme care should be taken to ensure that the data is secure and it is essential that experts are consulted in this regard,” Rautenbach adds.

Irrespective of one’s view of the above, Rautenbach states, “We should all take care of our data and insist on proper data security. Suprema access and T&A; (time and attendance) systems do not store biometric images, they support and store propriety templates (as well as ISO templates in support of standards where required) and encrypt the data stored by default.”

Echoing Rautenbach, Shiraz Kapadia, CEO and president of Invixium, states that biometric technology was created as a means to increase security and at the same time, provide convenience. “A key/card/password can be copied, borrowed, stolen, lost or forgotten. This increased security and the fact that it is the ‘only solution to prove you are who you say you are’ is the reason behind the existence of the entire biometric industry today.

“Fortunately or unfortunately, technology has advanced to a level that hackers can break into databases to get access to stored biometrics. However, all well-known and successful biometric brands today save user biometrics in the form of templates and not images. A template is a mathematical representation of the raw image which cannot be reversed. Additionally, these templates are also encrypted before being stored.”

If hackers wanted to get your fingerprint, they would first have to decrypt this template, which by itself would be of no use in that form. The decrypted template would then have to be reconstructed into an image.

This reconstruction would require knowledge of intellectual property, which varies from vendor to vendor, he adds. It is a lot easier to get an image of one’s biometric by clicking a high-definition image of the user’s face or getting a fingerprint off a glass of water, as forensics do in crime scenes. If someone was to physically get access to your raw image, most respected biometric brands, including Invixium, use liveness detection or proof-of-life technologies to further prevent false authentication.

“If the highest level of security is required, I would recommend deploying a multi-biometric, multi-factor technology that uses a combination of face and fingerprint, or face and finger vein, or finger vein and iris; the latter pair of which are internal, leave no latent imprints and hence are not hackable,” notes Kapadia. “At the end of the day, biometric technology serves as a means of prevention and a deterrent in comparison to other vulnerable forms of access control.”

Mapless locations

Expanding on the template and encryption argument, Deon Janse van Rensburg, Africa manager for ViRDI Distribution SA, reiterates that the security of electronic biometrics depends on the vendor and how their specific extraction and matching algorithms work.

Deon Janse van Rensburg

“If the vendor extracts actual images of the biometric data and keeps these extracted images in a database in the form of .jpg or .bmp files, either on the biometric device or on the server that runs the system, this will be a risk,” Janse van Rensburg explains. “This problem does exist in cheaper systems or new entrants to the market who are not fully aware (or who just don’t care) about the risks.

“Images can be stolen and the ISO format is open and can be reverse engineered using open source mathematical algorithms freely available on one of the various biometric forums. For security, every developed country has some form of privacy legislation that prohibits the practice of keeping images of biometric data. Developing countries either don’t have such legislation in place or are unable to enforce it, and this is where a major possibility of biometric data (in the form of an image or ISO format template) being stolen exists.”

Janse van Rensburg equates the security of proprietary templates as being given a list of street addresses in a town but you don’t have a map of that town. The addresses are useless and you cannot reconstruct the layout of the town from these addresses. Only when you are provided with a map will you know where the various addresses are.

“It’s the same thing with biometrics, the template is the list of addresses (minutiae point details) and the user’s physical interaction to authenticate on the biometric device is the map (the fingerprint, face or iris). Once the map (face/fingerprint/iris, etc.) is authenticated, it is removed and the address becomes useless again.”

Nicolas Garcia

Nicolas Garcia, regional sales director (Middle East & Africa), Biometric Devices & Automotive for IDEMIA, adds that despite whatever we may see in the media, it is important to understand that biometrics remain, to date, the most secure form of verification for transaction authorisation, access control and many other fields.

Vendor-specific processes

To gain a better understanding the security of templates – proprietary templates – we asked each company to describe the processes it follows in recording a user’s biometrics.

Walter Rautenbach

Suprema stores fingerprint and face templates only. Personal, biometric and custom data is encrypted with AES-256 encryption before being stored on the database or the device. Data transfer also uses Transport Layer Security (TLS) to prevent man-in-the-middle attacks. When it comes to encryption, Rautenbach warns, “A big risk to consider is insider fraud and access to the encryption keys used to protect the data.”

Invixium provides a variety of options for the storage of fingerprint, finger vein and facial templates. End users have the option to store the templates on its edge devices which have AES encryption (128-bit), on the server or on a smartcard, which permits encryption with user-defined keys.

All Invixium solutions store user biometrics in the form of templates. Every time a user enrols on an Invixium device, the company uses the fingerprint/finger vein scanner or the camera on the device to capture the respective biometric image. This image is converted into a template and the image is discarded. This template is then encrypted using AES encryption prior to being stored on the device or the server.

Kapadia adds that there is also a significant size difference between raw images and templates. Images are large due to the extensive detail captured (approximately 300 KB up to 1 MB on average), and templates average around 300 to 500 Bytes. “Storage of raw images is impractical for edge computing devices which would require tremendous processing power on the device to complete authentication matching in a timely manner (less than 1 second).”

For IDEMIA, during enrolment, biometric pictures are converted into templates and the actual biometric images are discarded securely. Garcia says, “It is technically not possible to rebuild the picture from the template and that in itself is the first level of security. Our solutions come with advanced security features such as encryption and they are recommended based on the unique need of each customer.”

Finally, Janse van Rensburg explains, “ViRDI under no circumstances will store images of the biometric data. We extract the biometric templates using a proprietary algorithm into a proprietary mathematical equation which is then encrypted using a proprietary encryption algorithm. The decryption key is heavily secured and used only within the matching algorithm. As an added security feature, we do multiple template extractions both on enrolment and on transaction (authentication) and compare these multiple templates using our matching algorithm before identification or verification is achieved. This multiple template extraction and matching is unique to ViRDI.”

Proof of life

Just as important as encryption and keeping the algorithms for templates secret, is the ability to be sure that the fingerprint or face (or whatever biometric is chosen) is attached to a live, real person. Today it is relatively easy to create a fake fingerprint or use a 3D rendering of a face on a tablet or another screen. If a reader is not able to differentiate between live and fake biometrics, the system’s use will be fairly limited.

Liveness detection, as it is commonly known, is part of every biometric technology that is worth considering. Janse van Rensburg says ViRDI employs various anti-spoofing technologies in its biometric devices. “For fingerprints we use capacitive measurements, infrared illumination, multispectral response imaging and ‘live’ detection embedded within the extraction and matching algorithms.

“For facial recognition we use dual-camera infrared extraction coupled with 3D geometry and isometrics. Whatever anti-spoofing technologies are deployed in our devices, no single technology operates as a standalone defence, but always as part of a process where the next technology process is reliant on the success of the previous process, thereby forming an anti-spoofing ecosystem.”

Garcia notes IDEMIA makes use of advanced fake biometric detection and prevention tools such as fake finger and liveness detection, 3D images, multi-modal biometrics, etc. “Each of the tools serves its purpose. We work closely with our customers to ensure that we deliver the best solution (sometimes a combination) that meets their security requirements.”

Suprema also delivers live finger detection for fingerprint biometrics and live face detection for facial recognition hardware. “Both of these are improved regularly to keep up with spoofing techniques,” explains Rautenbach. “In both cases machine learning algorithms are used to easily detect fake biometric data.”

Invixium uses a proprietary liveness detection algorithm for its facial recognition products. For fingerprint and finger vein recognition, it has integrated the top sensors from brands such as HID Lumidigm and Hitachi, which provide anti-spoofing as a feature.

“I find it important to point out that no biometric technology in today’s times is completely immune to spoofing,” warns Kapadia. “I always recommend to our potential customers who are looking for high-security solutions to create an ecosystem and a culture of smart security in their organisation. For example, integrate physical access control with CCTV and cybersecurity, along with multi-factor or even multi-user authentication. Some simple steps can go a long way.”

This advice can be extended to various parts of security, especially when making use of cloud services for access control and any solutions that require biometric identification and verification for cloud databases. In all security installations, the end-user company must assume the ultimate responsibility for their own security and with biometrics forming part of the solution, ensuring your own security is critical.

Dealing with the cloud

When it comes to cloud services, you don’t need to be a cybersecurity expert to know that there have been many breaches and there have been billions of bits of sensitive data stolen – and that’s only the data losses that have been publicised.

Cloud services do offer definite advantages for users, including the promise of security. However, the fine print most often will absolve the service provider of responsibility should its security fail. Therefore customers need to assume responsibility for their own security, making full use of that provided by cloud, hardware and software providers, but adding whatever is deemed necessary to provide a security posture that meets the organisation’s needs.

Rautenbach says data encryption is an essential starting point and companies using cloud services should ensure that recognised encryption algorithms and large keys, such as provided by AES-256, are used, especially in these days of extreme computing power.

“Not only should data be encrypted in the database, but also on the devices storing the data and even during data transfer. In a world where cybersecurity is the new front line, protecting nations and individuals, and where there is motivation to gain access to others’ data and with the ever increasing computing power supporting this, it is most important to have manufacturers and providers that understand what is relevant today and who are fast to respond when called upon.”

He adds that suppliers and service providers must constantly be planning ahead; knowing that what may be relevant today may not be tomorrow.

Kapadia expands on this, saying, “It is fascinating to see where our industry is headed. I am extremely excited about the advent of cloud services, especially as part of access control and workforce management. There is a lot of baseless fear around this transformation due to the multiple data breaches over the past couple of years.

“However, I’d like to point it out again that if one is smart about these deployments, the worst fears can be easily avoided. When it comes to cloud services, the following should be considered:

• Server security. The server where the cloud data is stored. The majority of data breaches occur from inside the organisation and not from an external hacker. Deploying biometric-based access control for data/server farms is as critical as the cybersecurity of the server.

• Communication security. The encryption provided when the data is being transferred between the server and the physical device(s).

• Database security. What kind of security has been provided to the stored data.

• Device security. Devices should have tamper protection in the event that somebody tries to pull the device off the wall to get access to the data. For example, all Invixium products have anti-shock vandal protection, which can be programmed to delete all user data on the device in the case of a tamper event.

• Hosting server location is a big factor for some organisations. A server located in a developed country is considered more secure than one located in a developing country, for obvious reasons.”

Other than the aforementioned factors, it comes down to the simpler things such as not sharing passwords/PINs/cards, limiting access to the cloud data and software to only selected systems in the office, and restricting access to these systems to trusted individuals by use of physical access control.

Cryptography is extremely important and IDEMIA proposes various technologies to ensure the highest security is maintained at the time of implementation. Garcia states that IDEMIA provides its customers with software and hardware to be installed and managed on their own infrastructure and premises. “We advise customers to periodically review their implementation strategy/approach to ensure alignment with their corporate security policies.”

He adds, “We regularly run stress tests on our solutions and welcome end-users’ stress tests during proof-of-concept projects. For instance, the financial industry is on the forefront of cybersecurity and intrusion tests. Our products have been tested many times by this industry, in real-life situations, and so far have not failed.”

A point on encryption

While not taking a different view on the importance of encryption, Janse van Rensburg does warn that encryption can become “a tricky beast” if many third-party software suites make use of the biometric system database. Once the biometric database is encrypted, it becomes useless to the third-party software.

Naturally, vendors will be loath to share the details of the encryption with a third-party software vendor. An example would be T&A; systems needing access to user information and transaction times in order to calculate the timesheets.

With over 30 T&A; software suites – just in South Africa – this is obviously a concern. Janse van Rensburg states, “Our position is that it remains the responsibility of the end user to ensure that the database is properly protected by making use of anti-malware, intrusion detection and prevention software and firewalls, whether those are software- or hardware-based. Databases should be backed up regularly as well.

“The unfortunate reality is that should the above countermeasures be breached, data such as ID numbers, telephone numbers, addresses, etc. are vulnerable to theft.”

It is clear from the above that the mainstream biometric vendors today are very aware of the security environment businesses work in. And while these vendors, and others which didn’t respond to our requests for input, are taking the security of their customers’ personal data seriously, the ultimate responsibility for security can never be outsourced.

End-user companies have to take responsibility for their own security, making full use of the solutions provided by their suppliers and service providers. At the end of the day, however, your customers will be pointing fingers at you if they find themselves compromised because of a breach in your security.

For more information contact:

•IDEMIA, +27 11 601 5500, [email protected], www.idemia.com

•Pyro-Tech (local distributor of Invixium), +27 11 615 3438, [email protected], www.pyro-tech.co.za

•Suprema, +27 11 784 3952, [email protected], www.suprema.co.za

•ViRDI Distribution, +27 11 454 6006, [email protected], www.virditech.co.za

Share this article:

Further reading: