More and more of the gadgets we use these days (smartphones, smart watches, etc.) try to make a personal connection with the owner via the owner's biometric characteristics.
Using biometric measures for authentication purposes is a fast-growing trend in the IT world, but there are genuine security concerns regarding the maturity level of these methods and their security faults. How safe is it to use biometrics for authentication? Can they be bypassed? Let’s find out!
How to find a good biometric characteristic?
At this moment, we have 3 main possibilities for verifying a user’s identity: something that the user knows (like a code or a passphrase), something that the user has (a smart card or a token) or something that the user is (a biometric characteristic).
For a biometric characteristic to be considered a valid authentication method, it should have the following properties:
- Universality, meaning that the feature must be present on all individuals;
- Measurability, meaning that the feature can be measured and the individuals are willing to share it for measurement purposes;
- High accuracy, meaning that the feature can be measured with an acceptable error rate;
- Uniqueness, meaning that the feature should be different for every individual;
- Robustness, meaning that the feature should not vary in time for the same individual;
- Circumvention, meaning that the feature should not be easily altered, imitated or replicated by third parties.
Although these requirements might seem too restrictive, there are a large number of biometric characteristics that meet them (or at least most of them) and can be used in user recognition.
Most biometric methods have been bypassed
Below is a list of well-known biometric authentication methods and some examples of bypass techniques for each of them. The authentication methods are categorized according to the actions a user must perform in order for the biometric characteristic to be measured successfully.
Passive biometrics, also named physical features, are anatomical or physiological characteristics that can be measured without requiring a special action from the user. Some examples are:
- Fingerprint readers – different implementations of this method have been bypassed in the past using scanned and printed fingerprints or 3D models of a victim’s thumb. Details about such a bypass on a Samsung Galaxy 5 can be found here.
- Face detection and recognition (multiple implementations) – some of these implementations have been bypassed using 2D pictures of the victim’s face.
- Iris / retina scanning – this is considered one of the most secure biometric methods for authenticating users, but it has security problems as well. A technique for bypassing iris scanning was presented at Black Hat 2012.
Dynamic biometrics, also named behavior characteristics, are methods that require a user to perform a specific set of actions in order to be authenticated, like:
- Keystroke recognition. Some implementations are known to be vulnerable to real-time keystroke generators that use data collected from the victims via social engineering attacks. A reference paper for keystroke recognition bypass can be found here.
- Voice recognition is a well-documented authentication method considered to be a combination of passive and dynamic biometrics. There are multiple mathematical models for using voice recognition for authentication, but some of them have been bypassed using voice synthesis algorithms. Some concerns about the security of this authentication method can be found in this article.
Why are they vulnerable?
A question comes to mind: why were all those biometric methods bypassed, although they are backed by strong mathematical models? One answer could be that there are two big sources of errors: data acquisition errors and implementation mistakes.
Biometric measurements depend on the sensor that is used for data acquisition. In most cases, the sensors used won’t be cutting-edge technology, and not even the sensors with the best performance-to-price ratio. In most cases, they will be the financially accessible ones, which might have poor performance. From the start, an implementation should account for those errors. Another source of input errors is the nature of the human body: we are adapting to environmental conditions all the time. In voice recognition, for example, the user’s voice varies slightly after a long sleep, a cold drink or a 2-hour lecture. A good biometric authentication algorithm must be robust to all those variations, but this tolerance might be abused in order to fake some biometric features.
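The trade-off described above can be measured. The following is an added example, not code from the original article: it computes the false acceptance rate (FAR) and false rejection rate (FRR) of a score-based matcher at several thresholds. The similarity scores and all function names are constructed for illustration.

```python
"""FAR/FRR trade-off for a score-based biometric matcher (constructed data)."""

# Constructed similarity scores in [0, 1]; higher means "more alike".
# GENUINE: the enrolled user on different days (tired voice, cold, noisy sensor).
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.65, 0.61, 0.58]
# IMPOSTOR: other people and imitations presented to the same matcher.
IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.57, 0.66, 0.70]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """Evaluate each candidate threshold; returns a list of (t, FAR, FRR)."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def equal_error_point(rows):
    """Row where FAR and FRR are closest (approximate equal error rate)."""
    return min(rows, key=lambda r: abs(r[1] - r[2]))


def strictest_threshold_for_frr(rows, max_frr):
    """Highest threshold that keeps rejections of the real user <= max_frr."""
    ok = [r for r in rows if r[2] <= max_frr]
    return max(ok, key=lambda r: r[0]) if ok else None


if __name__ == "__main__":
    rows = sweep(GENUINE, IMPOSTOR, [x / 100 for x in range(50, 95, 5)])
    for t, far, frr in rows:
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("approx. EER point:", equal_error_point(rows))
    # Tuning so the real user is never rejected shows what that tolerance costs.
    print("tuned for FRR=0:  ", strictest_threshold_for_frr(rows, 0.0))
```

On this constructed data, a threshold loose enough to never reject the real user accepts 30% of impostor attempts, which is why the acceptance threshold belongs in the scope of any security test of a biometric system.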
The other source of errors – implementation mistakes – is sometimes inevitable: it’s in human nature to make mistakes. And it’s really easy for a programmer to get some parameters wrong when under pressure to implement a complex mathematical model on resource-limited embedded systems. The good news is that those mistakes can be detected through proper testing. In fact, every piece of software associated with a high risk level should be properly tested for security vulnerabilities.
We see that emerging technologies have a big appetite for interacting with people. However, there are some limits of trust that should be well defined.
As a personal consideration, biometric features should not be used for authentication or authorization, but only for user identification; otherwise, biometrics should be used as a second authentication step, in conjunction with other methods.
Our recommendation is to test all software that uses biometric methods for user authentication or authorization for security vulnerabilities. Depending on the case, an in-depth penetration test might be the best solution.