On many occasions I have heard security experts claim that passwords are dead. Don’t hold your breath. The reasoning for such claims is that new authentication methods, particularly biometrics, are gaining traction. The industry is rapidly growing, and in a few cases, biometric technology has replaced passwords, but it will be a very long time before passwords go the way of the slide rule.
Biometric authentication has many advantages over passwords—convenience is by far the most popular. You may very well be using biometric authentication devices already. Some laptops, phones, and cars have fingerprint readers and/or facial recognition software. If you have used any of these devices you know how handy it is not to have to type in a password.
People sometimes forget or lose badges they need to get into their place of work. They forget passwords, car keys, and decoder rings. None of this is a problem with biometrics, as biometrics are both memory-proof (have you ever forgotten to take your body with you?) and convenient. For instance, there is a company selling fingerprint technology to hotels to replace key cards that often get demagnetized if held near a phone. Despite privacy concerns, the convenience of being able to put your finger near your phone and use the same finger to get into your room will be enough for some people to adopt the technology. As for me, that will be the day I forget to take my body with me.
The entire purpose of authentication is to uniquely identify a person as a means of access control, and in some cases for tracking. Passwords, card keys, and smart cards do not limit access on an individual basis—they authenticate a credential rather than a person. Biometric authentication turns conventional wisdom upside down and enhances it. With passwords you are told not to use the same password in multiple locations. With biometrics you are the password, and you are used everywhere you authenticate.
There are many types of biometric technologies, the most common of which are fingerprints, retina scans, and voice recognition. Other, behavior-based methods measure how a person moves when walking, while others may observe the cadence and pressure used when a person is typing. Measurement of veins on a hand, facial micro expressions, finger movement on a phone screen, and other physical and behavioral identifiers can be used for biometric authentication.
Vulnerabilities Remain an Issue
Of course, nothing is perfect. Although people are different, machines are not always great at differentiating them. There are two important metrics we start with: false acceptance rate (FAR) and false rejection rate (FRR). The FAR measures how frequently a device is likely to accept the wrong person. The FRR measures how frequently a device is likely to deny access to the right person. A device with too high a FAR is not secure, while a device with too high an FRR is unusable.
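To make the FAR/FRR trade-off concrete, here is an added example (not from the article) that computes both rates from a matcher's decision threshold and finds the threshold where they balance; the similarity scores are constructed for illustration, and the function names are my own.

```python
"""Added example: FAR and FRR as a function of the match-score threshold.
Scores are constructed sample data, not measurements from any real device."""

# Constructed matcher similarity scores in [0, 1].
# "genuine" = the enrolled person presenting; "impostor" = someone else presenting.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.55, 0.90, 0.79, 0.86, 0.63]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.58, 0.22, 0.30, 0.49, 0.68, 0.18, 0.27]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts the device would accept."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts the device would reject."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, steps=100):
    """(threshold, FAR, FRR) for every threshold from 0.0 to 1.0 in 1/steps increments.
    Raising the threshold lowers FAR (more secure) and raises FRR (less usable)."""
    rows = []
    for i in range(steps + 1):
        t = i / steps
        rows.append((t, far(impostor_scores, t), frr(genuine_scores, t)))
    return rows


def equal_error_threshold(genuine_scores, impostor_scores, steps=100):
    """The first threshold at which FAR and FRR are closest: the equal error rate point,
    a common single-number summary of how well a matcher separates people."""
    return min(sweep(genuine_scores, impostor_scores, steps),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7):
        print(f"threshold {t:.2f}: FAR={far(IMPOSTOR_SCORES, t):.2f} "
              f"FRR={frr(GENUINE_SCORES, t):.2f}")
    print("equal error point:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Run on the constructed scores, a loose threshold of 0.5 admits two of ten impostors while rejecting nobody genuine, and a strict 0.7 rejects two of ten genuine users while admitting no impostors; neither setting is free.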
Biometric authentication systems are also vulnerable to attacks. Spoofing is by far the most well-known attack against biometric systems. Just like in the movies, someone creates a duplicate fingerprint, iris, or face and gains unauthorized access. For example, the “gummy bear” attack, demonstrated in 2002, involves impressing the desired fingerprint onto a clear gelatin that is then used to fool fingerprint scanners. Researchers proved the method could be successful in experiments, and there were media reports that Australian students in 2010 used it to trick fingerprint scanners at their school. In 2013 and 2014, Apple and Samsung phone fingerprint readers proved vulnerable to spoofing. In 2017, researchers at the University of Michigan developed a set of fake digital fingerprints that could fool fingerprint sensors 65 percent of the time in simulations. And even iris and facial recognition systems have been successfully spoofed.
As technology improves, spoofing attacks will become much more difficult. However, even if there were foolproof biometric readers, there are other ways to attack biometric systems.
For example, once a biometric measurement has been acquired, the data must be analyzed and used to create a template. A template is a digital representation of the biometric data. You might think of this like a digital camera: the optics convert the image into data that is then stored as a picture file. If attackers can intercept the data as it leaves a biometric sensor, they can manipulate template creation so that someone else’s biometric template is enrolled. Attackers can intercept and manipulate the data at multiple discrete points in the authentication process, including when the system makes the ultimate decision to allow or deny access.
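As an added example of a defensive check at the first of those interception points (the hop from sensor to template creation), the sketch below has the sensor authenticate each capture with a keyed MAC and a fresh nonce, so a sample that was altered in transit or replayed from an earlier session is rejected before any template is built. This is illustrative code written for this article, not any vendor's protocol; the shared key, message layout and names are assumptions.

```python
"""Added example: detecting tampering or replay of data between a biometric
sensor and the template/matching stage. Key and message format are constructed."""
import hashlib
import hmac
import secrets

# Assumed: a key provisioned to one sensor at manufacture; a placeholder here.
SENSOR_KEY = b"constructed-per-sensor-key-placeholder"


def sensor_capture(raw_sample: bytes, key: bytes = SENSOR_KEY) -> dict:
    """Sensor side: tag the raw sample with HMAC-SHA256 over nonce || sample.
    The nonce makes every capture unique so an old capture cannot be replayed."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(key, nonce + raw_sample, hashlib.sha256).digest()
    return {"nonce": nonce, "sample": raw_sample, "tag": tag}


class TemplateStage:
    """Receiving side: only authentic, first-seen captures reach template creation."""

    def __init__(self, key: bytes = SENSOR_KEY):
        self.key = key
        self.seen_nonces = set()

    def accept_capture(self, msg: dict):
        """Return the sample if it is authentic and fresh, else None."""
        expected = hmac.new(self.key, msg["nonce"] + msg["sample"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return None  # modified between sensor and this stage
        if msg["nonce"] in self.seen_nonces:
            return None  # replay of a capture already consumed
        self.seen_nonces.add(msg["nonce"])
        return msg["sample"]


def build_template(sample: bytes) -> bytes:
    """Stand-in for feature extraction: a digest of the accepted sample."""
    return hashlib.sha256(sample).digest()
```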
Biometrics do offer significant security advantages over passwords, but we still have a long way to go before biometric authentication systems are secure enough to be used confidently as a standalone authentication method. They are, and will continue to be, vulnerable to spoofing attacks and data manipulation, and they are at risk of having high false acceptance and rejection rates. Therefore, multifactor authentication will continue to be a best practice for years to come.
Ultimately, all biometric systems can be defeated by Tom Cruise and a good Hollywood script.
RANDY ABRAMS, a senior security analyst at Webroot, is passionate about password and phishing education. He has worked in the security industry since 1997. While with Microsoft, Abrams created and administered the process used to ensure new products were released free of viruses and he played a pivotal role in convincing Microsoft to share critical security information with the anti-malware research community.
In 2005, Abrams joined the IT security firm ESET as director of technical education. While at ESET, he was a popular cybersecurity blogger, podcaster, and speaker at numerous security conferences around the world. In 2012, Abrams moved to NSS Labs where he served as a research director focusing on the analysis of endpoint protection testing. He joined Webroot in 2017. Abrams has also served as the vice president of the Association of Anti-Virus Asian Researchers since 2002.