Biometrics – a false promise of security?

By Thomas Bostrom Jorgensen | 23 January 2015

Sci-fi is now reality

There are certain tropes that science fiction writers and filmmakers rely on when trying to evoke a near-future setting, such as intelligence-enhancing smart drugs, dystopian levels of surveillance, and biometric authentication such as eye and fingerprint scans.

Of course, biometric authentication is a very real technology, even though it retains that sheen of the futuristic. This is mostly because, until very recently, mass market biometric authentication never worked very well; it was a novelty rather than a serious way to access sensitive information.

Apple’s Touch ID has changed this. Touch ID means that the financial services industry now has access to biometric technology that actually works and offers a compelling user experience. Some banks are integrating Touch ID into their online services, while others are introducing their own similar systems, including Barclays with its finger vein reader for corporate customers.

But Touch ID, like other biometric solutions, has serious limitations.

A false promise?

Biometric authentication works by taking something unique to a person, such as a fingerprint or a pattern of veins within the eye, and using it to confirm a user’s identity. It seems sound in principle – if a fingerprint matches a person, and fingerprints are unique, then there is confidence that the user is who they say they are.

Biometric authentication also feels secure. Passwords can be guessed, or stolen, but your fingerprint is literally attached to you, and very complex. Good luck to any criminals looking to steal that!

But this complacency could be a real problem. There are very real questions as to how secure biometric authentication really is – and what this means for long-term use of the technology.

Touch ID was ‘hacked’ less than a month after introduction. A hacker, who goes by the name ‘Starbug’, has shown that it is possible to take a stolen fingerprint – perhaps lifted from a discarded cup – and create a latex ‘finger’. This ‘finger’ can then be used to unlock the iPhone using Touch ID, just as if it were the real finger. It was pointed out at the time that the attack was useless without access to both the fingerprint and the device – neither of which is trivial to obtain.

But only last month the same hacker was back, claiming to be able to recreate fingerprints from high-resolution photographs. Using this method, a criminal could potentially reconstruct a finger, with an accurate fingerprint, without ever needing access to something the victim had touched. Of course, access to the device is still necessary for this type of attack, but it shows that biometric authentication is not as secure as we believe it to be.

Secrecy and permanency

There are two major problems with biometric information. One is that the information is not secret, and the other is that it is permanent.

For all of the problems that traditional passwords and PINs have, they are usually stored in someone’s memory and not revealed. We leave our fingerprints, as every crime drama fan knows, wherever we go. This and other personal data like it can be collected by photographic means. Biometric data is not secret – we cannot hide it, and ever more sophisticated means are being developed to steal it from us.

Furthermore, when our biometric data is compromised, it cannot be reset. We cannot get new fingerprints or new eyes – at least, not in the near-future. The breach is permanent.

There is also the worry of centrally-held data. Touch ID data is only held locally on the device, so there is no central database of fingerprints. If a service were to keep a record of biometric data, then there are ways to make sure that a stored biometric credential is only valid for that particular service. But history tells us that bad security practices are more common than we would like to admit – passwords stored in plain text, failures to implement SSL, and easily guessed security questions such as ‘mother’s maiden name’ are all too common. A database of biometric credentials that falls into criminal hands means that biometric authentication is potentially less secure for everyone, not just the company that suffers such a hack.
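As an added illustration of the service-bound storage the paragraph above alludes to (example code written for this page, not the article’s or any vendor’s), here is a toy ‘cancelable template’ scheme: each service transforms the biometric feature vector with its own secret-derived orthogonal matrix before storing it, so a template leaked from one service is useless at another and can be revoked by re-keying. It assumes feature vectors are short lists of floats, a Euclidean-distance matcher, and placeholder service secrets; real matchers and feature extractors are far more involved.

```python
import math
import random

THRESHOLD = 0.25  # max distance between stored and presented templates (toy value)

def service_transform(service_secret, dim):
    """Derive a random orthogonal matrix from the service's secret.
    Seeding a PRNG is a toy stand-in for a real key-derivation function."""
    rng = random.Random(service_secret)
    basis = []
    while len(basis) < dim:
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for b in basis:  # Gram-Schmidt: strip components along earlier rows
            dot = sum(x * y for x, y in zip(v, b))
            v = [x - dot * y for x, y in zip(v, b)]
        norm = math.sqrt(sum(x * x for x in v))
        if norm > 1e-6:
            basis.append([x / norm for x in v])
    return basis

def apply(matrix, features):
    return [sum(m * f for m, f in zip(row, features)) for row in matrix]

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def enrol(features, service_secret):
    """What the service stores: the transformed template, never the raw features."""
    return apply(service_transform(service_secret, len(features)), features)

def verify(stored, presented, service_secret):
    """An orthogonal transform preserves distances, so a genuine re-capture
    stays within THRESHOLD of the template enrolled under the same secret;
    under any other secret the two values are unrelated."""
    candidate = apply(service_transform(service_secret, len(presented)), presented)
    return distance(stored, candidate) <= THRESHOLD

# Constructed sample data: one enrolment capture and a slightly noisy re-capture.
ENROL = [0.62, -0.41, 0.18, 0.95, -0.77, 0.33, -0.05, 0.51]
NOISE = [0.03, -0.02, 0.04, -0.03, 0.02, -0.04, 0.01, 0.02]
RECAPTURE = [f + n for f, n in zip(ENROL, NOISE)]
BANK_SECRET, RETAILER_SECRET = b"bank-A-template-key", b"retailer-B-key"  # placeholders

if __name__ == "__main__":
    stored_at_bank = enrol(ENROL, BANK_SECRET)
    print("genuine user at the bank:", verify(stored_at_bank, RECAPTURE, BANK_SECRET))
    print("leaked bank template tried elsewhere:", verify(stored_at_bank, ENROL, RETAILER_SECRET))
    print("leaked template after the bank re-keys:", verify(stored_at_bank, RECAPTURE, b"bank-A-key-v2"))
```

The fingerprint itself still cannot be changed, which is the article’s point; what this buys is that the stored credential, rather than the finger, is what gets revoked and re-issued after a breach.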

Proceed with caution

While biometric authentication may be gaining in popularity and is generally secure for day-to-day use, financial institutions need to carefully consider how they deploy it as a major authentication method. Weak passwords are insecure because of the sheer amount of time and effort criminals have put into rendering them insecure. That same effort put into subverting biometrics could have a similar effect, except it’s impossible to ask users to create a more complex fingerprint.

Similarly, consumers need to be careful and consider who is storing their biometric data. Theft of this data could potentially be disastrous if best practice is not followed.

A single method, whether it’s an eye scan or a PIN, should not be used to verify someone. A single authentication factor is always going to be vulnerable to attack, no matter how secure it is. Authentication works best when a number of factors are used – and the factors used are contextually appropriate to the risk of the activity taking place. The sooner banks and financial services companies understand that there shouldn’t be just one way to authenticate customers, the safer they – and their customers – will be.


By Thomas Bostrøm Jørgensen, CEO, Encap Security