How easy are biometrics to spoof? Will liveness detection impact matching performance? (and answers to other biometric authentication FAQs)Fred O'Connor | April 16, 2019
Will liveness detection impact matching performance? Do behavioral biometrics make biometric authentication more effective? How easy are biometrics to spoof? These are just a few of the questions that Doctor Stephanie Schuckers, director of the Center for Identification Technology Research at Clarkson University, and Veridium lead biometric scientist Asem Otham were asked after their webinar on debunking common biometric authentication myths.
We wanted to share the questions and answers since others may have the same ones around using and storing biometrics. The more information that security practitioners have on biometrics, the better decisions they make on using the technology in their organizations.
Be sure to listen to a recording of the webinar if you’d like to learn about the latest developments in spoofing and presentation attacks and research that’s being done around how to securely store biometric data.
Is there any information on what smartphone or brand is safest around using and storing biometric data?
Stephanie: There are certification programs emerging that can help with that question. Clearly the testing is a key part, but who does the testing? Certainly each company will do their own internal testing, but then it’s incumbent on the person purchasing it to do the testing. That’s not a good model because the person purchasing it doesn’t want to do the testing and may not be experienced in that kind of testing, and it’s difficult even for the companies because they must run from customer to customer participating in multiple tests.
By having a certification program, a company can go to the program, do a certification, and then with that certification prove to their many customers that their system is secure, has good presentation attack detection, etc. That’s emerging. There are programs out there that you can look for. I think the role that customers can play is to ask for it. The more that they ask for it, that will create the demand and then push the vendors to do the certification. In the long run, I think that will be advantageous for the vendor.
Some new smartphone sensors will have liveness detection. Will this feature impact matching performance?
Stephanie: If the spoof detection has a 5 percent false reject rate, that’s going to impact the user’s experience. From our testing, we are working with development systems or academic systems with small data sets. Commercial implementations, we hope, really have thought about the user experience that might be associated with anything they add. I think they’re very well-motivated to do so given they are selling products that are used by real people and not so much focused on selling them to attackers. I think there’s a good motivation for vendors to consider this when they implement liveness detection.
Is it possible to hack a central database, take a stored, unencrypted biometric template and create a viable fingerprint for spoofing?
Stephanie: I think the fact that central databases can be hacked is pretty well seen in the news with major security breaches leading to the release of IoT user data, biographical data about individuals, but not so much with biometrics. In the U.S., the Office of Personnel Management suffered an attack which did include fingerprint data, so I think the fact that it can happen is certainly out there. Once you have that image, again, it’s not that useful as a digital thing, so it still needs to be turned into a spoof. And, of course, you’re targeting somebody when you’re using a spoof to attack a person so you need to figure out whose fingerprint it is, what accounts they have and how you’re going to use that spoof effectively when you’re targeting that particular person. Today many attacks are much more generic rather than targeted, but that can change over time.
Asem: Most of the time, the biometric is not stored as a fingerprint image. Sometimes it’s an ISO template or anti-template or even a proprietary template. It would be a challenge to generate the spoof. The challenge is generating a fingerprint image from the minutiae, or the set of points that are on a fingerprint. Algorithms try to build a fingerprint, but during the process you sometimes add noise and that can prevent you from generating a perfect fingerprint image that looks like the original one. Then you need some expertise to figure out how you can generate a spoof from the image that can be used for matching and can pass and fool a sensor and liveness detection features. All of that makes hacking a central database on a large scale and using stolen biometrics not that easy. I like to say close to impossible. Academia and vendors are figuring out how to prevent this abuse from happening.
At Veridium, we built our own likeness proprietary template algorithms and libraries, but we’re not going to talk about that because we’re in an arms race against attackers and we don’t want to give them any help by talking about our tactics. I will say that almost all biometric companies are now working on liveness, but also you need to protect the biometric data. That’s why during the presentation we discussed one of the IEEE standards and how to make sure that data is securely stored.
For an in-depth, technical look at the challenges of spoofing biometrics, listen to a recording of the webinar.
What happens if a piece of the distributed models is lost?
Asem: If a piece of the distributed model lost, in that case, you would need to contact the enterprise and the enterprise’s policy would dictate how they handle the lost device. The good thing about the IEEE standard is that most of the enterprises would have their own processes in case of lost device. The standard provides you with a customizable way on how you can handle these kinds of situations.
How effective are behavioral biometrics?
Stephanie: This is an emerging area. Behavioral biometrics are things like how you type, how you swipe on your screen, how you walk, how you hold a device. The idea there is that behavioral biometrics compliment our traditional notion of biometrics. I wouldn’t like to see traditional biometrics thrown out in favor of behavior. Instead, I’d like to see them added to traditional biometrics.
One of the key differences between the two is if you place your finger, you’re doing an event at a moment in time. Behavior is something that runs in the background, so it’s like once you authenticate, you’re maintaining authentication as time goes on. Behavior adds another level of security.
There are many ways to take advantage of behavioral biometrics. We’ve spent a lot of time talking about spoofing, so imagine a scenario where someone has used spoofed biometrics to authenticate, but their behavior is significantly different than the behavior of the person who owns the biometrics. With behavioral, this situation could potentially raise a flag and help detect a spoof attack. Behavior’s exciting but I’ll add the caveat that it might not be ready for being the primary authentication because often it takes time to track and learn a person’s behavior.
Asem: At Veridium, user behavior is a complement to traditional biometrics. Let’s say there’s a financial transaction with a low value, then using traditional biometrics supplemented by behavior for authentication may work fine. But if you start doing high value transactions and the risk factor increases, then you can add another step-up authentication factor – face or you have to call someone – in addition to regular biometrics and behavior.
Any thoughts on cancelable templates?
Asem: A cancelable template is a way to protect biometric data – especially if it’s stored in a central database. You apply a one-way transformation to the data and it will transform the data into a new one and it will not allow you to reverse it to get the original biometric data.
There are a few issues with cancelable templates, like how you ensure the security of these transformations. The more you make this one-way transformation harder to be attacked or reversed, the more you lose in performance. By performance, I mean the matching accuracy. Usually there’s a trade-off between the two. With cancelable templates, I think the objective of using them is to store everything centrally. At Veridium, believe things are going towards a decentralized identity. We’re trying to push the storage and the ownership of biometric and personally identifiable information to the edges, not to the center of the database. But even if you need centralized decision making, you can use a distributed data model, which is secure and without degrading the performance accuracy.
Stephanie: One of the things that’s great about cancelable biometrics is that when you do matching, you don’t need to unencrypt the template. Today, we certainly can encrypt things using cool models like Asem was talking about. In our classic way of doing biometrics, we have to unencrypt it in order to match. Cancelable biometrics allows you to match in a secure domain, which again is another attack point. There is active research in this area and I think over time, the performance degradation that Asem talks about will start to go away.
Wondering what else was covered in the webinar? Listen to a recording of it to find out.