As more organizations look into passwordless authentication with biometrics, users are asking what happens if their biometric data is stolen. After all, you can create a new password, but you can’t create a new fingerprints. They’re wondering if stolen biometrics can be used to access the applications and devices that they’ve locked down with them. The short answer is no, said Asem Othman, Veridium’s team lead, biometric science.
“Inputting a password is simple and involves entering the characters through a keyboard. A biometric needs to be entered through a biometric capture device, a process that isn’t as straightforward as typing on a keyboard,” he said.
Using a stolen biometric takes effort
Unlike passwords, biometric images are not entered directly. Instead, the image are input using a certain image capture module, like a smartphone’s fingerprint sensor. The first step in using a stolen image is to convert it into a spoof artifact that deceives the capture module. For example, pulling off an attack using stolen fingerprints requires making molds that contain high-quality reproductions of a person’s fingerprints.
“The challenge is generating a fingerprint image from the minutiae, or the set of points that are on a fingerprint. Algorithms try to build a fingerprint, but during the process you sometimes add noise and that can prevent you from generating a perfect fingerprint image that looks like the original one. All of that makes hacking a central database on a large scale and using stolen biometrics not that easy,” Othman said.
In other words, using spoofed biometrics takes effort. Time, knowledge and resources are required to spoof a biometric that can be successfully used in a presentation attack.
Consider how the biometric data is stored
Securely storing biometric data decreases the risk that attackers will be able to use it in an attack. Proper biometric data storage starts with encrypting the data. Ideally, the data should then be divided and stored in different locations, like on a person’s smartphone and in an organization’s server. Storing the data separately makes accessing it much more challenging for threat attackers. To obtain the biometric, they have to attack the server in addition to the person’s smartphone.
Storing the entire biometric in one place has prompted concerns about the security fallout if the location is breached. While biometrics are difficult to spoof and use in presentation attacks, security professionals should reduce the chances that attackers could access that data. Storing biometric data in multiple locations is part of that strategy.
Don’t forget about liveness detection and behavioral biometrics
Liveness detection minimizes the threats posed by stolen biometrics. Liveness measures require some sort of active interaction from the user or passive tests to ensure that a person, not a biometric spoofed by a threat actor, is authenticating. Liveness detection makes using a mold of a fingerprint or a mask of a person’s face much more difficult. For people who want to use a smartphone’s facial recognition capabilities, for example, liveness detection would make them turn their heads to ensure that a static, spoof image or mask is not being used to authenticate.
“Almost all biometric companies are now working on liveness,” Othman said.
Behavioral biometrics adds an additional layer of security to ensure that a person isn’t using spoofed biometrics to authenticate. Behavioral biometrics operate on the principles that everyone acts differently and copying another person’s behavior is challenging to impossible. Behavioral biometric data covers how people interact with their phones, including how they hold their phones, the pressure they use when typing and how they scroll. The data is passively collected by a phone’s accelerometer, gyroscope and other sensors when people use their devices. A baseline is established and behavior that deviates from the baseline could mean that someone besides the legitimate user is trying to authenticate.
What this means for passwordless authentication
Spoofing biometrics and using them in presentation attacks require substantial effort. Meanwhile, liveness detection, behavioral biometrics and storing the biometric data in two locations make using stolen biometric data challenging for attackers. In other words, using stolen biometrics in an attack is very difficult, much more difficult than using a pilfered password. Passwordless authentication using biometrics offers more secure way to access data, compared to using passwords.
“To use a stolen password, threat actors just need a keyboard. To use a biometric, they need to first acquire the data, spoof it and then fool the biometric capture device, a process that isn’t as easy as typing a birthday or your pet’s name on a keyboard,” he said.