We all know that no two biometrics are created equal, and many have touted that fingerprint and iris are much more secure than face or voice. That’s why it came as little surprise when BBC reported that it was able to bypass HSBC’s new Voice ID technology. More people were shocked when, just a few days later, Chaos Computer Club (CCC) detailed how it was able to spoof the Samsung Galaxy S8’s new iris recognition system. We often believe that these exciting new technologies are “hack-proof”, but the truth is, given enough time and/or resources, any login process is susceptible to attack.
What we need to do is limit the opportunities that bad actors have to attack these systems in the first place.
Take the BBC presentation attack. It isn’t surprising that a pair of twins was able to fool the system. What’s shocking is how many log-in attempts the system allowed them. Joe Simmons, twin brother of BBC’s Dan Simmons, was able to repeatedly attempt to log in without warnings or alarms going off. The system denied him seven times before the eighth attempt passed.
Of course, the iris is a far more distinctive trait, and one we’ve seen is harder to spoof, which is why it has often been said to be the most secure single biometric we can use for authentication. Even twins have completely different irises. But as I said before, no login process is hack-proof, and the CCC attack proves it. Iris is much more difficult to capture than voice – requiring a camera capable of capturing the near-infrared spectrum as opposed to a simple recording of someone speaking – but it’s not impossible.
The key takeaway from both of these events is that we need to develop a system for protecting the login process itself, as well as the biometric data, to minimize risk. Secure storage of biometric templates is paramount, but we cannot allow bad actors eight, seven, or even six attempts to log in. When any system allows 20 attempts to log in, it invites disaster. Any login solution, whether it uses biometrics or passwords, should raise a red flag after just a few failed attempts. Require a second factor to authenticate, or even trigger a security alert and lock the account until the owner contacts their bank.
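To make the escalation described above concrete, here is an added example (not code from the original post, HSBC or BBC) of a per-account failed-attempt policy: after a few failures in a sliding window a biometric match alone is no longer enough and a second factor is demanded, and after a few more the account is locked and an alert is raised. The thresholds, the 15-minute window and the replayed sequence (seven failures followed by a match, modelled on the BBC report) are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # biometric match accepted on its own
    DENIED = "denied"      # no match; the failure is counted
    STEP_UP = "step_up"    # match, but a second factor is now required
    LOCKED = "locked"      # account locked and an alert raised


@dataclass
class FailedAttemptPolicy:
    """Escalating response to failed logins on one account within a sliding window."""
    step_up_after: int = 3          # failures after which a match alone is not enough
    lock_after: int = 5             # failures after which the account is locked
    window_seconds: int = 900       # assumed 15-minute window
    failures: dict = field(default_factory=dict)   # account -> failure timestamps
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)     # (account, timestamp) pairs

    def _recent(self, account, now):
        """Drop failures older than the window and return the live list."""
        cutoff = now - self.window_seconds
        kept = [t for t in self.failures.get(account, []) if t > cutoff]
        self.failures[account] = kept
        return kept

    def attempt(self, account, matched, now):
        """Apply the policy to one login attempt; `matched` is the matcher's verdict."""
        if account in self.locked:
            return Decision.LOCKED
        recent = self._recent(account, now)
        if not matched:
            recent.append(now)
            if len(recent) >= self.lock_after:
                self.locked.add(account)
                self.alerts.append((account, now))
                return Decision.LOCKED
            return Decision.DENIED
        if len(recent) >= self.step_up_after:
            return Decision.STEP_UP
        recent.clear()                 # a genuine login clears the counter
        return Decision.ALLOW


def replay(outcomes, spacing=30, **policy_args):
    """Replay matcher verdicts, one every `spacing` seconds; return the decisions taken."""
    policy = FailedAttemptPolicy(**policy_args)
    return [policy.attempt("acct", m, i * spacing) for i, m in enumerate(outcomes)]


# Constructed sequence modelled on the BBC report: seven failures, then a match.
BBC_SEQUENCE = [False] * 7 + [True]
```

Under these thresholds the account is locked and an alert raised on the fifth failure, so the eighth attempt never reaches the matcher; with a shorter burst the match on the fourth attempt is accepted only together with a second factor.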
Of course, no system is perfect, but biometrics do provide a more secure authentication method than usernames and passwords. They can’t be lost. They can’t be cracked using brute-force attacks. And if we use the right tools to store them, they’re much more difficult to steal as well.