Biometric Authentication Overview, Advantages & Disadvantages
How popular biometric methods work, and how to hack them
Biometric seem to be everywhere these days. Consumer preference has turned the technology into a must-have for the modern smartphone or laptop.
Fingerprint readers, face recognition or iris scanners are the most immediate examples, but researchers and engineers want to create even more clever solutions such as voice recognition. Some methods are pattern based and learn how you hold your phone or type at a keyboard.
Whichever way you look at it, the tech is here to stay. The real question however is, how effective is biometric authentication when it comes to keeping you safe?
Table of contents
- What is biometric authentication
- Popular methods and how they work
- Fingerprint Scanners and how they are stored
- Eye scanners
- Speaker recognition
- Other biometric technologies
- Advantages and disadvantages of biometric authentication
- Hacking methods
- How to secure smartphone/laptop fingerprint readers
What is biometric authentication
Biometric authentication works by comparing two sets of data: the first one is preset by the owner of the device, while the second one belongs to a device visitor. If the two data are nearly identical, the device knows that “visitor” and “owner” are one and the same, and gives access to the person.
The important thing to note is that the match between the two data sets has to be nearly identical but not exactly identical. This is because it’s close to impossible for 2 biometric data to match 100%. For instance, you might have a slightly sweaty finger or a tiny, tiny scar that changes the print pattern.
Designing the process so that it doesn’t require an exact match greatly diminishes the chance of a false negative (the device doesn’t recognize your fingerprint) but also increases the odds that a fake fingerprint might be considered genuine.
How different biometric authentication methods work
There are quite a few types of identifying a user by way of his own body. Below are the most popular biometric technologies that have made their way into user’s hands.
There are three types of fingerprint scanners: optical, capacitive and ultrasound.
- An optical scanner takes a photo of the finger, identifies the print pattern, and then compiles it into an identification code.
- A capacitive scanner works by measuring electrical signals sent from the finger to the scanner. Print ridges directly touch the scanner, sending electrical current, while the valleys between print ridges create air gaps. A capacitive scanner basically maps out these contact points and air gaps, resulting in an absolutely unique pattern. These are ones used in smartphones and laptops.
- Ultrasonic scanners will make their appearance in the newest generation of smartphones. Basically, these will emit ultrasounds that will reflect back into the scanner. Similar to a capacitive one, it forms a map of the finger unique to the individual.
How are your fingerprints stored?
Both Google and Apple store your fingerprint on the device itself and do not make a copy of it on their own servers.
Apple’s TouchID won’t store the actual image of the fingerprint, but a mathematical representation of it. So even if a malicious hacker reaches this mathematical representation, he cannot reverse engineer it to reveal an actual image of your fingerprint. Not only that, but the fingerprint data itself is encrypted.
Also, not even the device’s OS can access the fingerprint data directly, much less an app. Instead, there’s a gatekeeper security software called Secure Enclave that sits between the fingerprint data, and the program making the fingerprint scan request.
Android phones operate under similar guidelines. They store the fingerprint data in a secure part of the main processor called Trusted Execution Environment, or TEE for short. The TEE is isolated from other parts of the processor and doesn’t directly interact with installed apps.
Just as with Apple devices, fingerprint data is stored in an encrypted state. In addition, removing a user from the device should also delete any fingerprints stored on it.
Security researchers consider the eye as the most reliable body part for biometric authentication since it the retina and iris remains almost completely unchanged during a person’s life time.
- A retinal scan will illuminate the complex blood vessels in a person’s eye using infrared light, making them more visible than the surrounding tissue. Just like fingerprints, no two persons will ever have the same retinal pattern.
- Iris scanners rely on high-quality photos or videos of one or both irises of a person. Irises too are unique to the individual. However, iris scanners have proven to be easy to trick simply by using a high-quality photograph of the subject’s eyes or face.
How iris scanners work
When it comes to biometrics, the iris has several major advantages compared to a fingerprint:
- You don’t spread the information around every time you touch something.
- The iris stays virtually unchanged throughout a person’s life. A fingerprint, on the other hand, can be dirtied, scarred or eroded.
- You can’t use a fingerprint with dirty or sweaty hands. Irises, however, have no such problem.
The only major disadvantage of an iris scanner is that high-quality photos of your face or eyes can trick the scanner and unlock the device. Despite these limitations, the technology has made its way as a security feature in airports, banks, and other sensitive buildings. By now, newer phones have also started to incorporate the technology.
How it works. In the enrollment phase, the scanner will make a photograph of your iris using both normal light, as well as infrared light to capture details that wouldn’t be visible otherwise.
After the device records the person’s iris, it will remove any unnecessary details, such as eyelashes, and then transform the information into mathematical data and encrypt it.
During verification, an iris scanner will again emit infrared light to spot those hidden details. Because an iris scanner supplies its own light, it also works in low light or dark conditions.
Speaker recognition, unlike the voice based one, wants to identify who is talking, and not what is being said.
In order to identify the speaker, the specialized software will break down their words into packets of frequencies called formants. These packets of formants also include a user’s tone, and together they form his voice print.
Speaker recognition technology is either:
- Text dependent, meaning it unlocks after identifying certain words or phrases (think “Hey Alexa!” for the Amazon Echo).
- Text independent, where it tries to recognize the voice itself but ignores what is actually said.
Unlike other methods mentioned here, speaker recognition comes with a significant usability problem, since it’s easy for background noises to distort the person’s voice and make it unrecognizable.
When it comes to consumer devices, voice activation can come across as awkward (a.k.a. talking to Siri in the subway).
But the biggest issue with speech recognition is how easy it is to create a high-quality reproduction of a person’s voice. Even low-quality smartphones can accurately record a person’s voice, complete with inflections, tone, and accents.
Other biometric technologies
The methods above are the most well known and most popular, but not the only ones. Here are some other technologies:
1. Hand and finger geometry
While not as unique as prints or iris scanners, our hands are different enough from other people’s that they are a viable authentication method in certain cases.
A hand geometry scanner will measure palm thickness, finger length and width, knuckle distance and so on.
Advantages for this kind of system are cheapness, ease of use and unobtrusiveness. On the flip side, it does have a few major disadvantages: the hand of the size can vary over the time, health problems that might limit movements, and most importantly the lack of uniqueness.
2. Vein geometry
Our vein layout is completely unique and not even twins have the same vein geometry. In fact, the overall layout is different from hand one hand to another.
Veins have an added advantage since they are incredibly difficult to copy and steal because they are visible under tightly controlled circumstances.
A vein geometry scanner will light up the veins with near-infrared light, which makes your veins visible on the picture.
Advantages and disadvantages of biometric authentication vs passwords
Ultimately, biometrics are all about security. As a feature, their main competitor is the password (or PIN code, on occasion), so a comparison between the two will reveal both their flaws and weaknesses.
Advantage: Ease of use
A fingerprint or iris scan is much easier to use than a password, especially a long one. It only takes a second (if that) for the most modern smartphones to recognize a fingerprint and allow a user to access the phone. Ultrasound scanners will soon become common place, since manufacturers can place them directly behind the screen, without taking any extra real estate on a phone.
Voice recognition, on the other hand, is a bit iffier and background noises can easily scramble the process and render it ineoperable.
Disadvantage: You cannot revoke the fingerprint/iris/voice print remotely
A big disadvantage of biometric security is that a user cannot remotely alter them. If you lose access to an email, you can always initiate a remote recovery to help you regain control. During the process, you will be able to change your password or add two-factor authentication to double your account’s security.
Biometrics, however, don’t work like that. You have to be physically near the device to change its initial, secure data set.
A thief could steal your smartphone, create a fake finger, and then use it to unlock the phone at will. Unless you quickly locked your phone remotely, a thief would quickly steal every bit of information on the device.
Advantage: The malicious hacker has to be near you
The biggest advantage of biometrics is that a malicious hacker has to be in your physical proximity in order to collect the information required to bypass the login. This narrows down the circle of possible suspects in case your biometric lock is somehow bypassed.
The proximity also puts him at risk of getting caught red-handed, in a way that regular malicious hackers working from another continent cannot.
Disadvantage: “Master fingerprints” can trick many phones and scanners
When you first register a fingerprint, the device will ask you for multiple presses from different angles. These samples will then be used as the original data set to compare with subsequent unlock attempts.
However, smartphone sensors are small, so they often rely on partial matches of fingerprints.
Researchers have discovered that a set of 5 “master fingerprints” can exploit these partial matches, and open about 65% of devices.
The number is likely to go down in real life conditions, but an open rate of even 10% to 15% is huge and can expose millions of devices.
Disadvantage: Biometrics last a lifetime
You can always change your password if somebody learns it, but there’s no way to modify your iris, retina or fingerprint. Once somebody has a working copy of these, there’s not much you can do to stay safe, other than switching to passwords or using another finger.
In one of the biggest hacks ever, the US Office of Personnel Management leaked 5.6 million employee fingerprints. For the people involved, a part of their identity will always be compromised.
Disadvantage: Vulnerabilities in biometric authentication software
A couple of years ago, security researcher discovered weaknesses in Android devices that allowed them to remotely extract a user’s fingerprint, use backdoors in the software to hijack mobile payments or even install malware.
What’s more, they were able to do this remotely, without having physical access to the device.
Since then, patches have come for the vulnerabilities, but bug hunters are constantly on the hunt for new ones.
Hacking biometric encryption
Whitehat security researchers have proved time and again how to fool fingerprint or iris scanners. Here are just some of the methods they use.
Creating a fake finger (spoofing the fingerprint)
To open up a smartphone secured with a fingerprint, the attacker will first need to find a high-quality print, that contains a sufficient amount of specific patterns to open up the device.
Next, an attacker will lift the fingerprint, place it on a plastic laminate, and then cast a finger to fit this mold.
Once the malicious hacker creates the fake finger, all he has to do is to place it on the scanner, press with his finger to conduct electricity and then use the unlocked phone.
Tricking an iris scanner
For iris scanners, all it takes is taking a photo with a cheap camera in night mode, print the iris on paper, and then put a wet contact lens to mimic the roundness of the human eye, and that’s it.
Here’s a quick and dirty video that shows a security researcher bypassing this feature:
Hacking the biometric sensor and stealing the data
Another, more insidious method of obtaining the fingerprint data of a phone, and unlocking it, is to directly hack the part of the phone responsible for storing the information.
For iOS devices, this means breaking into the Secure Enclave. Technically, this is possible, but it is far beyond the scope of your average, day-to-day cyber criminal. The few confirmed hackings have been done by Cellebrite.
Still, the software and expertise might reach mass-market, and into the hands of script kiddies.
In the case of Android devices, researchers have proven it is possible to trick the Qualcomm provided Trusted Execution Environment by loading a customized app, which then runs a privilege escalation until it obtains greater access to the TEE.
Fortunately for us users, a cybercriminal would need considerable expertise to hack your phone in such a way.
Biometric security for mobile devices, such as smartphones and laptops
A fingerprint lock is useless if somebody steals your smartphone, and then simply lifts the print off the device.
Here are a few simple tips to help minimize the number of prints that are on your phone:
- Dress your phone with a fingerprint resistant or oleophobic cover and screen protector.
- Use a different finger other than your index or thumb.
- If convenience is not your primary concern, use both the fingerprint and the password/PIN lock. This is especially useful for sensitive business smartphones and laptops.
- If your laptop or other device supports it, use a fingerprint randomizer. In short, you register 2-3 fingerprints, and the lock screen will ask you provide a different finger each time you log in.
Biometric authentication has firmly expanded beyond its highly professional niche and arrived in the consumer mainstream. As the technology gets cheaper and more powerful, it will make its way even more into our lives.
Do you use any sort of biometric technology? How do you feel about it and how secure do you think is?