On Simple Sensors

This is a fun post about some ruminations on how one might utilize cheap, simple sensors to build a really secure multi-factor biometrics based authentication system. <insert IoT hype> The system relies on some simple biometrics that, taken alone, aren’t particularly that secure but taken as a whole pose quite the challenge to an attacker.

The crux of it is to just throw as many simple biometrics onto the system as possible, calibrate them all to vote conservatively about whether you’re the real you, and take the ensemble’s vote. Take as many or as few of these sensors as you like (depending on the system) and make them as accurate or hacky as you like. Sometimes its more secure to just add another sensor type to your system than to retrain your facial recognition models on another billion faces. Sensors are cheap nowadays; you could probably throw together some subset of these technologies together for ~$50 including compute and get a pretty secure system.

I’m relying here on some variation of the 80/20 rule; 80% of the benefit of a particular type of authentication comes from doing a 20% effort job. Even if 2/7 sensors don’t think it’s you, maybe you’re okay with that and have enough trust in the 5 to let the person in. Maybe you check for manual verification. Maybe you only ask for steps 3–7 if a person fails step 1 or 2. I don’t know, its your system so you decide the level of security you want.

It’s not unbreakable no doubt (what is?) But throw enough roadblocks in the way and it just isn’t worth it to break the system anymore.

I’ll talk about the example of securing a door (say, with a smart lock) but the techniques outlined apply just as well to any physical system needing securing. Maybe even digital ones with certain biometrics like typing speed or basic facial recognition. All of these sensors probably pass their data back to some server / Raspberry Pi / cloud architecture <insert serverless reference> for processing.

Sensor Types

  • Accelerometers

Stick an accelerometer on the floor or walls to track movements through vibration. Every person moves in a unique pattern

  • Cameras

Stick two super cheap cameras on either side of the door, pass the data back to the Pi / Cloud and run some robust AF facial recognition that prevent’s 2D screen captures of a face. Throw in another IR sensor to prevent spoofing the biometrics with a 3D printed head model and you’re good to go. Probably don’t need any of this other nonsense.

  • Microphones

Have the person say a sentence. It’s not a secret password, it can totally be a public phrase. But as in everything, each person’s voice is unique and the system can verify it’s you by the subtelties in your voice that are otherwise pretty hard to fake.

  • Bluetooth

Sure, have it watch for a bluetooth signal from your phone while it’s at it. Why not.

  • Fingerprint sensors

If we’re talking about biometrics, it’s tough to not talk about fingerprints. But I’m actually not a big fan of using fingerprints for this for the sole reason that once it’s been stolen it’s really gone forever. And it’s super easy to grab someone’s fingerprints; [this guy] grabbed fingerprints off of pictures on Facebook of a high enough quality to break a fingerprint scanner so GL. But if we’re throwing all the sensors we can at this door, it doesn’t hurt.

  • Keyboards

So yeah, having a password to type in on the door is great but passwords are easily broken and people are stupid and use easily cracked passwords. Instead of just relying on the password, by tracking the keystroke patterns themselves you derive a much more robust and secure biometric from the act of typing a password. Bonus points: they don’t have to rotate their password ever.

So yeah, in conclusion if you really want to secure something it might be better to throw a thousand small sensors at an attacker rather than one big, smart sensor. Not that it would be particularly easy to stick all of these sensors into a functioning system. But at least it simplifies the difficult scientific task of developing robust biometrics systems into the far more tractable engineering issue of getting many biometrics systems to work well in conjunction, in real time, without pissing off your customers.

Kudos to anyone who can mimic me including walking, talking, breathing, fingerprinted, and typing well enough to pass all of the above tests. Why are you breaking into my door instead of just taking over the world with your perfect robots?

Maybe I’ll put this together one weekend; if any of you do please shoot me a message I’d love to hear about it goes. Or if you have thoughts on the above leave a comment. Let me know how bad this is and that I should never ever do security. That’s ok too.