Biometric Authentication Overview, Advantages & Disadvantages

Heimdal Security
14 min readJan 12, 2018

--

Biometric authentication is simply the process of verifying your identity using your measurements or other unique characteristics of your body, then logging you in a service, an app, a device and so on. What’s complicated is the technology behind it, so let’s see how it works.

To understand it better, just know that biometrics is the name for any type of body measurements and calculations. Biometric identification verifies you are you based on your body measurements. Biometric authentication goes one step further and uses that information to compare you against a database and enters your information in a service.

Think of it like this: biometric identification is like a neighbor who looks through the peeping hole at the 2 people who just rung the bell. The neighbor decides which one of them is Dave based on height, hair color, eye color and so on.
Biometric authentication is the neighbor who looks through the peeping hole to see who is calling the door. If it’s Dave, the neighbor lets him in.
If it’s not Dave, the door remains shut.

This is just the simplified explanation for biometric authentication but stay tuned!

Here’s what we will cover in this extensive explanation of biometric authentication, a fascinating technology with significant adoption in the present and huge potential in the future.

How biometric authentication works

Biometric authentication works by comparing two sets of data: the first one is preset by the owner of the device, while the second one belongs to a device visitor. If the two data are nearly identical, the device knows that “visitor” and “owner” are one and the same, and gives access to the person.

The important thing to note is that the match between the two data sets has to be nearly identical but not exactly identical. This is because it’s close to impossible for 2 biometric data to match 100%. For instance, you might have a slightly sweaty finger or a tiny, tiny scar that changes the print pattern.

Designing the process so that it doesn’t require an exact match greatly diminishes the chance of a false negative (the device doesn’t recognize your fingerprint) but also increases the odds that a fake fingerprint might be considered genuine.

Popular biometric authentication

There are quite a few types of identifying a user by way of his own body. Below are the most popular biometric technologies that have made their way into users’ hands.

Fingerprint Scanners and how they are stored

There are three types of fingerprint scanners: optical, capacitive and ultrasound.

  • An optical scanner takes a photo of the finger, identifies the print pattern, and then compiles it into an identification code.

Source

  • A capacitive scanner works by measuring electrical signals sent from the finger to the scanner. Print ridges directly touch the scanner, sending electrical current, while the valleys between print ridges create air gaps. A capacitive scanner basically maps out these contact points and air gaps, resulting in an absolutely unique pattern. These are ones used in smartphones and laptops.
  • Ultrasonic scanners will make their appearance in the newest generation of smartphones. Basically, these will emit ultrasounds that will reflect back into the scanner. Similar to a capacitive one, it forms a map of the finger unique to the individual.

How are your fingerprints stored?

Both Google and Apple store your fingerprint on the device itself and do not make a copy of it on their own servers.

Apple’s TouchID won’t store the actual image of the fingerprint, but a mathematical representation of it. So even if a malicious hacker reaches this mathematical representation, he cannot reverse engineer it to reveal an actual image of your fingerprint. Not only that, but the fingerprint data itself is encrypted.

As this security researcher pointed out, TouchID can be hacked but it’s still an extremely safe method of biometric authentication. For someone to hack an iPhone using TouchID sensors, they would need a really good copy of someone’s fingerprint. This will get them access to your unlocked phone, but not to a copy of your fingerprint, so it differs from stealing a password.

Source

Also, not even the device’s OS can access the fingerprint data directly, much less an app. Instead, there’s a gatekeeper security software called Secure Enclave that sits between the fingerprint data, and the program making the fingerprint scan request.

Android phones operate under similar guidelines. They store the fingerprint data in a secure part of the main processor called Trusted Execution Environment, or TEE for short. The TEE is isolated from other parts of the processor and doesn’t directly interact with installed apps.

Just as with Apple devices, fingerprint data is stored in an encrypted state. In addition, removing a user from the device should also delete any fingerprints stored on it.

While Apple has moved away from fingerprint scanning authentication and replaced TouchID with FaceID, other companies still rely on it.

Indeed, in 2018, a lot of smartphone developers are aiming to incorporate fingerprint scanners in the screen itself. Vivo is the first one to market such a device. The Vivo phone has a Synaptic CMOS sensor, a small camera, taped to the back of the OLED panel. Whenever the OLED screen lights up, it also illuminates your fingerprint, which the sensor sees and then compares it to the info already stored. For users, the result is a seamless experience: simply touch the screen with your finger and your phone will unlock.

Eye scanners

Security researchers consider the eye as one of the most reliable body parts for biometric authentication since it the retina and iris remains almost completely unchanged during a person’s lifetime.

  • A retinal scan will illuminate the complex blood vessels in a person’s eye using infrared light, making them more visible than the surrounding tissue. Just like fingerprints, no two persons will ever have the same retinal pattern.

Source

  • Iris scanners rely on high-quality photos or videos of one or both irises of a person. Irises too are unique to the individual. However, iris scanners have proven to be easy to trick simply by using a high-quality photograph of the subject’s eyes or face.

How iris scanners work

When it comes to biometrics, the iris has several major advantages compared to a fingerprint:

  • You don’t spread the information around every time you touch something.
  • The iris stays virtually unchanged throughout a person’s life. A fingerprint, on the other hand, can be dirtied, scarred or eroded.
  • You can’t use a fingerprint with dirty or sweaty hands. Irises, however, have no such problem.

The only major disadvantage of an iris scanner is that high-quality photos of your face or eyes can trick the scanner and unlock the device.

Source

Despite these limitations, the technology has made its way as a security feature in airports, banks, and other sensitive buildings. Of course, just like with other security measures, it’s used in conjunction with multiple authentication technologies.

How it works. In the enrollment phase, the scanner will make a photograph of your iris using both normal light, as well as infrared light to capture details that wouldn’t be visible otherwise.

After the device records the person’s iris, it will remove any unnecessary details, such as eyelashes, and then transform the information into mathematical data and encrypt it.

During verification, an iris scanner will again emit infrared light to spot those hidden details. Because an iris scanner supplies its own light, it also works in low light or dark conditions.

Speaker recognition

Speaker recognition, unlike voice recognition, wants to identify who is talking, and not what is being said.

Source

In order to identify the speaker, the specialized software will break down their words into packets of frequencies called formants. These packets of formants also include a user’s tone, and together they form his voice print.

Speaker recognition technology is either:

  • Text-dependent, meaning it unlocks after identifying certain words or phrases (think “Hey Alexa!” for the Amazon Echo).
  • Text-independent, where it tries to recognize the voice itself but ignores what is actually said.

Unlike other methods mentioned here, speaker recognition comes with a significant usability problem, since it’s easy for background noises to distort the person’s voice and make it unrecognizable.

When it comes to consumer devices, voice activation can come across as awkward (a.k.a. talking to Siri in the subway).

But the biggest issue with speech recognition is how easy it is to create a high-quality reproduction of a person’s voice. Even low-quality smartphones can accurately record a person’s voice, complete with inflections, tone, and accents.

This hasn’t stopped speaker recognition and similar technologies from gaining mainstream adoption. Just look at the success of Amazon Echo, Google Home, and other voice controlled speakers integrated into a lot of smart homes. What do you get when you combine an Amazon Alexa with an Amazon Key that unlocks your home to couriers when you’re at work?

It’s an amazing biometric authentication experience for users. At the same time, it’s a security risk of nightmare proportions.

We don’t mean just biometric authentication exploits, but “classic” hacker methods as well. Rhino Security Labs demonstrated just how to attack Amazon Key via WiFi so the camera is blind to whoever would enter your home.

We covered the risk of using IoT devices and we explained how to secure them here. In this guide, you’ll find the best ways to protect your home wireless network. But let’s return to biometric authentication types and how they work because we’ll later explain how their advantages and disadvantages.

Other biometric technologies

The methods above are the most well known and most popular, but not the only ones. Here are some other technologies:

Facial recognition systems

Generally speaking, facial recognition systems approach biometric authentication from a lot of angles.

Source

The classic way is to simply extract your face’s features from an image (eyes, nose, distance between your lips and your nose etc) and compare them to other images to find a match.

Through skin texture analysis, your unique lines, beauty marks, wrinkles and so on are turned into a mathematical space, which is then compared to other images.

Both of them can be easily fooled with makeup, masks or, in some cases, simply obstructing part of your face. This is where thermal imagery and other technologies stepped up the game until we got to this point — that of widespread adoption of systems like the Apple FaceID.

The iPhone FaceID uses more than 30,000 infrared dots to map your face, then creates essentially a 3D map of your features. This map, like Touch ID, is sent to the Secure Enclave in the CPU to be compared with the one already stored on the device. The result? Your phone is unlocked just by looking at it.

In the marketing materials, Apple said there is a 1 in a million chance for someone else to unlock an iPhone using FaceID. Of course, that just sounded like a challenge for security experts. A researcher from Vietnam fooled FaceID with a 3D printed mask made from silicone and paper tape.

2. Hand and finger geometry

While not as unique as prints, iris scanners or tridimensional face maps, our hands are different enough from other people’s. That makes them a viable authentication method in certain cases.

Source

A hand geometry scanner will measure palm thickness, finger length and width, knuckle distance and so on.

Advantages of this kind of system are cheapness, ease of use and unobtrusiveness. It also has a few major disadvantages. A hand’s size can vary over the time. Health problems might limit movements. More importantly, a hand is not that unique, so the system has low accuracy.

Source

2. Vein geometry

Our vein layout is completely unique and not even twins have the same vein geometry. In fact, the overall layout is different from hand one hand to another.

Veins have an added advantage since they are incredibly difficult to copy and steal because they are visible under tightly controlled circumstances.

A vein geometry scanner will light up the veins with near-infrared light, which makes your veins visible on the picture.

Source

Advantages and disadvantages of biometric authentication

Ultimately, biometric authentication techniques are all about security. As a feature, their main competitor is the password (or PIN code, on occasion), so a comparison between the two will reveal both their flaws and weaknesses. Let’s see.

Advantage: Ease of use

A fingerprint or iris scan is much easier to use than a password, especially a long one. It only takes a second (if that) for the most modern smartphones to recognize a fingerprint and allow a user to access the phone. Ultrasound scanners will soon become commonplace, since manufacturers can place them directly behind the screen, without taking any extra real estate on a phone.

Voice recognition, on the other hand, is a bit iffier and background noises can easily scramble the process and render it inoperable.

Disadvantage: You cannot revoke the fingerprint/iris/voice print remotely

A big disadvantage of biometric security is that a user cannot remotely alter them. If you lose access to an email, you can always initiate a remote recovery to help you regain control. During the process, you will be able to change your password or add two-factor authentication to double your account’s security.

Biometrics, however, don’t work like that. You have to be physically near the device to change its initial, secure data set.

A thief could steal your smartphone, create a fake finger, and then use it to unlock the phone at will. Unless you quickly locked your phone remotely, a thief would quickly steal every bit of information on the device.

Advantage: The malicious hacker has to be near you

The biggest advantage of biometrics is that a malicious hacker has to be in your physical proximity in order to collect the information required to bypass the login.

Source

This narrows down the circle of possible suspects in case your biometric lock is somehow bypassed.

The proximity also puts him at risk of getting caught red-handed, in a way that regular malicious hackers working from another continent cannot.

Disadvantage: “Master fingerprints” can trick many phones and scanners

When you first register a fingerprint, the device will ask you for multiple presses from different angles. These samples will then be used as the original data set to compare with subsequent unlock attempts.

However, smartphone sensors are small, so they often rely on partial matches of fingerprints.

Researchers have discovered that a set of 5 “master fingerprints” can exploit these partial matches, and open about 65% of devices.

The number is likely to go down in real life conditions, but an open rate of even 10% to 15% is huge and can expose millions of devices.

Disadvantage: Biometrics last a lifetime

You can always change your password if somebody learns it, but there’s no way to modify your iris, retina or fingerprint. Once somebody has a working copy of these, there’s not much you can do to stay safe, other than switching to passwords or using another finger.

In one of the biggest hacks ever, the US Office of Personnel Management leaked 5.6 million employee fingerprints. For the people involved, a part of their identity will always be compromised.

Disadvantage: Vulnerabilities in biometric authentication software

A couple of years ago, security researchers discovered weaknesses in Android devices that allowed them to remotely extract a user’s fingerprint, use backdoors in the software to hijack mobile payments or even install malware.

What’s more, they were able to do this remotely, without having physical access to the device.

Since then, patches have come for the vulnerabilities, but bug hunters are constantly on the hunt for new ones.

Hacking methods

Whitehat security researchers have proved time and again how to fool fingerprint or iris scanners. Here are just some of the methods they use.

Creating a fake finger (spoofing the fingerprint)

To open up a smartphone secured with a fingerprint, the attacker will first need to find a high-quality print, that contains a sufficient amount of specific patterns to open up the device.

Next, an attacker will lift the fingerprint, place it on a plastic laminate, and then cast a finger to fit this mold.

Source

Once the malicious hacker creates the fake finger, all he has to do is to place it on the scanner, press with his finger to conduct electricity and then use the unlocked phone.

Tricking an iris scanner

For some iris scanners, all it takes is taking a photo with a cheap camera in night mode, print the iris on paper, and then putting a wet contact lens to mimic the roundness of the human eye.

Hacking the biometric sensor and stealing the data

Another, more insidious method of obtaining the fingerprint data of a phone, and unlocking it, is to directly hack the part of the phone responsible for storing the information.

For iOS devices, this means breaking into the Secure Enclave. Technically, this is possible, but it is far beyond the scope of your average, day-to-day cyber criminal. The few confirmed hackings have been done by Cellebrite.

Still, the software and expertise might reach mass-market, and into the hands of script kiddies.

In the case of Android devices, researchers have proven it is possible to trick the Qualcomm provided Trusted Execution Environment by loading a customized app, which then runs a privilege escalation until it obtains greater access to the TEE.

Fortunately for us users, a cybercriminal would need considerable expertise to hack your phone in such a way.

Biometric security for mobile devices, such as smartphones and laptops

A fingerprint lock is useless if somebody steals your smartphone, and then simply lifts the print off from the device.

Source

How to secure smartphone/laptop fingerprint readers

Here are a few simple tips to help minimize the number of prints that are on your phone:

  • Dress your phone with a fingerprint-resistant or oleophobic cover and screen protector.
  • Use a different finger other than your index or thumb.
  • If convenience is not your primary concern, use both the fingerprint and the password/PIN lock. This is especially useful for sensitive business smartphones and laptops. Here is a comprehensive guide for your smartphone security, and we compiled the best password tips here.
  • If your laptop or other device supports it, use a fingerprint randomizer. In short, you register 2–3 fingerprints, and the lock screen will ask you provide a different finger each time you log in.

Here are a few tips to prevent thieves from stealing fingerprints off your smartphone

CLICK TO TWEET

Conclusion

Biometric authentication has strongly expanded in the last few years, with more and more consumers relying on it and even demanding for it.

Do you use any sort of biometric technology? How do you feel about it, especially in government’s hands, and how secure do you think is?

Originally published at heimdalsecurity.com on January 12, 2018.

--

--

Heimdal Security

Online criminals hate us. We protect you from attacks that antivirus can’t block.