Biometric security frequent psychic has become a mainstream norm of authentication and login security. It’s convenient unique and user-friendly but it also could be the most stupid security token you could use.
Consider this if somebody steals your password all you need to do to secure your account is to change the password but what if somebody steals your fingerprint?
You leave your fingerprint everywhere you can’t change it and yet you’re encouraged to use it as a security token. When it comes to pure entropy, fingerprints or facial recognition can generate a stronger security key than a bad password. The problem is that if someone has a bad password practice you can teach them to do better but you can’t change their face.
The whole promise of biometric security stands and falls on how easy it is to replicate and abuse biometric models and the short answer is it’s a cat-and-mouse game. In the long, enough timeline someone will be able to recreate a copy of your face or fingerprints that works just fine enough to fool authenticating systems.
Once your biometric data is compromised it affects all applications at once and you will be affected for the rest of your life. Enterprise-level multi-factor biometric systems could improve the security of the premises but consumer-grade biometric authentication is more of a convenience measure than a security enhancement.
When Apple first released touch ID for iPhone in 2013 it was touted as the next step in the evolution of secure authentication. In just 24 hours hackers found a cheap solution to break it. A photograph of your fingerprint taken from a glass surface such as a very iPhone is enough to recreate a replica that Apple’s Touch ID would accept as a genuine fingerprint. This whole process takes about 30 minutes.
Now may think this still reduces your attack surface because hackers have to get physical access to your device and a fingerprint but boy is it way worse than that even just a high-resolution photo of your hands will give hackers enough data to construct a fake fingerprint.
A German hacker was able to use press photographs of Germany’s defense minister to duplicate her fingerprints and a quick scan of their photos posted all over social media may give hackers exactly what I need to achieve that.
Now before you start scrolling through your social media to delete any photo that has your fingertips facing the camera let me reassure you that it’s already too late. Your fingerprint may be all over the Internet and there’s nothing you can do about it. You have to remind yourself that your phone isn’t the only thing that has your fingerprint. Your biometric data is most likely stored on multiple databases that often act as lucrative targets for hackers.
Kaspersky found that up to a third of biometric systems that store biometric data were targeted by malware attacks. Further analysis showed there is an emerging market for mass-distributed malware aimed at stealing biometric models from banks and financial systems.
If you’re rich or dumb you probably spend a thousand dollars on an iPhone with Face ID and face ID is ten times better than touch ID because there is an aliveness detector and you’re not going around slamming your face all over the place.
You believe the full sense of security Apple gives you by claiming your facial recognition data is only stored on your iPhone. Granted.
Apple face ID is among the most secure facial authentication systems available for consumers but your iPhone is not the only device that can scan your face. Facial recognition can be used anywhere without your consent.
Taylor Swift used a kiosk that showed a rehearsal of her clips to entertain fans as a disguise of its true purpose to use facial recognition to identify her stalker. Facial recognition is used by advertisers in public places were banners and posters can be used to identify you and even link to your social media accounts.
As you are stomping around from one foot to another on a bus stop facial recognition banner can get detailed scans of your face from all angles more than enough to craft a perfect copy of your face. Even Vimeo a video hosting site was sued for allegedly using people’s facial biometrics and storing this data taken from their videos without their consent.
And you could easily be socially engineered into rotating your face in front of a hidden camera while staring into banners somewhere in a mall right next to an Apple Store.
Hackers are very patient people in cybercrime is a multi-trillion dollar business. Your facial biometrics is a lucrative target.
Apple’s Face ID security is majestically falling apart as researchers and hackers get crafty in tricking face ID through the use of 3d printing of facial models in VR systems to perform facial animation.
Hackers can make masks that look hideous to the human eye but they’re good-looking enough to fool face ID and if you are on a budget Android phone using some sort of face unlock the situation is even worse for you.
The price tag of the true depth 3d sensor used in iPhone 10 it’s $60 per unit this is prohibitively costly for budget Android vendors so the defaults much less secure mechanisms that are even easier to food an apple face ID.
In the age of social media surveillance cameras and algorithmic marketing, your face is virtually everywhere and the biometric data generated from it is stored in remote data centers with pathetic security the breach is not a matter of if but when in 2015 the US Office of Personnel Management suffered a severe cyberattack were fingerprints of 5.6 million people associated with the US government were stolen.
In the UK fingerprints and facial recognition data of more than a million people has been found on a publicly available database in an unencrypted form in an unsophisticated attack vector researchers were able to access a total of 27 point eight million records filled with biometric information and login credentials. Among the most luring targets of profit-seeking hackers are major airliners in cooperation with airport security and border control.
Airlines also rely on facial recognition to facilitate the process of travel and boarding. The convenience comes at the price of security Cathay Pacific Bridge exposed data of nine point four million customers in 2018. While British Airways a record-breaking fine of 183 million pounds but the European Union for exposing the passport, credit card, and other personal details of 500,000 customers.
On top of that biometric security will always be susceptible to false rejection rate and false acceptance rate. In the former, you might downgrade the less secure authentication mechanism to bypass the faulty recognition system.
Most phones with fingerprint sensors or face features including iPhone offer a backup solution to unlock your phone through a pin or passcode which means your phone is only as secure as the secondary unlocking mechanism. Which for most non-security-minded people is not secure at all.
False positives among family relatives including twins parents and their children and siblings are not uncommon and significantly increases your attack surface. Your close relatives may share just enough similarities in their faces to confuse facial recognition.
On the other hand, they all might be using different pins or pest codes that are not known to one another. Unlike passwords, biometric data will always have a greater than zero probability of false negatives and false positives.
At the end of the day, biometrics is just a long password, and just like long passwords, it can be eventually brute force. The best use of your biometrics is as part of multi-factor authentication where you have to enter something you know something you have and something you are. No modern smartphones are offering this level of protection.
Security tokens such as authentication USB keys from Subiaco or nitro key are still the most secure way of authentication because for as much as we know they are the least replicable if at all. For device encryption, the long-established device still prevails the longer the passphrase the stronger the security of the encryption key.
In many jurisdictions, the police may unlock your phone by forcefully using your fingers or your face but in the U.S you can invoke the Fifth Amendment to refuse to give out your password because you can’t be compelled in any criminal case to be a witness against yourself.
As of right now biometric security as a one-off authentication event isn’t going to be more secure than a strong passphrase or multi-factor authentication. It truly secures a biometric implementation would be a continuous pattern recognition that constantly scans our behavior, gate keystrokes movement, voice, as well as face and fingerprints.
I am ending with a quote from the German hacker group that broke Apple’s Touch ID in 24 hours.
“It is plain stupid to use something that you can’t change that you leave everywhere every day is a security token.”