Forge You: Do We Have To Trust Biometric Authentication

Everyday millions of computers solve the same problem; these machines try to check if you are actually you and not some other person. The most popular tool to do that

Everyday millions of computers solve the same problem; these machines try to check if you are actually you and not some other person. The most popular tool to do that is password checking. But it’s quite easy to steal a password as well as forget it. Problems with passwords highlight the need for another system of user identification. A very simple and appealing solution is biometric authentication, which allows a user to place his finger on top of a scanner, look at the camera or say a passphrase. Your fingers, your eyes and voice are always with you, right? And others people cannot imitate this. Unfortunately, this appealing idea has numerous cons and that is the reason why we don’t still use fingerprints to login to Google or withdraw cash from an ATM.


I will cover some issues in detail, but let’s start with a brief summary: it’s almost impossible to change your “password” and it’s quite challenging to implement truly secure encryption based on a biometric “password.” When going from concept-level to real-life implementation, you can’t help but notice an obvious and extremely important problem – it’s possible to forge most biometric characteristics using simple and affordable tools.



The major difference of any biometric authentication from an ordinary password-based one is the absence of a perfect match between the original (master) sample and the sample being checked. You simply can’t obtain two fully identical fingerprints of the same finger. It becomes even more troublesome when you try to match faces. Face characteristics might become different or just unreadable depending on lighting conditions, time of the day, presence of glasses, beards, bloodshot eyes, make-up, to say nothing about natural aging. Voice is also affected by numerous factors, e.g. the flu. In these conditions it’s extremely difficult to build a system that is able to accept the legitimate owner all the time and never admit strangers.

To solve this problem, each biometric system tries to clean the scanned sample of noise, effectively leaving only characteristic features acceptable for mathematical comparison. Nevertheless, even this “skeleton” should be matched with the original in terms of probability. For medium security systems, it’s assumed normal to admit a stranger once in 10,000 tries and block the legitimate user once in 50 cases. When it comes to mobile platforms, unstable external conditions, e.g. lighting and vibration dramatically increase the error rate, that’s why Android facial recognition fails in 30-40% cases.


A password for a lifetime

If you forgot your password or it has been stolen, you can change it. If you lost your keys, you can change a door lock. But what could you do, if your bank account is “locked” using the image of your palm as some banks in Brazil or Japan do, and this database of palm prints was stolen?

There will be a fingerprint scanner in the new iPhone while Android will use facial recognition to unlock. Is this protection worth your trust?

It’s extremely challenging to change your palm. Even if palm forgery technology doesn’t exist today, no one can guarantee it won’t emerge in five or ten years.

This fundamental problem might be partially solved with fingerprints – you can enroll only 2-4 fingers instead of 10, so there will be some ability to change the password. But this supply is quite short, probably too short considering a lifetime. Online account hacks happen just too often, so it’s a little bit scary to trust them with precious biometric information. The fact that most services store just a “skeleton,” a biometric derivative, doesn’t really make things easier – numerous studies have proven that it’s possible to rebuild, e.g. a fingerprint, that won’t be identical to original one, but still able to pass the check.


In addition, online biometric authentication raises privacy concerns. A biometric “password” clearly identifies you as you and it becomes impossible to have two separate accounts on the same social network – a site has enough tools to figure out that it’s the same person. Strictly speaking, hundreds or even thousands of users might have practically indistinguishable biometric features. But with help of a Geo-IP and other metadata that accompanies user requests, it’s well possible to set up completely unique user profiles for each user. If someone manages to implement biometric authentication on every popular web service, online user tracking will be a piece of cake.


A digital locker

Primarily, usage of passwords and, potentially, biometrics can assist to restrict access to various devices and services. Secondly, it can help restrict access to data that is stored on the device. However, it is difficult to utilize biometric features in the second case.

When you put your documents in a safety box with a fingerprint-based door lock, the box walls protect your data. You would have to use a powerful drill to overtake the fingerprint-scanning lock. If you access control of a computer, it’s ridiculously easy to avoid any check, so the computer equivalent of those steel walls is encryption. When you encrypt something with a password, a special encryption key is generated using your password. If you change only one character of the password, the encryption key will be totally different and useless. But a biometric “password” is slightly different on each access request, so it’s very complicated to directly use it for encryption. That’s why existing mass market “digital lockers” rely on cloud-based help – biometric matching happens on the server side, and, if successful, the server provides the decryption key to the client. Of course, that poses a significant risk of a massive data leak – a server hack might lead to the compromising of both encryption keys and biometric data.


Biometrics IRL

Leaving aside sci-fi movies and military developments, we can think of two cases of automatic biometric authentication you might encounter. There are trials being run in some banks – they might use palm scans on ATMs as well as voice authentication on phone-based service desks. The second type of biometrics is embedded scanners in consumer electronics, typically laptops and smartphones. The front camera might be used for facial detection and a sensor that can recognize fingerprints. A couple of systems also utilize voice authentication. In addition to the aforementioned general problems of biometrics, those consumer-grade implementations have limits, imposed by such constraints as CPU power, sensor price and physical dimensions. To deal with these constraints developers must sacrifice system security and robustness. That’s why it’s easy to fool some scanners with a wet paper with fingerprints generated using an ordinary printer or gelatin cast. And when it comes to gaining profits, fraudsters might produce a convenient fake finger – criminal schemes involving such tools already exist. On the other hand, legitimate users often try to swipe their fingers multiple times to have their access granted – most sensors might fail if a finger is wet, covered with lotion, slightly unclean or has scratches or burns.


Facial recognition systems are rarely able to distinguish real faces from photos (although there is a workaround if the system has a liveliness check, e.g. requires blinking). But when using facial recognition to unlock your mobile device, programs are often already sensitive to lighting conditions and the overall environment that you don’t want to make things worse by enabling extra checks. And you must have a backup – an old password – otherwise you won’t be able to unlock your device in the dark.

Most developers of voice authentication systems say that they are able to detect fakes – both recordings and impersonators. In fact, only the most powerful systems perform all required computational-heavy checks, and some researchers say that voice alteration software might fool authentication systems in 17% of the time. It’s complicated to implement full, real time analysis on a mobile device, so it requires help from the cloud, but cloud-based authentication is slower, depends on internet connection quality (and mere existence) and is prone to additional attacks like man-in-the-middle. By the way, an MITM attack is especially dangerous for voice authentication systems, because it is much easier to obtain voice samples than other biometric samples.

This combination of practical inconveniences for legitimate users and insufficient security prevents biometric authentication from becoming a standard in mobile device security, replacing traditional passwords and electronic tokens. Secure and reliable identity checks using biometrics is now possible only in controlled conditions, i.e. in a border control booth in an airport or security checkpoints at an office entrance.