Biometric authentication has been billed as the technology that may eventually replace passwords. But the C-suite, security professionals, and rank-and-file employees all harbor different concerns about how biometrics are collected, stored and used. One of the biggest concerns is around biometric data being spoofed and used in presentation attacks.
People have grown accustomed to hearing how threat actors use stolen passwords to access a person’s other accounts. However, likening a fingerprint to a password is a false comparison. Inputting a password is simple and involves entering the characters through a keyboard. A biometric, in concept, needs to be entered through a biometric capture device, a process that isn’t as straightforward as typing on a keyboard.
Using a biometric takes work
Unlike passwords, biometric images are not entered directly. Instead, the stolen images would need to be converted into a spoof artifact that can be used with the specific image capture module. For instance, to pull off an attack using stolen fingerprints, an attacker would have to make molds of a person’s fingers. In other words, while using a stolen fingerprint to access an account is possible, this type of attack is not as simple to mount as ones that entail entering a stolen password.
Before implementing biometric recognition, organizations should determine if the risks associated with a presentation attack and determine if the effort involved in carrying out an attack is worth the “effort” and the “consequences” to the attacker.
“Effort” refers to the time, knowledge, and resources it takes to perform a presentation attack on a biometric system. The level of effort required to carry out this type of attack depends on the targeted biometric trait and is tied to the potential “consequences” of attacking the authentication system.
Not all biometrics are easy to spoof
Lifting an impression of a fingerprint from a surface requires more effort and skill than finding an image of person’s face. Getting fingerprints requires being in close proximity to a person. But getting an image of person’s face just requires using Google.
Meanwhile, the cost of launching a face spoof attack, which involves either using a printed photo, displayed photo, or replayed video, is relatively low compared to manufacturing spoof fingers using molds or putty. There is also the risk of having an evil twin, but this is considered as a zero-effort attack, not a presentation attack.
People can aid or hinder a presentation attack’s success
In some cases, people cooperate with the attacker if they benefit from the consequence of the activity. For example, a Brazilian doctor used fake fingers made of silicone to sign in absent colleagues. Although fingerprints are harder to spoof than a face, having the people whose biometrics were spoofed cooperate with the perpetrator reduced the effort needed to fool the system.
On the other hand, if an attack will negatively impact a person, such as having money stolen, users will not cooperate with the threat actor and do their best to protect their biometric by not sharing them and securely storing this data. With the user and attacker on opposite sides, the threat actors will need to invest a substantial amount of effort to pull off a presentation attack.
So before likening a biometric to a password, remember the amount of work required to use each one in an attack. To use a stolen password, threat actors just need a keyboard. To use a biometric, they need to first acquire the data, spoof it and then fool the biometric capture device, a process that isn’t as easy as typing a birthday or your pet’s name on a keyboard.
Asem Otham is Veridium’s Team Lead, Biometric Science. This post previously appeared in Biometric Update.