Biometric spoofing is a top concern among security professionals and identity access managers, judging by the number of people who asked John Spencer, Veridium’s chief product officer, and Ravin Sanjith, program director at Opus Research, about this topic following a webinar on the underlying issues with using passwords for authentication. Multiple people wanted to know their thoughts on how attackers could fool Apple’s Face ID and Touch ID and Samsung’s iris recognition technology and what role behavioral biometrics plays in offering additional authentication.
In this blog, we answer that question and a few more commonly asked ones. For more on the security concerns around passwords and how biometric authentication can help alleviate them, check out the webinar.
My company wants to use SMS for authentication but NIST hasn’t approved it as an authentication method. What are your thoughts on mobile SMS?
Ravin: NIST deprecated the use of SMS probably 18 months to two years ago. Here’s why:
The first issue is that using these number-based challenge response methodologies — whether they’re done by a push notification or SMS — just involves matching data. This method does not confirm a person. One could argue that if the device belongs to the person, and the person has logged into the device, you could infer that it is the person, but that’s the problem. It is an inference.
The other reason is man-in-the-middle attacks. Man-in-the-middle malware can pick up all forms of communication. Even though the communication may be encrypted, there is a possibility that these one-time PINs by SMS can be intercepted. Actually, it’s been one of the strongest drivers of SIM-swap fraud because SIMs are swapped so that SMS can be redirected to phones that are then used in the multifactor authentication space, where SMS is no longer as effective.
John: Using a token and a password, or using an SMS as an alternative to a token, doesn’t definitively prove identity in the same way that a biometric does. It’s also costly. I met with a large U.K. bank that used SMS as a one-time password to authenticate their users. Using SMS cost the bank more than £11 million per year. It’s a hugely expensive operation to go through to add what, in essence, is actually weak security.
What is your perspective on people’s ability to spoof biometrics? And what are your thoughts on using behavioral technology to provide additional authentication?
Ravin: From a general market perspective, there’s always a way to spoof a particular biometric. There’s no perfect solution, and security architecture should never let just one modality grant access.
We always call for the use of multifactor authentication. So something you have, like your phone, and something you are, like your biometrics, and other analytics, like what you’re trying to do. Is it a transaction or a log-in? There is no silver bullet. It doesn’t matter what the modality is; it has to be multifactored and multi-layered.
John: From a security perspective, you’re right. As any biometric vendor on the planet will testify today, as soon as you release a biometric, you’ll have people who are obsessed with trying to break it, fool it and spoof it. Ultimately, if attackers put enough time, effort and money into that process, you’ll probably get to the point where you can spoof. We saw this with Apple Face ID. We saw Samsung’s iris scanner spoofed. Ultimately, you can be defeated. Biometric vendors, including Veridium, put liveness detection algorithms into our technology to try and defeat most of those attacks.
We’ve been very successful with that, but ultimately, we’re relying on computer vision technology and machine learning to differentiate between what’s real and what is fake. Veridium comes at this from a different angle. We’re adding a behavioral biometric layer into the technology. Not only will we take the explicit authentication of a biometric, whether that’s my face or my fingerprint, we’ll have an implicit layer as well.
We’ve worked out there’s a consistent user behavior that is involved when using Veridium. It’s the angle at which you hold your phone, the speed at which you pick the phone up. We’re going to overlay explicit authentication with a behavioral implicit.
It’s a form of liveness detection, and almost impossible to spoof in three to four attempts, which is when people are typically locked out of our server. Bringing a behavioral capability to the authentication process is the next evolution of our biometric capabilities.
Using a smartphone for authentication was talked about a lot. But what if I don’t have my phone with me?
John: Veridium has a get-out-of-jail mechanism for enterprises to allow their users to access their devices in the event that they’ve lost either their phone or biometric. You’re not in a dead-end situation if you lose your phone or injure yourself.
With Veridium, you can involve more than one device, so it can be used with multiple mobile phones. We find that at a lot of organizations people have their personal phone and their work phone. In the scenario where you’ve lost your phone or left it in a taxi, the Veridium administrator can basically authenticate your session for you.