Man passing biometric identification with fingerprint scanner
The Biometric Threat by Ned Hayes, General Manager at SureID

The Biometric Threat

In a recent survey, a majority of consumers told IBM that they’re comfortable using biometrics, and 87% even said they’d be comfortable using biometrics as their only authentication means in the future. Millennials proved the most at ease with new tech, with 75% reporting that using biometric identifiers was not a problem for them. Biometrics are the future, and the future is headed our way fast.

In fact, biometrics have already become a part of our daily lives. If your fingertip unlocked your phone so you could read this article, you just used biometrics to verify your identity. We use all sorts of methods to prove we are who we say, from passwords to PINs to security tokens, but no method has grown faster than biometrics. The technology has begun to replace document-based IDs (such as driver’s licenses and the pass cards used to access secure buildings) as well as the username/password dynamic many of us have had a conflicted relationship with for years.

Background checks are also a hot new territory for biometric identity. You can enroll your biometrics through several nationwide systems to instantly prove your identity. FBI channelers use biometrics to pull up a criminal background check, often in a matter of minutes. If you’ve endured the awkwardness of job-related drug testing, imagine a new paradigm where a biometric scan of tiny droplets of sweat on your fingertip can provide an on-the-spot drug test in minutes.

Can biometrics be hacked?

How challenging would it be for a hacker to crack your password? If someone could, for example, combine your email address with your pet’s name and the year you were born to gain access to one (or many) of your accounts, you’re vulnerable to a security breach. Truth is, the username/password system is archaic and easily broken. We’ve stepped up our game by adding things like security tokens, but even those systems aren’t immune to hacking, especially when consumers skip using them because they feel they’re too much of a hassle.

When it comes to proving our identity, there’s no doubt that biometrics are more convenient, but are they truly more secure? Although biometric identity systems are harder to break, things like masks and false faces can sometimes fool facial recognition systems. Fingerprinting has its issues, too. Philip Bontrager, lead researcher on a team at NYU, used machine learning to create a fingerprint that combined the characteristics of many fingerprints into one fake master print to fool them all. He called his hack the DeepMasterPrint. Bontrager discovered that his master fingerprint could log into devices with only a single authentication routine, such as a smartphone, tablet, or even your home security system.  In other words, he proved that fingerprints are hackable.

The predictable security cold war pattern

If you look at the history of hackers breaking what we believed to be relatively secure systems, you’ll notice a distinct pattern to the security cold war. It looks something like this:

  1. A security system is broken through some complicated exploit. Academics figure out and explain how the hackers pulled it off.
  2. Security experts devise solutions to the hack and release details on the hack and the fix to business and public sectors, who largely ignore the fix.
  3. Nefarious actors pull off a general attack on the systems that haven’t been updated with the fix. This sort of thing might be done by rogue states (*cough* Russia) or by hackers who hold systems for ransom.
  4. Security professionals respond, but the horse has often left the barn by the time they do. Script kiddies pick up the hack and use it at scale to steal whatever they want.
  5. New, more complicated solutions force the fix to be in place for new systems, and the hack is prevented from ever existing again … except now the ultra-secure systems we use are unduly complicated, so people avoid using the ultra-secure systems, which leads to lower security across the board.

This pattern has played out time and again across different security systems. Right now, we’re at stage one with biometrics. We’ve seen that biometrics can be hacked, and we’ve begun to analyze how that happens.

You might see me as participating in step two – I’m one of the security experts offering a set of solutions. If people don’t ignore the fixes I suggest, it’s a lot less likely we’ll see a world where stages three through five become possible. Three critical behaviors can mitigate the threat of new biometric exploits and vulnerabilities, and organizations that require secure identification and authentication would do well to take note.

How to mitigate the biometric hacking threat

Fix #1: Enroll at high fidelity

High-security authentication can’t happen with single low-fidelity biometric scans (for example, those used by smartphones.) For the highest security, it’s crucial to enroll multiple fingerprints through a high-fidelity mechanism like those used by certified FBI channelers, groups of companies that employ a much higher standard than those exploited by the DeepMasterPrint hack.

The high-fidelity requirement also applies to access and identity systems that use facial geometry and iris scans. The more data points the system uses to identify an individual, the less likely it is to be easily circumvented by exploits like false faces.

Fix #2: Use multi-factor biometric solution

If you want even greater security, use a system that enrolls more than one type of biometric factors, like a one-two combo of fingerprints and facial recognition. If the fingerprints match the face, and the face matches the documents, you have yourself a multi-factor identity that’s extremely difficult to hack.

A single finger on a pad or a face scanned by a camera should never be enough to grant access to high-security software, devices, and facilities. Biometric equipment is becoming more cost-effective and using multiple points of biometric identification for secure access should be a no-brainer.

Fix #3: Put a human in the loop

People are the ultimate biometric-checking devices. Machine learning and AI are still vulnerable to errors, but having a person check identity in real-time increases security and adds accountability. Someone might fool a facial scanner by wearing a mask, but it’s unlikely they’ll get past a human at a security checkpoint.

The future of biometric hacks

It’s a common path: any security technology is prone to exploits in its early stages of deployment. But there are ways to ensure that biometrics don’t veer down that road if we take comprehensive steps to mitigate hacking while the tech is in its infancy.

That’s because biometrics are a whole different game when it comes to identity proofing, and it would be magnitudes harder for hackers to replicate and deploy biometric exploits on a large scale. Check any news cycle and you’ll see that hackers take joy in cracking the most secure password-authenticated systems. But creating fake fingertips, irises, or faces for every human being on Earth? Now, that’s an astronomically hard problem. When we combine multi-factor identity, high-fidelity enrollment, and human security points, biometrics are safeguarded against hacks in a way that’s virtually foolproof.