Authentication in and outside of computing can be done in one of three ways. It can be based on something you know, such as a password. It can be based on something you have, such as a keycard. Or it can be based on something that you are. That’s where biometrics comes in.
The use of biometrics predates computers. Around 100 B.C., Chinese emperor Ts’In left his fingerprint as a seal on important prehistoric artifacts. In the 1800s, Alphonse Bertillon initiated the process of taking anatomical measurements of crime suspects in order to recognize reoffending criminals.
Fingerprints were the first consistently deployed biometrics in modern times. Police in the UK started tracking criminals and crime suspects with fingerprints in 1901. French police and New York followed in 1902. By 1924, fingerprints started to be used by the FBI. That’s a lot of inky fingers!
Biometric authentication in computer systems
There are three basic types of fingerprint scanners used today. They are capacitive, ultrasound, and optical.
Capacitive fingerprint scanners measure electrical signals that are sent from our fingers. The electrical signals come from the raised parts of our fingerprints, such as the little swirly marks on mine. Air gaps are formed from the valleys between the raised parts. The nearly unique design of our fingerprints is then electronically mapped out. Capacitive fingerprint scanners are most commonly seen built into business laptops and smartphones.
Ultrasound fingerprint scanners send sound waves to our fingertips. The way sound waves ricochet against our fingerprints is used to map them accurately. Some newer smartphones are using this technology.
Optical fingerprint scanners simply take photos of our fingertips and scan the photos in order to identify a fingerprint pattern. You might see these types of scanners on devices like the fingerprint scanners on heavily secured doors.
Many fingerprint scanners can check for a pulse in someone’s finger in order to not be vulnerable to the old grab someone else’s fingerprint with a gummy bear trick.
The other more common form of biometric authentication in computer systems are iris scanners. The patterns in our irises are pretty much unique and seldom change over the course of our lifetimes. But obviously if someone is wearing cosmetic contact lenses or sunglasses, they will need to remove them in order to properly authenticate with an iris scanner.
One potential problem with iris scanners is that they can sometimes be hacked by using a high quality photo of someone’s eye.
One advantage that iris scanners have over fingerprint scanners is that we leave our fingerprints on everything we touch without gloves. That may be where the gummy bear trick comes in. Our fingertips are a lot more prone to being changed by injury than our irises are. Cuts on fingertips make successful fingerprint scanner authentication either difficult or impossible. Also, hands are prone to getting dirty or sweaty, whereas our irises usually aren’t.
Another way to use eyes for biometric authentication is retina scanning. A retina scanner shines a light into someone’s eyeball and maps the pattern of blood vessels. Those blood vessel patterns are unique to every individual.
Speaker recognition biometrics are also big, and they’re being implemented into consumer tech. Speaker recognition can be text independent, where an application tries to identify a subject by their voice rather than by what they say. Text dependent speaker recognition actually looks for patterns of words in the subject’s voice. You’ll see this implemented in applications like Alexa on Amazon Echo, Siri in iOS devices, or Google Assistant in Android devices including Google Home, smartphones and tablets.
Background noises can make speaker recognition more difficult, so this technology really works best in a relatively quiet room. Unfortunately, speaker recognition biometrics opens up a huge vulnerability. I can stealthily record anyone’s voice on my phone, and then play the recording back from my phone to the device I’d want to maliciously authenticate to. Oops!
The last common form of biometric authentication is facial recognition. Most of us have unique faces, except perhaps for twins. But even twins may have different mole patterns.
Facial recognition biometrics usually involves taking a photo of someone’s face. That photo is compared to an existing image of the face of the person who has authentication rights. Usually, features like moles and wrinkles are also considered.
Makeup could be used to circumvent early facial recognition technology. More recent facial recognition scanners use thermal imagery. That’s the kind of facial recognition scanner that’s implemented in Apple’s FaceID.
How to cyber attack biometrics
There are some ways that an attacker can evade biometric authentication methods.
Fingerprints can be taken with gummy bears, Silly Putty, or similar plastic laminates. Sometimes a mold can be made from a plastic laminate fingerprint capture. Now you have a device that can hack fingerprint scanning. But that technique may be able to be mitigated if the fingerprint scanning device checks for a pulse.
Iris scanners can often be evaded by using a photo with the target’s eye. When the photo is high quality printed on paper, a wet contact lens can be put on it to mimic how light reflects on a real eye.
Biometric data can also be taken from a target’s device and then exported in order to maliciously authenticate.
Cellebrite was able to penetrate the “Secure Enclave” on iPhone 4S, 5, 5C, 6, and 6 Plus devices.
It takes a lot of work and specific expertise to do what they did - it’s not script kiddie stuff.
Biometrically protected Android devices could be circumvented through the Qualcomm vulnerability. This cyber attack method decrypted Android’s Full Disk Encryption feature. From ZDNet:
“This week, Security researcher Gal Beniamini revealed in a detailed step-by-step guide how it is possible to strip away the encryption protections on smartphones powered by Qualcomm Snapdragon processors, which means millions of mobile devices could be vulnerable to attack.”
Android's Full Disk Encryption (FDE), first implemented in Android 5.0, randomly generates a 128-bit master key and 128-bit salt to protect user data. The master key, also known as the Device Encryption Key (DEK), is protected by encryption based on the user's credentials, whether this is a PIN, password, or touchscreen pattern.
The now-encrypted DEK is then stored on the device.
In order to prevent successful brute-force attacks against this process, Android introduced delays between decryption attempts and data wipes after a number of failed attempts (in the same way as Apple). To prevent off-device, brute-force attacks, the key is bound to the device's hardware -- and this is where a security flaw in Qualcomm systems has caused a problem.”
Biometric authentication technology is promising. Not having to remember a password or use some sort of physical key is a convenience that can likely improve security if properly implemented. But biometrics can also be very vulnerable to attack. And unlike a password, it’s hard to change your biometrics.
Given how common biometric technology is in smartphones these days, there are a few basic things consumers can do to better secure their devices.
Consider using a fingerprint resistant phone or tablet cover. That’ll make it more difficult for an attacker to acquire your fingerprints. Stop using your index finger or thumb with fingerprint scanners. If you use a less frequently used finger, it’ll also be more difficult for an attacker to use your fingerprints. Most of the fingerprints that we leave on surfaces are from our thumbs and index fingers. Users should also consider implementing a second factor of authentication, such as a PIN or password. That may defeat the purpose of not having to use “something you know,” but at least using fingerprints will give you a second factor of authentication security.