Authentication in and outside of computing can be done in
one of three ways. It can be based on something you know, such as a password.
It can be based on something you have, such as a keycard. Or it can be based on
something that you are. That’s where biometrics comes in.
The use of biometrics predates computers. Around 100 B.C.,
Chinese emperor Ts’In left his fingerprint as a seal on important prehistoric
artifacts. In the 1800s, Alphonse Bertillon initiated the process of taking
anatomical measurements of crime suspects in order to recognize reoffending
Fingerprints were the first consistently deployed biometrics
in modern times. Police in the UK started tracking criminals and crime suspects
with fingerprints in 1901. French police and New York followed in 1902. By
1924, fingerprints started to be used by the FBI. That’s a lot of inky fingers!
Biometric authentication in computer systems
There are three basic types of fingerprint scanners used
today. They are capacitive, ultrasound, and optical.
Capacitive fingerprint scanners measure electrical signals
that are sent from our fingers. The electrical signals come from the raised
parts of our fingerprints, such as the little swirly marks on mine. Air gaps
are formed from the valleys between the raised parts. The nearly unique design
of our fingerprints is then electronically mapped out. Capacitive fingerprint
scanners are most commonly seen built into business laptops and smartphones.
Ultrasound fingerprint scanners send sound waves to our
fingertips. The way sound waves ricochet against our fingerprints is used to
map them accurately. Some newer smartphones are using this technology.
Optical fingerprint scanners simply take photos of our
fingertips and scan the photos in order to identify a fingerprint pattern. You
might see these types of scanners on devices like the fingerprint scanners on
heavily secured doors.
Many fingerprint scanners can check for a pulse in someone’s
finger so that they are not vulnerable to the old trick of lifting someone
else’s fingerprint with a gummy bear.
The other more common form of biometric authentication in
computer systems is the iris scanner. The patterns in our irises are pretty much
unique and seldom change over the course of our lifetimes. But obviously if
someone is wearing cosmetic contact lenses or sunglasses, they will need to
remove them in order to properly authenticate with an iris scanner.
One potential problem with iris scanners is that they can
sometimes be hacked by using a high-quality photo of someone’s eye.
One advantage that iris scanners have over fingerprint
scanners is that we leave our fingerprints on everything we touch without
gloves. That may be where the gummy bear trick comes in. Our fingertips are a
lot more prone to being changed by injury than our irises are. Cuts on
fingertips make successful fingerprint scanner authentication either difficult
or impossible. Also, hands are prone to getting dirty or sweaty, whereas our
irises usually aren’t.
Another way to use eyes for biometric authentication is
retina scanning. A retina scanner shines a light into someone’s eyeball and
maps the pattern of blood vessels. Those blood vessel patterns are unique to
Speaker recognition biometrics are also big, and they’re
being built into consumer tech. Speaker recognition can be text-independent,
where an application tries to identify a subject by their voice
rather than by what they say. Text-dependent speaker recognition actually looks
for patterns of words in the subject’s voice. You’ll see this implemented in
applications like Alexa on Amazon Echo, Siri in iOS devices, or Google
Assistant in Android devices including Google Home, smartphones and tablets.
Background noises can make speaker recognition more
difficult, so this technology really works best in a relatively quiet room.
Unfortunately, speaker recognition biometrics opens up a huge vulnerability. I
can stealthily record anyone’s voice on my phone, and then play the recording
back from my phone to the device I’d want to maliciously authenticate to. Oops!
The last common form of biometric authentication is facial
recognition. Most of us have unique faces, except perhaps for twins. But even
twins may have different mole patterns.
Facial recognition biometrics usually involves taking a
photo of someone’s face. That photo is compared to an existing image of the
face of the person who has authentication rights. Usually, features like moles
and wrinkles are also considered.
Makeup could be used to circumvent early facial recognition
technology. More recent facial recognition scanners use thermal imagery. That’s
the kind of facial recognition scanner that’s implemented in Apple’s Face ID.
How to cyber attack biometrics
There are some ways that an attacker can evade biometric
Fingerprints can be taken with gummy bears, Silly Putty, or
similar plastic laminates. Sometimes a mold can be made from a plastic laminate
fingerprint capture. Now you have a device that can hack fingerprint scanning.
But that technique may be mitigated if the fingerprint scanning
device checks for a pulse.
Iris scanners can often be evaded by using a photo of the
target’s eye. When a high-quality photo is printed on paper, a wet contact
lens can be put on it to mimic how light reflects on a real eye.
Biometric data can also be taken from a target’s device and
then exported in order to maliciously authenticate.
Cellebrite was able to penetrate the “Secure Enclave” on
iPhone 4S, 5, 5C, 6, and 6 Plus devices.
It takes a lot of work and specific expertise to do what
they did - it’s not script kiddie stuff.
Biometrically protected Android devices could be
circumvented through the Qualcomm vulnerability. This cyber attack method
decrypted Android’s Full Disk Encryption feature. From ZDNet:
“This week, Security researcher Gal Beniamini revealed in a detailed step-by-step guide how it is possible
to strip away the encryption protections on smartphones powered by Qualcomm
Snapdragon processors, which means millions of mobile devices could be
vulnerable to attack.”
“Android's Full Disk Encryption (FDE), first implemented in
Android 5.0, randomly generates a 128-bit master key and 128-bit salt to
protect user data. The master key, also known as the Device Encryption Key
(DEK), is protected by encryption based on the user's credentials, whether this
is a PIN, password, or touchscreen pattern.
The now-encrypted DEK is then stored on the device.
In order to prevent successful brute-force attacks against
this process, Android introduced delays between decryption attempts and data
wipes after a number of failed attempts (in the same way as Apple). To prevent
off-device, brute-force attacks, the key is bound to the device's hardware --
and this is where a security flaw in Qualcomm systems has caused a problem.”
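The key wrapping described in the quote above, modelled as an added example (not code from ZDNet, Android, or the original post): a 128-bit DEK is wrapped under a key derived from a PIN and salt, once without and once with a device-held key mixed in, to show what hardware binding protects. PBKDF2, the XOR/HMAC wrap, `hw_key`, and the sample PIN are assumptions chosen so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

def derive_kek(pin, salt, hw_key=None):
    """Key-encryption key from the credential and salt, optionally device-bound."""
    # PBKDF2 is a stand-in KDF; the iteration count is kept low so the demo runs fast.
    kek = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100, dklen=32)
    if hw_key is not None:
        # Stand-in for the hardware step: mix in a key that never leaves the device.
        kek = hmac.new(hw_key, kek, hashlib.sha256).digest()
    return kek

def _keystream(kek):
    return hashlib.sha256(kek + b"wrap").digest()[:16]

def wrap_dek(dek, kek):
    """Toy wrap (XOR keystream + HMAC tag), standing in for a real cipher."""
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek)))
    return ct, hmac.new(kek, ct, hashlib.sha256).digest()

def unwrap_dek(blob, kek):
    """Return the DEK, or None when the tag shows the KEK is wrong."""
    ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek)))

def off_device_search(blob, salt):
    """Try every 4-digit PIN using only what is stored on flash (blob + salt)."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if unwrap_dek(blob, derive_kek(pin, salt)) is not None:
            return pin
    return None

def demo():
    # Constructed sample values, not taken from any real device.
    pin, salt = "4821", secrets.token_bytes(16)   # 128-bit salt
    dek = secrets.token_bytes(16)                 # 128-bit master key (DEK)
    hw_key = secrets.token_bytes(32)              # hypothetical device-only key
    unbound = wrap_dek(dek, derive_kek(pin, salt))
    bound = wrap_dek(dek, derive_kek(pin, salt, hw_key))
    on_device_ok = unwrap_dek(bound, derive_kek(pin, salt, hw_key)) == dek
    return off_device_search(unbound, salt), off_device_search(bound, salt), on_device_ok

if __name__ == "__main__":
    print(demo())
```

Without the device-held key the short PIN is the only secret, so a copied blob can be searched exhaustively; with it, the same search finds nothing, which is why extracting the hardware key defeats the protection.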
Biometric authentication technology is promising. Not having
to remember a password or use some sort of physical key is a convenience that
can likely improve security if properly implemented. But biometrics can also be
very vulnerable to attack. And unlike a password, it’s hard to change your
Given how common biometric technology is in smartphones
these days, there are a few basic things consumers can do to better secure
Consider using a fingerprint-resistant phone or tablet
cover. That’ll make it more difficult for an attacker to acquire your
fingerprints. Stop using your index finger or thumb with fingerprint scanners.
If you use a less frequently used finger, it’ll also be more difficult for an
attacker to use your fingerprints. Most of the fingerprints that we leave on
surfaces are from our thumbs and index fingers. Users should also consider
implementing a second factor of authentication, such as a PIN or password. That
may defeat the purpose of not having to use “something you know,” but at least
using fingerprints will give you a second factor of authentication security.