Biometrics Are Not the Answer

January 8, 2019
4 minutes read
Category: Mobile Identity
Author: Stefan Kostić

As it becomes clear that the era of username/password authentication is long gone, more and more companies seem to be turning to biometric authentication, praised as the new best authentication solution.

Certainly safer than passwords and with a better user experience, biometric authentication is bound to see exponential growth in usage in 2019.

But we should be careful. There certainly are many benefits to biometric authentication, especially when compared to the more traditional methods, but it should still be taken with a grain of salt.

So, is it good enough?

Well, we’ve compared various arguments for and against, as well as the simple fact that more effective and secure solutions already exist, and we’ve logically reached the conclusion that - no, biometrics are not the answer.

But, let’s take a step back, and first see how it works.

How biometric authentication works

Biometric authentication is the process of confirming your identity using some unique characteristic of your body based on measurements and calculations.

It works by comparing the biometric data stored on a device with the biometric data of the person trying to access that device.

If the data are nearly identical (since it is impossible for two pieces of biometric data to be exactly identical due to various factors such as sweatiness or scarring), the identity is verified and you are let into the device.  
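The "nearly identical" comparison described above can be sketched as a threshold match against a stored template; this is an added example, not code from this article or from any vendor. It assumes a simplified model in which a template is 256 random bits, a fresh capture of the same trait flips each bit with a fixed probability, and an impostor presents unrelated random bits, and it measures how the chosen tolerance trades false rejections (FRR) against false acceptances (FAR).

```python
import random

BITS = 256  # assumed template length; real feature encodings differ per sensor

def random_template(rng):
    """Constructed stand-in for an enrolled (or an impostor's) feature vector."""
    return [rng.getrandbits(1) for _ in range(BITS)]

def noisy_capture(template, flip_prob, rng):
    """Re-capture of the same trait: each bit flips with probability flip_prob."""
    return [b ^ (rng.random() < flip_prob) for b in template]

def distance(a, b):
    """Fraction of differing bits (normalised Hamming distance)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def matches(enrolled, sample, threshold):
    """Accept when the sample is close enough; threshold 0.0 means exact match."""
    return distance(enrolled, sample) <= threshold

def error_rates(threshold, trials=2000, flip_prob=0.10, seed=1):
    """Return (FRR, FAR) for one threshold over constructed samples."""
    rng = random.Random(seed)  # fixed seed so every threshold sees the same samples
    enrolled = random_template(rng)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        genuine = noisy_capture(enrolled, flip_prob, rng)
        impostor = random_template(rng)
        false_rejects += not matches(enrolled, genuine, threshold)
        false_accepts += matches(enrolled, impostor, threshold)
    return false_rejects / trials, false_accepts / trials

if __name__ == "__main__":
    for noise in (0.10, 0.35):  # clean sensor vs. sweaty or scarred capture
        for t in (0.0, 0.20, 0.40, 0.50):
            frr, far = error_rates(t, flip_prob=noise)
            print(f"noise={noise:.2f} threshold={t:.2f} FRR={frr:.3f} FAR={far:.3f}")
```

Requiring an exact match locks the genuine user out on every attempt, while each loosening of the threshold to tolerate noisier captures can only keep or increase the share of impostor samples accepted.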

If you have bought a cell phone in the last two years, you have most probably tried using biometric authentication. Most phones today support fingerprint and even facial recognition, the two main reasons for the sudden popularity of biometric authentication.

Other means of biometrics include iris scanning and voice recognition.

While this technology seems very exciting, the important factors that come with it shouldn’t be overlooked; they should be carefully analyzed.

Ease of use at the cost of security

We can’t deny the ease of use that comes with biometric authentication, especially compared to passwords. With no typing involved, the verification of your fingerprint takes less than a second on today’s cell phones.

Still, it’s not always rainbows and butterflies. Biometric authentication comes with security risks - it’s very hackable, the technology is not quite there yet and, worst of all, your biometric data could get stolen.

There are numerous ways of hacking biometric authentication, and none are significantly harder than hacking the traditional email - password login or 2FA.

Fingerprints are unique, 80% of the time at least

Fingerprints can be spoofed. All that a hacker needs to find is a high-quality print that contains enough specific patterns to unlock a certain device.

Next, they would lift the fingerprint, and cast it on the laminate to make a mold which can be successfully used to trick fingerprint scanners.

Still, technology progresses. Scanners will certainly progress, but so will other technologies such as machine learning.

Just recently, a study conducted by Michigan State and New York Universities unveiled high levels of vulnerability in biometric authentication used by mobile users all around the world.

Through a neural network trained to create fake human fingerprints, the researchers have synthesized one “Master Print” that could potentially trick this authentication system 20% of the time, which is too high a probability to just let go.

Face ID tricked by 3D masks or even 2D photos depending on your phone

Last year, the Vietnamese security company Bkav showed how easy it was to trick the iPhone’s Face ID using a combination of silicone masks, 3D frames and 2D infrared images of human eyes.

Later, they managed to trick the system again using a mask made out of different materials: a stone powder 3D mask with 2D infrared images of eyes. This method was even more successful.

All this on a top-end device with 30 thousand points of reference for mapping out a user’s face. You can just imagine how easy it is to spoof cheaper phones with lower quality cameras!

Very easy, as it turns out. Inexpensive phones with regular 2D cameras lacking an IR sensor can be spoofed with mere photos printed out or shown on screen!

I believe we can agree that this makes Face ID less secure than fingerprint authentication.

Effective & secure iris and voice recognition technology is still far away

Iris and voice recognition are among the most vulnerable forms of biometric authentication in the mobile world.

There aren’t many phones with iris recognition features out there, and there’s a reason for that - the technology is still not good enough.

All it takes to fool some iris scanners is taking a photo with a cheap camera in night mode or printing any social media photo on paper, and then placing a wet contact lens to mimic the roundness of the eye.

That’s precisely how Samsung’s attempt at iris recognition technology was fooled by German hackers, coincidentally the same group responsible for hacking iPhone’s fingerprint scanner.

As far as voice recognition goes, the technology is lagging behind AI that can be used to mimic people’s voices and fool the system.

In the world of virtual assistants, where privacy is slowly but completely disappearing, it’s needless to say that many of our voice commands have been recorded for the purpose of improving the assistants.

And having even a short recording of your voice is enough for services such as Lyrebird to synthesize your voice and successfully use the fake voice to authenticate.

Biometric data storage issues could lead to identity theft

Usually, the biometric data is stored locally, on the phone. But, the Secure Enclave on iOS devices and the Trusted Execution Environment for Android devices can be hacked as well.

While it may be out of reach for average hackers, it shouldn’t be disregarded as a far-fetched threat.

Moreover, what happens with the biometric data that hospitals or other institutions possess? We don’t even like thinking about the possibilities if that data were hacked.

Not only could it lead to identity theft, but having your biometric data stolen means that you wouldn’t be able to rely on it for authentication for the rest of your life.

Unlike your password, you can’t just replace your iris, voice or fingerprint...

But hey, passwords were used in combination with other information so dual biometrics may just be the answer

Possibly - but what happens with the ease of use then? It’s gone, and a truly modern authentication solution shouldn’t have to sacrifice one for the other.

Our seamless authentication solution offers both.

Relying on the technological capabilities of mobile network operators around the world, IPification doesn’t make compromises between user experience and security.

It uses an algorithm that generates a unique mobile ID including various data provided by the mobile network operator while detecting any SIM card or device changes.

This whole process is seamlessly done in the background within a fraction of a second, and without the need for any action to be taken by the user.

The best part? The technology is available today.