If you work in IT security, the first part of this will not be news to you, skip to the section on the future. Otherwise, the first sections look at the current state of biometrics and some of what we already know about their security limitations.
I just read an article on fingerprint recognition. Biometrics has been hailed by some as a wonderful way of determining someone’s identity, and by others as a security mechanism that is far too easy to spoof. I generally fall in the second category. I don’t mind using it for simple unimportant things like turning on my tablet, on which I keep nothing sensitive, but so far I would never trust it as part of any system that gives access to my money or sensitive files.
My own history is that voice recognition still doesn’t work for me, fingerprints don’t work for me, and face recognition doesn’t work for me. Iris scan recognition does, but I don’t trust that either. Let’s take a quick look at conventional biometrics today and the near future.
I use a Google Nexus, made by Samsung. Samsung is in the news today because their Galaxy S5 fingerprint sensor was hacked by SRLabs minutes after release, not the most promising endorsement of their security competence.
This article says the sensor is used in the user authentication to access Paypal. That is really not good. I expect quite a few engineers at Samsung are working very hard indeed today. I expect they thought they had tested it thoroughly, and their engineers know a thing or two about security. Every engineer knows you can photograph a fingerprint and print a replica in silicone or glue or whatever. It’s the first topic of discussion at any Biometrics 101 meeting. I would assume they tested for that. I assume they would not release something they expected to bring instant embarrassment on their company, especially something failing by that classic mechanism. Yet according to this article, that seems to be the case. Given that Samsung is one of the most advanced technology companies out there, and that they can be assumed to have made reasonable effort to get it right, that doesn’t offer much hope for fingerprint recognition. If they don’t do it right, who will?
My own experience with fingerprint recognition history is having to join a special queue every day at Universal Studios because their fingerprint recognition entry system never once recognised me or my child. So I have never liked it because of false negatives. For those people for whom it does work, their fingerprints are all over the place, some in high quality, and can easily be obtained and replicated.
As just one token in multi-factor authentication, it may yet have some potential, but as a primary access key, not a chance. It will probably remain be a weak authenticator.
There are many ways of recognizing faces – visible light, infrared or UV, bone structure, face shapes, skin texture patterns, lip-prints, facial gesture sequences… These could be combined in simultaneous multi-factor authentication. The technology isn’t there yet, but it offers more hope than fingerprint recognition. Using the face alone is no good though. You can make masks from high-resolution photographs of people, and photos could be made using the same spectrum known to be used in recognition systems. Adding gestures is a nice idea, but in a world where cameras are becoming ubiquitous, it wouldn’t be too hard to capture the sequence you use. Pretending that a mask is alive by adding sensing and then using video to detect any inspection for pulse or blood flows or gesture requests and then to provide appropriate response is entirely feasible, though it would deter casual entry. So I am not encouraged to believe it would be secure unless and until some cleverer innovation occurs.
What I do know is that I set my tablet up to recognize me and it works about one time in five. The rest of the time I have to wait till it fails and then type in a PIN. So on average, it actually slows entry down. False negative again. Giving lots of false negatives without the reward of avoiding false positives is not a good combination.
I was a subject in one of the early trials for iris recognition. It seemed very promising. It always recognized me and never confused me with someone else. That was a very small scale trial though so I’d need a lot more convincing before I let it near my bank account. I saw the problem of replication an iris using a high quality printer and was assured that that couldn’t work because the system checks for the eye being alive by watching for jitter and shining a light and watching for pupil contraction. Call me too suspicious but I didn’t and don’t find that at all reassuring. It won’t be too long before we can make a thin sheet high-res polymer display layered onto a polymer gel underlayer that contracts under electric field, with light sensors built in and some software analysis for real time response. You could even do it as part of a mask with the rest of the face also faithfully mimicking all the textures, real-time responses, blood flow mimicking, gesture sequences and so on. If the prize is valuable enough to justify the effort, every aspect of the eyes, face and fingerprints could be mimicked. It may be more Mission Impossible than casual high street robbery but I can’t yet have any confidence that any part of the face or gestures would offer good security.
We hear frequently that DNA is a superbly secure authenticator. Every one of your cells can identify you. You almost certainly leave a few cells at the scene of a crime so can be caught, and because your DNA is unique, it must have been you that did it. Perfect, yes? And because it is such a perfect authenticator, it could be used confidently to police entry to secure systems.
No! First, even for a criminal trial, only a few parts of your DNA are checked, they don’t do an entire genome match. That already brings the chances of a match down to millions rather than billions. A chance of millions to one sounds impressive to a jury until you look at the figure from the other direction. If you have 1 in 70 million chance of a match, a prosecution barrister might try to present that as a 70 million to 1 chance that you’re guilty and a juror may well be taken in. The other side of that is that 100 people of the 7 billion would have that same 1 in 70 million match. So your competent defense barrister should present that as only a 1 in 100 chance that it was you. Not quite so impressive.
I doubt a DNA system used commercially for security systems would be as sophisticated as one used in forensic labs. It will be many years before an instant response using large parts of your genome could be made economic. But what then? Still no. You leave DNA everywhere you go, all day, every day. I find it amazing that it is permitted as evidence in trials, because it is so easy to get hold of someone’s hairs or skin flakes. You could gather hairs or skin flakes from any bus seat or hotel bathroom or bed. Any maid in a big hotel or any airline cabin attendant could gather packets of tissue and hair samples and in many cases could even attach a name to them. Your DNA could be found at the scene of any crime having been planted there by someone who simply wanted to deflect attention from themselves and get someone else convicted instead of them. They don’t even need to know who you are. And the police can tick the crime solved box as long as someone gets convicted. It doesn’t have to be the culprit. Think you have nothing to fear if you have done nothing wrong? Think again.
If someone wants to get access to an account, but doesn’t mind whose, perhaps a DNA-based entry system would offer good potential, because people perceive it as secure, whereas it simply isn’t. So it might not be paired with other secure factors. Going back to the maid or cabin attendant. Both are low paid. A few might welcome some black market bonuses if they can collect good quality samples with a name attached, especially a name of someone staying in a posh suite, probably with a nice account or two, or privy to valuable information. Especially if they also gather their fingerprints at the same time. Knowing who they are, getting a high res pic of their face and eyes off the net, along with some voice samples from videos, then making a mask, iris replica, fingerprint and if you’re lucky also buying video of their gesture patterns from the black market, you could make an almost perfect multi-factor biometric spoof.
It also becomes quickly obvious that the people who are the most valuable or important are also the people who are most vulnerable to such high quality spoofing.
So I am not impressed with biometric authentication. It sounds good at first, but biometrics are too easy to access and mimic. Other security vulnerabilities apply in sequence too. If your biometric is being measured and sent across a network for authentication, all the other usual IT vulnerabilities still apply. The signal could be intercepted and stored, replicated another time, and you can’t change your body much, so once your iris has been photographed or your fingerprint stored and hacked, it is useless for ever. The same goes for the other biometrics.
Signatures, gestures and facial expressions offer at least the chance to change them. If you signature has been used, you could start using a new one. You could sign different phrases each time, as a personal one-time key. You could invent new gesture sequences. These are really just an equivalent to passwords. You have to remember them and which one you use for which system. You don’t want a street seller using your signature to verify a tiny transaction and then risk the seller using the same signature to get right into your account.
Summary of status quo
This all brings us back to the most basic of security practice. You can only use static biometrics safely as a small part of a multi-factor system, and you have to use different dynamic biometrics such as gestures or signatures on a one time basis for each system, just as you do with passwords. At best, they provide a simple alternative to a simple password. At worst, they pair low actual security with the illusion of high security, and that is a very bad combination indeed.
So without major progress, biometrics in its conventional meaning doesn’t seem to have much of a future. If it is not much more than a novelty or a toy, and can only be used safely in conjunction with some proper security system, why bother at all?
You can’t easily change your eyes or your DNA or you skin, but you can add things to your body that are similar to biometrics or interact with it but offer the flexibility and replaceability of electronics.
I have written frequently about active skin, using the skin as a platform for electronics, and I believe the various layers of it offer the best potential for security technology.
Long ago, RFID chips implants became commonplace in pets and some people even had them inserted too. RFID variants could easily be printed on a membrane and stuck onto the skin surface. They could be used for one time keys too, changing each time they are used. Adding accelerometers, magnetometers, pressure sensors or even location sensors could all offer ways of enhancing security options. Active skin allows easy combination of fingerprints with other factors.
Ultra-thin and uninvasive security patches could be stuck onto the skin, and could not be removed without damaging them, so would offer a potentially valuable platform. Pretty much any kinds and combinations of electronics could be used in them. They could easily be made to have a certain lifetime. Very thin ones could wash off after a few days so could be useful for theme park entry during holidays or for short term contractors. Banks could offer stick on electronic patches that change fundamentally how they work every month, making it very hard to hack them.
Active skin can go inside the skin too, not just on the surface. You could for example have an electronic circuit or an array of micro-scale magnets embedded among the skin cells in your fingertip. Your fingerprint alone could easily be copied and spoofed, but not the accompanying electronic interactivity from the active skin that can be interrogated at the same time. Active skin could measure all sorts of properties of the body too, so personal body chemistry at a particular time could be used. In fact, medical monitoring is the first key development area for active skin, so we’re likely to have a lot of body data available that could make new biometrics. The key advantage here is that skin cells are very large compared to electronic feature sizes. A decent processor or memory can be made around the size of one skin cell and many could be combined using infrared optics within the skin. Temperature or chemical gradients between inner and outer skin layers could be used to power devices too.
If you are signing something, the signature could be accompanied by a signal from the fingertip, sufficiently close to the surface being signed to be useful. A ring on a finger could also offer a voluminous security electronics platform to house any number of sensors, memory and processors.
Skin itself offers a reasonable communications route, able to carry a few Mbit’s of data stream, so touching something could allow a lot of data transfer very quickly. A smart watch or any other piece of digital jewelry or active skin security patch could use your fingertip to send an authentication sequence. The watch would know who you are by constant proximity and via its own authentication tools. It could easily be unauthorized instantly when detached or via a remote command.
Active makeup offer a novel mechanism too. Makeup will soon exist that uses particles that can change color or alignment under electronic control, potentially allowing video rate pattern changes. While that makes for fun makeup, it also allows for sophisticated visual authentication sequences using one-time keys. Makeup doesn’t have to be confined only to the face of course, and security makeup could maybe be used on the forearm or hands. Combining with static biometrics, many-factor authentication could be implemented.
I believe active skin, using membranes added or printed onto and even within the skin, together with the use of capsules, electronic jewelry, and even active makeup offers the future potential to implement extremely secure personal authentication systems. This pseudo-biometric authentication offers infinitely more flexibility and changeability than the body itself, but because it is attached to the body, offers much the same ease of use and constant presence as other biometrics.
Biometrics may be pretty useless as it is, but the field does certainly have a future. We just need to add some bits. The endless potential variety of those bits and their combinations makes the available creativity space vast.
great article and thanks for your great inputs
Pingback: Unieke wachtwoorden, multifactor en OAuth. Noodzakelijk maar eenvoudig