The Main Concerns with Biometric Authentication
Part of my job is to coordinate technical specifications for mobile app development projects with the customers. In the process, I often hear the same question: can we authenticate with the application using biometrics, such as face or fingerprint recognition? There are several perspectives in this regard, but none of them are promising.
In this article, I would like to explain comprehensively why biometric characteristics don't work for authenticating with information systems, and why they do work on personal devices.
What should you learn next?
The Volume of Data
Although we live in the age of Big Data, we still cannot ensure accurate biometric authentication via backend services. The main reason simply comes down to the volume of data.
The thing is, the commonplace username-password combo tends to be 30-60 characters long, which is a negligible amount of data to transmit over the Internet. As opposed to this, a fingerprint scan of decent quality is quite a bit of information for the system to send. If you compare it to black-and-white images, the size of a 1024x1024 image with, say, 8-bits-per-pixel color depth, is multiple times larger than the standard username-password combination. When facial recognition is in place, the volume gets even bigger.
However, the process of submitting that much information isn't the main hurdle. The biggest obstacle is that we need to upload the fingerprints of all users to the backend server's memory in order to ensure accurate authentication. If we're talking about a thousand users, that's theoretically feasible. When it comes to a million users, though, things don't appear nearly as trivial even for a powerful backend.
Some people will argue that hashing could be the response to this challenge, because it allows you to transform any data entity into a shorter value of fixed length. Unfortunately, the hashing tactic brings us to another issue that will exhaust any super-productive system.
Inaccurate Matching
In order to log in using a password, we need to reproduce this password accurately. The data will be submitted and stored in the form of this password's hash. In plain language, the hash is a string that you can derive from the password, but which cannot have the password derived from it. This protects your sensitive data from being stolen and abused. Therefore, one of the fundamentals of hashing is to complicate the decoding routine.
Even very similar passwords will have absolutely different hashes. For instance, the MD5 hash of the word "Password" is dc647eb65e6711e155375218212b3964, whereas the hash for "password" (with lowercase "p") is 5f4dcc3b5aa765d61d8327deb882cf99. As you can see, the resulting strings are completely different even for nearly-identical input values.
Biometric scanners don't allow for 100% accurate scanning. When a user places their finger on the scanner, the slightest offset for a fraction of a millimeter, a change in pressure, skin damage and other circumstances always affect the resulting image. Consequently, the scans of the same finger or face will always be different.
We have learned to recognize the key elements and perform the comparisons based on the presence and location of these elements. Apple's Face ID technology recognizes up to 30,000 invisible dots. However, it doesn't mean that all these dots have to match accurately for the authentication to be successful.
So How Does Biometric Authentication Actually Work?
Here's the thing: fingerprint-based authentication relies on what's called fuzzy string searching. This type of search routine is aimed at finding elements that resemble each other approximately rather than exactly. For instance, a 90% image match is a very good result for authentication via a fingerprint, and it effectively designates that we're dealing with the actual fingerprint owner. Nevertheless, that person's fingerprint is still 10% different than the benchmark image, which means we get an absolutely different hash and can't store the data safely.
To top it off, we will have to store the data as a whole, because a hash function that generates close matches for similar character combinations doesn't meet the common security requirements and cannot be considered a reliable hash function.
Even if we manage to somehow describe the data by means of an "approximate" hash, we will face yet another nontrivial issue.
Similarity of Biometric Parameters
All of us have run into unfamiliar people who bear a striking resemblance to someone we know. There are ethnic groups with very few anthropological types, where the probability of a match is appreciable. For a fingerprint, the likelihood of 100% match is about 1/640,000,000,000 (this can be a somewhat inaccurate estimate, but the ratio is actually negligible). When fuzzy string searching steps in, though, things look entirely different.
Imagine the following situation: you've been stung by a swarm of bees! Your swollen face will probably look more like someone else's than like yours.
Speaking of authentication in the context of hundreds of millions of users, a fuzzy string searching system is likely to pick a person who resembles you on a photo more than you resemble yourself on that photo.
However, even if we succeed in performing facial recognition with absolute accuracy and even if we find a way to ensure 100% fingerprint matching accuracy, there is one more hurdle that we can't possibly overcome.
Data Breaches
Unique biometric characteristics that allow for identifying a user with 100% accuracy are both on the plus and the minus side of authentication at the same time. This type of approach implies that you cannot change biometric characteristics like you can change a password – you have them since birth.
Moreover, our biometric data is always available to an external observer. We are constantly leaving our fingerprints, photos of our faces and DNA traces from our hair and nails. We are doing it permanently without even noticing it.
Imagine facial recognition on a mobile device 15 years ago. In the age of the 0.3-megapixel cameras most of these devices were equipped with, it was very difficult to obtain a picture of your face of decent quality. Nowadays, the average cheap smartphone provides photo quality hundreds of times higher. This means modern gadgets make it so much easier to fabricate the image of a face than several years ago. The endless race in pursuit of enhancing various external scanners further aggravates the problem, and we will have to update authentication data as new forgery techniques splash onto the scene.
If criminals obtain your sensitive information, you can't instantly change it. Even if you can, it's very difficult to inform all the systems about the compromise. It's much simpler to use different passwords for authenticating with different systems, isn't it?
In summary, here are a few key hurdles to biometric authentication:
- Large volume of data
- Inaccurate matching
- Different people having similar biometric characteristics
- High probability of compromise
Conclusion: Biometrics on Personal Devices
Nevertheless, the use of biometrics on personal devices makes perfect sense. None of the above caveats is an issue for small user sets, so there shouldn't be any serious security concerns in such a scenario.
Furthermore, major players use password-based authentication as additional security. Huawei products request a password every three days if biometric unlocking is enabled. E-banking applications use biometric authentication after the customer has logged in, thus simply adding an extra layer of security to the whole process.
FREE role-guided training plans
Currently, biometric authentication isn't used for completing financial transactions. However, if that changes, it'll be very interesting to see the outcome.
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- The Main Concerns with Biometric Authentication
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security