Part of my job is to coordinate technical specifications for mobile app development projects with the customers. In the process, I often hear the same question: can we authenticate with the application using biometrics, such as face or fingerprint recognition? There are several perspectives in this regard, but none of them are promising.
In this article, I would like to explain comprehensively why biometric characteristics don’t work for authenticating with information systems, and why they do work on personal devices.
The Volume of Data
Although we live in the age of Big Data, we still cannot ensure accurate biometric authentication via backend services. The main reason simply comes down to the volume of data.
The thing is, the commonplace username-password combo tends to be 30-60 characters long, which is a negligible amount of data to transmit over the Internet. As opposed to this, a fingerprint scan of decent quality is quite a bit of information for the system to send. If you compare it to black-and-white images, the size of a 1024×1024 image with, say, 8-bits-per-pixel color depth, is multiple times larger than the standard username-password combination. When facial recognition is in place, the volume gets even bigger.
However, the process of submitting that much information isn’t the main hurdle. The biggest obstacle is that we need to upload the fingerprints of all users to the backend server’s memory in order to ensure accurate authentication. If we’re talking about a thousand users, that’s theoretically feasible. When it comes to a million users, though, things don’t appear nearly as trivial even for a powerful backend.
Some people will argue that hashing could be the response to this challenge, because it allows you to transform any data entity into a shorter value of fixed length. Unfortunately, the hashing tactic brings us to another issue that will exhaust any super-productive system.
In order to log in using a password, we need to reproduce this password accurately. The data will be submitted and stored in the form of this password’s hash. In plain language, the hash is a string that you can derive from the password, but which cannot have the password derived from it. This protects your sensitive data from being stolen and abused. Therefore, one of the fundamentals of hashing is to complicate the decoding routine.
Even very similar passwords will have absolutely different hashes. For instance, the MD5 hash of the word “Password” is dc647eb65e6711e155375218212b3964, whereas the hash for “password” (with lowercase “p”) is 5f4dcc3b5aa765d61d8327deb882cf99. As you can see, the resulting strings are completely different even for nearly-identical input values.
Biometric scanners don’t allow for 100% accurate scanning. When a user places their finger on the scanner, the slightest offset for a fraction of a millimeter, a change in pressure, skin damage and other circumstances always affect the resulting image. Consequently, the scans of the same finger or face will always be different.
We have learned to recognize the key elements and perform the comparisons based on the presence and location of these elements. Apple’s Face ID technology recognizes up to 30,000 invisible dots. However, it doesn’t mean that all these dots have to match accurately for the authentication to be successful.
So How Does Biometric Authentication Actually Work?
Here’s the thing: fingerprint-based authentication relies on what’s called fuzzy string searching. This type of search routine is aimed at finding elements that resemble each other approximately rather than exactly. For instance, a 90% image match is a very good result for authentication via a fingerprint, and it effectively designates that we’re dealing with the actual fingerprint owner. Nevertheless, that person’s fingerprint is still 10% different than the benchmark image, which means we get an absolutely different hash and can’t store the data safely.
To top it off, we will have to store the data as a whole, because a hash function that generates close matches for similar character combinations doesn’t meet the common security requirements and cannot be considered a reliable hash function.
Even if we manage to somehow describe the data by means of an “approximate” hash, we will face yet another nontrivial issue.
Similarity of Biometric Parameters
All of us have run into unfamiliar people who bear a striking resemblance to someone we know. There are ethnic groups with very few anthropological types, where the probability of a match is appreciable. For a fingerprint, the likelihood of 100% match is about 1/640,000,000,000 (this can be a somewhat inaccurate estimate, but the ratio is actually negligible). When fuzzy string searching steps in, though, things look entirely different.
Imagine the following situation: you’ve been stung by a swarm of bees! Your swollen face will probably look more like someone else’s than like yours.
Speaking of authentication in the context of hundreds of millions of users, a fuzzy string searching system is likely to pick a person who resembles you on a photo more than you resemble yourself on that photo.
However, even if we succeed in performing facial recognition with absolute accuracy and even if we find a way to ensure 100% fingerprint matching accuracy, there is one more hurdle that we can’t possibly overcome.
Unique biometric characteristics that allow for identifying a user with 100% accuracy are both on the plus and the minus side of authentication at the same time. This type of approach implies that you cannot change biometric characteristics like you can change a password – you have them since birth.
Ethical Hacking Training – Resources (InfoSec)
Moreover, our biometric data is always available to an external observer. We are constantly leaving our fingerprints, photos of our faces and DNA traces from our hair and nails. We are doing it permanently without even noticing it.
Imagine facial recognition on a mobile device 15 years ago. In the age of the 0.3-megapixel cameras most of these devices were equipped with, it was very difficult to obtain a picture of your face of decent quality. Nowadays, the average cheap smartphone provides photo quality hundreds of times higher. This means modern gadgets make it so much easier to fabricate the image of a face than several years ago. The endless race in pursuit of enhancing various external scanners further aggravates the problem, and we will have to update authentication data as new forgery techniques splash onto the scene.
If criminals obtain your sensitive information, you can’t instantly change it. Even if you can, it’s very difficult to inform all the systems about the compromise. It’s much simpler to use different passwords for authenticating with different systems, isn’t it?
In summary, here are a few key hurdles to biometric authentication:
- Large volume of data
- Inaccurate matching
- Different people having similar biometric characteristics
- High probability of compromise
Conclusion: Biometrics on Personal Devices
Nevertheless, the use of biometrics on personal devices makes perfect sense. None of the above caveats is an issue for small user sets, so there shouldn’t be any serious security concerns in such a scenario.
Furthermore, major players use password-based authentication as additional security. Huawei products request a password every three days if biometric unlocking is enabled. E-banking applications use biometric authentication after the customer has logged in, thus simply adding an extra layer of security to the whole process.
Currently, biometric authentication isn’t used for completing financial transactions. However, if that changes, it’ll be very interesting to see the outcome.