Biometrics are quickly becoming one of the most common methods for identity and access management (IAM), with over 85% of people interested in using biometrics to verify identity. This popularity is due in large part to the convenience and security offered by using a biometric over a password or token. As biometrics are adopted at a greater rate, the technology backing them is advancing as well. While we may see scenes in movies where masks are used to dupe a face scanner, the reality of hacking a biometric measurement is much more difficult. New techniques like liveness detection and innovative ways of storing the measurements have raised the bar for security and made hackers’ lives far more difficult.
How It Works
Liveness detection uses algorithms designed to look for authenticity in the biometric being used. For example, rather than just comparing the pattern of the fingerprint itself, a fingerprint scan with liveness detection also looks for other indicators of life. Liveness detection can identify slight differences in the fingerprint due to skin flexibility, or it can detect the presence of sweat and pores in the skin. Many methods can detect blood flow beneath the fingerprint or see vein patterns under the skin. By examining the composition of the biometric being used, and not just the fingerprint pattern, these systems are able to avoid presentation attacks, where a false version of a biometric is presented to a scanner.
These new approaches to presentation attack detection (PAD) rely upon the ability to collect a much larger number of data points, which contributes to both the security and flexibility of the system. For example, when using a face scan, companies are employing 3D models where a user needs to move their head around, showing data points in three dimensions rather than a static 2D image. A study published in the National Library of Medicine shows that using methods like motion analysis resulted in a 97% success rate in correctly identifying live versus fake biometrics. As our ability to take in thousands of data points to analyze a face, fingerprint, or voice grows, so too does our ability to prove liveness. Even if a hacker somehow gains access to a user’s fingerprint or a picture of their face, the process for replicating and then using it in a way that also passes liveness detection is nearly impossible.
How the Information is Stored Matters
Another method being used to prevent attacks is storing the biometric measurements in such a way that they cannot be replicated if hacked. Centrally stored biometric systems keep measurements with the company granting access, and this has led to concerns about what happens if there is a breach where the biometrics are stored. However, systems like identity-bound biometrics (IBB) have addressed this by storing templates rather than the direct measurements themselves. When a biometric is enrolled in the system, it is sent through an algorithm and then saved as a template that doesn’t resemble the measurement itself. Like a lock and key, the biometric can now be paired with the template to verify an identity and grant access to the system without the biometric being saved directly to the server. All of this means that even if a breach occurs, the hacker won’t have access to a real person’s biometric measurement and would not be able to attempt to replicate the fingerprint or face of a user.
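The sketch below is an added example, not code from this article or from any IBB product: it illustrates template storage with a random-projection "cancelable template", one published approach, since the article does not say which algorithm is used. The feature vectors, key names, template length and match threshold are all constructed assumptions.

```python
import hashlib
import random

BITS = 128        # template length in bits (assumed for this sketch)
THRESHOLD = 0.25  # max fraction of differing bits accepted as a match (assumed)

def _projection(user_key: bytes, dim: int):
    """Derive a per-user random projection matrix from a revocable key."""
    seed = int.from_bytes(hashlib.sha256(user_key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(BITS)]

def make_template(features, user_key: bytes):
    """Keep only the sign of each projection; the raw feature values are discarded."""
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0
            for row in _projection(user_key, len(features))]

def distance(t1, t2) -> float:
    """Fraction of template bits that differ (normalized Hamming distance)."""
    return sum(a != b for a, b in zip(t1, t2)) / len(t1)

def verify(features, user_key: bytes, stored_template) -> bool:
    """Re-derive a template from a fresh scan and compare it to the stored one."""
    fresh = make_template(features, user_key)
    return distance(fresh, stored_template) <= THRESHOLD

# Constructed sample data: 32-value vectors standing in for a scanner's feature output.
_rng = random.Random(7)
alice_enroll = [_rng.uniform(-1, 1) for _ in range(32)]
alice_again = [x + _rng.gauss(0, 0.05) for x in alice_enroll]  # same finger, sensor noise
someone_else = [_rng.uniform(-1, 1) for _ in range(32)]

# The only thing the server keeps at enrollment is this bit string.
stored = make_template(alice_enroll, b"alice-key-v1")

if __name__ == "__main__":
    print("same finger accepted: ", verify(alice_again, b"alice-key-v1", stored))
    print("other finger accepted:", verify(someone_else, b"alice-key-v1", stored))
    # After a breach, re-enroll under a new key: the leaked template no longer matches.
    reissued = make_template(alice_enroll, b"alice-key-v2")
    print("leaked vs reissued distance:", distance(stored, reissued))
```

Unlike a password hash, the comparison has to tolerate scan-to-scan noise, which is why matching uses a distance threshold instead of an exact equality check.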
Continuing to Advance in Biometrics
To hack a password, all that needs to happen is finding the right combination of letters and numbers. With advances in technology, hacking a biometric has become a completely new game. Even having access to a person’s exact biometric measurements is no longer enough to fool a biometric scanner. The amount of time, effort, and expertise needed to even attempt to break through liveness detection creates a huge barrier for would-be threat actors. Storing the biometric as a template makes stealing the data in a breach worthless. As hackers become more and more sophisticated, so too does the way in which we safeguard our data and identities.