This article in government security identifies several methods by which a biometric-based identity solution can be hacked and is well worth a read if you want to become better educated regarding the every changing attack vectors now targeting biometrics. However, Mercator’s comments below try to provide more nuance. We suggest that security tech is advancing even as criminals improve their game and that when the assets under management become more valuable, the biometric risks built into consumer handsets actually become less important because that higher risk situation demands additional layers of security be implemented. There will never be a one security fits all solution.
By indicating that Mercator agrees that it is foolish to maintain a honeypot of fingerprint templates in a database. This is just begging hackers to come and get them. But Mercator also believes that new mobile phones operating software, implemented on a platform with an appropriate Trusted Execution Environment, will prove to be as hardened as many existing dongle solutions. While I have not seen tests conducted against Samsungs KNOX security, designed jointly with IBM, I trust KNOX either approaches or exceeds the security level associated with some dongle implementations.
The article also indicates that AI will enable bad actors to find new methods of hacking into existing environments:
“AI IS MAKING SECURITY HARDER
In recent years, new biometric systems that incorporate AI have really come to the forefront of consumer electronics. Think: smart cameras with built-in AI capability to recognise and track specific faces.
But AI is a double-edged sword. While new developments, such as deep artificial neural networks, have enhanced the performance of biometric systems, potential threats could arise from the integration of AI.
For example, researchers at New York University created a tool called DeepMasterPrints. It uses deep learning techniques to generate fake fingerprints that can unlock a large number of mobile devices. It’s similar to the way that a master key can unlock every door.
Researchers have also demonstrated how deep artificial neural networks can be trained so that the original biometric inputs (such as the image of a person’s face) can be obtained from the stored template data.
NEW DATA PROTECTION TECHNIQUES ARE NEEDED
Thwarting these types of threats is one of the most pressing issues facing designers of secure AI-based biometric recognition systems.
Existing encryption techniques designed for non AI-based biometric systems are incompatible with AI-based biometric systems. So new protection techniques are needed.
Academic researchers and biometric scanner manufacturers should work together to secure users’ sensitive biometric template data, thus minimizing the risk to users’ privacy and identity.”
The ever-changing attacks launched by criminals will indeed escalate with the use of machine learning models. This is true for every deployed security method and vigilance is required. But the question Mercator believes gets overlooked too frequently remains the same; “how valuable is the asset being secured and what will we pay to protect it?”
Secrets that put the world at risk will be secured better than my bank balance. At the top of that scale is probably the nuclear launch codes. But shouldn’t the security team at a Fortune 500 company also develop a special security protocol for the SVP of Treasury? After considering the many vectors that put the company at risk it is likely that off-the-shelf biometrics are not viable. Note that the cost of a custom authentication method will look like a rounding error after taking that individuals physical security into account. Indeed Mercator is aware of several recent criminal acts achieved using physical threats to family and self and few off-the-shelf solutions will mitigate this risk.
All that said, for the broadest swath of US citizens the biometric capability in a new mobile phone that uses FIDO and WebAuthn is far more secure than the traditional password. Consider the fact that most web sites use a One Time Password sent over the already deprecated SMS transport to perform password recovery and that biometric then starts to look so much better!
One last thought. Just as criminals advance the state of the art so do security professionals. Banks today rarely rely on just the phone’s password. They embed device identity software that validates the phone remains secure and some even perform behavioral biometrics alongside traditional biometrics. This increases the reliability of detecting identity properly.