Biometric technologies, are they completely secure?
In recent years, we have witnessed how biometric recognition technologies have been gone into the day-to-day as an additional tool for document security and sensitive data. Biometrics, as a mechanism for identifying and controlling access, appear to be a future (and present) solution to the problems of passwords. Powered by its incorporation into mobile devices (such as the iPhone TouchID), its use is becoming increasingly widespread to several sectors and applications. In fact, the growth of mobile devices with biometric capabilities has been exponential in the last year.
Factors such as security and convenience of use are propitiating adoption in other areas such as mobile banking, online commerce, etc. However, as usually happens when we talk about any new technology, it also generates doubts and mistrust. With the advent of a new technology, anyone is going to ask “what if somebody steals my biometric templates?” These questions can generate prejudice or suspicion if they are not cleared out. In addition, sometimes may happen that this kind of doubts might be amplified by information that is not completely correct and, once disseminated, is very difficult to clarify. Therefore, it is important to transfer the knowledge that helps the better to understand how biometric technologies work and if they are really safe and reliable.
Can somebody steal my biometrics? What happens if my biometric template is stolen once it is stored on my service provider’s servers?
Let’s take the example that a hacker accesses the server where the biometric templates (representation of the unique traits of an individual) are stored and takes the users’ “biometrics”. If we have been talking about a system based on passwords, and there have been a theft, the solution would “simply” be to get rid of the old passwords and generate new ones.
What happens with biometric samples?
Something is totally true and cannot be changed: a person has only one face, so he/she cannot get rid of his face and generate a new one, which a priori constitutes a limitation in case of biometric templates theft. Fortunately, thanks to research in biometric technology, there are techniques for Biometric Template Protection that provide security and privacy guarantees to mitigate these risks. These techniques are focused on getting the biometric templates to fulfil certain properties to make them robust against that kind of attacks. These properties are, among others, revocability, renewability and non-reversibility:
- Revocability guarantees that, in case someone gets access to our biometric template, it can be cancelled and no longer possible to access the system with it.
- Renewability allows to generate a new biometric template from the same biometric feature (face, footprint, etc.) without change. It means that it is possible to generate a new template from your face without having a surgery.
- Non-reversibility seeks to guarantee user privacy, so that it is not possible to retrieve the original trait from the biometric template. That is, you cannot reconstruct your face from the sequence of numbers that your template forms.
What if someone tries directly to use a photo of my face or a copy of my footprint to impersonate me?
There are already at the present time techniques to detect this kind of attacks (Presentation Attack Detection or PAD) in order to verify that biometric samples are actually being captured from a “living person”.
These PAD techniques contemplate either the use of specific hardware or sensors that analyse some type of physiological characteristic of the user, such as logical systems that seek to check user behaviour, reactions, interaction, etc.
The use of these systems is becoming increasingly prevalent in security and access control systems, contexts and situations in which reliable tools are needed to detect anti-spoofing attacks in mobility scenarios.
Are biometric recognition systems infallible? Can we get rid of our passwords yet?
Unfortunately, there is nothing foolproof and there is still a long way to go. However, at present there are many research groups working on system improvements, and standardization teams working on the standards to allow their adoption with the necessary guarantees of security and privacy.
Common sense suggest to wait a bit longer before we completely get rid of passwords. In high-security scenarios, for example, combining factors such as biometrics, passwords or other elements such as cards, USB keys, etc. is a very common practice.
Biometric technologies are relatively new in their application to the markets and in our everyday lives. During the process of integration and adoption, there are still many details to be polished and improvements to incorporate. Undeniably, biometrics have now come to stay and have great usability and security advantages.
Authors: Esteban Vázquez Fernández, head of Biometrics; Daniel González Jiménez, director of Multimodal Information in Gradiant