Weaknesses of Biometric Authentication

By Mark Perkins, MS, CISSP, IT Manager

In today’s digital world, knowing who is on the other end of the wire is more important than ever.  The democratization of digital technology and the proliferation of Internet access, together with the transformation from physical to virtual, have created a new era of criminal activity.  Currency, for example, can simply be transferred from one account to another.  Digital documents requiring multiple signatures can be completed simultaneously on different continents.  These conveniences come with a risk.  Without physical verification, how do you know who is on the other end?

IAAA, or Identification, Authentication, Authorization, and Accounting, is an essential function in cybersecurity.  Identifying and verifying who a person is, determining what they may access, and logging what they did are extremely important.  With quantum computing, passwords—even complex passwords—are too easily cracked.  Multi-factor authentication can be implemented to mitigate this risk.  One of the strongest methods of multi-factor authentication is biometric authentication.

“Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database.” (Haughn, 2020)

There are several different types of biometric authentication, and new technologies are being developed every day.  Facial scanning and fingerprint scanning are common and found on most smartphones and personal devices.  There are many other types, however, such as retina scanning, iris recognition, palm vein scanning, and hand geometry.  Artificial intelligence has allowed new methods to be developed, such as keystroke rhythms.  “Identifying or authenticating people based on how they type is not a new idea, but thanks to advances in artificial intelligence it can now be done with a very high level of accuracy, making it a viable replacement for other forms of biometrics.” (Constantin, 2017)

“Unlike the Personal Identification Numbers (PIN) and passwords, biometric data is nearly impossible to guess and is unique to a single person.” (Thompson, 2018)  Although it may seem that biometrics are foolproof, they are not.  “No one method is without limitation and there is still a way to go until biometric authentication methods become affordable and trusted enough for widespread adoption.”  (Thompson, 2018)

Unless you write down your PIN or password, it is statistically improbable that it would be guessed by a human.  Passwords are protected with a one-way hash.  Fingerprints, unlike passwords, are left on everything you touch.  The issue is further compounded by the massive stockpiles of fingerprints in the hands of US authorities, with more than 31 million in a Department of Homeland Security biometrics database as of 2014 and more than 34 million belonging to civilians also in an FBI database as of 2010. (Sputnik International, 2018)  History has shown that our government networks are susceptible to compromise.  Even more interesting, machine learning has made it easy for researchers to develop “a technique to create so-called DeepMasterPrints: fake fingerprints designed to trick scanners.”  (Newman, 2018)

Iris scans are considered highly reliable and extremely accurate; however, the cost of the equipment required to capture enough detail to validate the scan is very high.  “Large companies, agencies or Governments can afford that price, but the general public can’t afford to pay that price. Some say that it costs five times higher than fingerprint scanning which is more readily available to the general public.”  (Mehedi, 2018)  This barrier to entry may encourage a potential user to select a less secure method of authentication.  Retina scans also use the eyes; however, the method raises concerns about hygiene and privacy.

“Fingerprints and facial scans are seen as an enhanced additional layer of security, but they rely on database storage just like any other type of data.”  (Ikeda, 2019)  At a lower level, these biometric readings are converted into numbers by complex algorithms and stored in a database on an on-premises server or in the cloud.  If the servers and databases are not properly secured, encrypted, or protected with effective perimeter security, the data can be accessed.  Values can be changed or deleted.  “Unfortunately, leaking of biometric source information is the inevitable next step in a long line of security blunders. With any authentication method, from passwords to advanced biometrics, security is only as strong as its weakest link.” (Ikeda, 2019)  The real danger here is that, unlike a password, biometric data cannot be changed: once it is compromised, the end user cannot replace it.
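The two storage models contrasted above (a password kept only as a one-way hash, and a biometric kept as a stored numeric template that is matched by closeness rather than equality) can be shown side by side. The following is an added example, not code from the article or from any product it cites; the PBKDF2 parameters, the Hamming-distance matcher, the `TemplateStore` class and its HMAC-protected records, the server key and the sample templates are all constructed for illustration. It shows why a leaked password record is recoverable (rehash with a fresh salt) while a leaked template is not, and how a keyed integrity tag lets the verifier detect a record that has been changed in the database rather than silently trusting it.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# --- Password side: one-way, salted, deliberately slow hash -------------------
def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> dict:
    """Return a record {salt, iterations, digest}; the password itself is not stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def rotate_password(password: str, old: dict) -> dict:
    """After a leak, the same secret can be re-enrolled under a new salt; the old
    digest becomes useless. There is no equivalent for a fingerprint."""
    new = hash_password(password)
    assert new["digest"] != old["digest"]
    return new

# --- Biometric side: templates are numbers matched by distance, not equality --
def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits; a fresh capture is never bit-identical to enrolment."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

class TemplateStore:
    """Hypothetical template database. Each record carries an HMAC under a
    server-side key so that a record altered or swapped in storage fails
    verification instead of being trusted. Confidentiality (encryption at rest)
    would be layered on top of this; it is out of scope for the example."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._records: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (template, tag)

    def _tag(self, user: str, template: bytes) -> bytes:
        # Binding the user name into the tag stops a record being moved between users.
        return hmac.new(self._key, user.encode() + b"\x00" + template, "sha256").digest()

    def enroll(self, user: str, template: bytes) -> None:
        self._records[user] = (template, self._tag(user, template))

    def load(self, user: str) -> bytes:
        template, tag = self._records[user]
        if not hmac.compare_digest(tag, self._tag(user, template)):
            raise ValueError("template integrity check failed for %s" % user)
        return template

    def verify(self, user: str, capture: bytes, threshold: int) -> bool:
        """Accept when the capture is within `threshold` bits of the stored template."""
        return hamming_distance(self.load(user), capture) <= threshold

def demo() -> dict:
    """Constructed walk-through; returns the observations as a dict."""
    pw_record = hash_password("correct-horse-battery")
    store = TemplateStore(secrets.token_bytes(32))      # constructed server key
    enrolled = bytes(range(32))                         # constructed 256-bit template
    store.enroll("alice", enrolled)

    noisy = bytearray(enrolled)                         # a later capture of the same finger
    noisy[0] ^= 0x01
    noisy[5] ^= 0x80

    # Simulate an attacker with write access to the database replacing the record.
    tampered = TemplateStore(secrets.token_bytes(32))
    tampered.enroll("alice", enrolled)
    tampered._records["alice"] = (bytes(32), tampered._records["alice"][1])
    try:
        tampered.verify("alice", enrolled, threshold=8)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "password_ok": verify_password("correct-horse-battery", pw_record),
        "password_rotated": rotate_password("correct-horse-battery", pw_record)["digest"] != pw_record["digest"],
        "noisy_capture_matches": store.verify("alice", bytes(noisy), threshold=8),
        "unrelated_capture_matches": store.verify("alice", bytes(32), threshold=8),
        "tamper_detected": tamper_detected,
    }

if __name__ == "__main__":
    print(demo())
```

The threshold in `verify` is the crux of the article's point: because a match only has to be close, whoever holds the stored template (or a good lift of the finger it describes) holds something the user can never revoke, so the confidentiality and integrity of the template store carry far more weight than they do for a hashed-password table.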

Security has seen many evolutions in my career: from password, to username and password, to multi-factor authentication, to biometrics, to biometrics augmented with artificial intelligence.  As information security has become more robust and complex, so have the tools to thwart these methods.  All cybersecurity strategies have strengths and weaknesses.  One must evaluate their respective environment and determine the best strategy.

About the Author

Mark Perkins, MS, CISSP is an IT Manager at a food and active pharmaceutical ingredient manufacturer that is part of a globally traded company.  He is currently completing his Ph.D. in Information Technology.

September 22, 2020
