Blog: Opinions
IN THE NEWS: Samsung’s S8 Iris and biometric revocation
This week has seen a couple of interesting pieces in the media around biometrics.
First was Dan Simmons on the BBC showing that HSBC’s voice authentication system couldn’t differentiate him from his twin.
Second was the Samsung S8 iris recognition that could be compromised through photography.
I get quite ranty about biometrics as, despite years of progress, insufficient advances have been made in some key areas. Yet businesses are still pushing it, doubtless partly attracted by huge cost savings made through reducing call centres cost in the case of voice.
Authentication thresholds
The HSBC voice issue was apparently caused by an authentication threshold that was too low. Unlike a password, biometrics do not generate an EXACT match. Hence, a threshold has to be set at which point sufficient matching has occurred to be convinced the user is genuine.
I know a little about voice biometrics, having been involved in a few projects.
The trick is to set the matching threshold high enough to ensure the user is genuine, but not too low for a genuine user to be rejected. It’s the whole false positive / false negative problem that you’ve seen elsewhere.
Similarly, if you get the threshold too low with a fingerprint-based system, pressing a sausage to the reader will authenticate you! I saw a system like this in a datacentre years ago. No-one noticed that the threshold was too low, as everyone was happily authenticating with their finger. It was only when we tested it that we realised the matching criteria was wrong and a hot dog would do it.
Back to voice: twins aren’t that common. Particularly so twins that want to steal their siblings money from their banks. However, I’ve seen voice systems that couldn’t distinguish one male voice from another. ANY male voice would work!
‘Liveness’ is another important factor for voice authentication, but again this is a threshold. Is the voice a recording, or is it really them speaking live? Again, we’ve found it trivially easy to defeat voice liveness checks by recording the user and then messing around with background noise.
Voice morphing is another important area. This affects those in the public domain more; any video or audio source online of your victim’s voice can be manipulated. Samples of your voice found on social networks or TV can be used to create other words; ‘morphing’ your voice to say the authentication phrase.
The voice authentication scene from the movie ‘Sneakers’ is a great, if clunky, example of this.
Morphing technology is advancing faster than voice biometrics; check out Lyrebird for some amazing examples of this.
Impersonation
Biometrics that can be photographed are open to copying. Beautifully illustrated by Jan Krissler, taking photographs of the fingerprints of the German defence minister in 2014, then recreating her prints.
Right up to date; we have the Samsung S8 iris recognition. Vulnerable to exactly the same attack with a good camera.
I question WHY we need iris recognition. Ones fingers are already on the phone, so why lift it to your face to unlock it? Use fingerprints…
Further, is one expected to walk everywhere in public with your eyes closed, to prevent photos of your iris being taken?
Revocation
The part of biometrics that worries me most is that of revocation. I’ve written about this before, but in the event of a breach of a business that holds your biometric (your bank, their 3rd party provider etc), it could be exposed.
Breaches never happen, right?
If breached, revoking biometrics is a real issue. You can’t go get new fingers or irises.
My kids school have just informed parents that the canteen is moving from smart payment cards to fingerprint authentication. I’m really bothered by this. Currently, if the system gets breached the worst loss case is the value stored on the payment card. If breached in future, my child’s biometrics could be compromised.
I’ve tried hard to find information about the providers security, but there is nothing on their web site other than the usual ‘military grade encryption’ guff. Why not publish at least part of their biometric security process for peer review?
Biometric data has ALREADY been stolen
See the Office of Personnel Management hack in 2015: >5.6M fingerprints stolen.
There are other examples…
Advice?
Don’t get me wrong: biometrics has a place. With a second factor (PIN, password etc) then it can make a fantastic authentication system.
Local biometric auth to phones also makes sense compared to pure PIN auth, as the biometric is less exposed to shoulder surfing.
The problem is that biometrics is being pushed as a single factor authentication system. A silver bullet.
Banks and others are understandably attracted by it, egged on by enthusiastic vendors no doubt heading for IPO.
I suggest biometric vendors should spend more time on dealing with securing their biometric systems than looking for new biometrics to analyse. My walking gait? My typing habits? Who cares, if they’re just as exposed to the above security issues as my fingerprints are.