Biometric Authentication: Advantages and Potential Vulnerabilities
The voice on the other end of the line sounded like her brother.
That was why a Calera, Alabama woman handed over personal details to the caller.
Unfortunately, the soundalike was a scammer, and that scammer locked her out of her Facebook account. From there, the fraudster scammed people using her information.
The Calera woman was the victim of a concerning scam targeting consumers. Using artificial intelligence, scammers can create soundalike versions of real people and convince their loved ones to hand over information.
Even more concerning? The scammer could access the brother’s voice through his own social media posts.
Yet the concerns about cloning go beyond scamming people into handing over personally identifiable information. A.I. can be used to crack the biometric technology that keeps our devices, servers, and buildings secure. And we may not be ready to counter it.
What Is Biometric Authentication?
I can’t imagine what we did before keycards.
Everyone carried a heavy keychain inserted into a door lock that could easily be picked.
Then came keycards. We can simply wave one of these magic cards in front of a reader and gain access to our hotel rooms and offices. It’s far better security than those old-fashioned keys.
Of course, security experts soon began to realize how easily that sort of technology could be faked. That doesn’t include the possibility of the physical card being stolen and used.
One asset that isn’t as easy to steal is the human body.
That’s why biometrics stands to transform the space. Using your eye, fingerprint, entire face, or voice, security experts can authenticate a person, and that can’t be faked.
Or can it?
Biometric authentication is using a person’s unique biological characteristics to verify their presence.
Yet artificial intelligence is evolving quickly. Already, police are seeing scammers faking people’s voices and faces. A man in Brazil even taped victims’ faces onto dummies and used them to fool facial recognition technology in various banking apps.
If scammers can use A.I. to get around biometric identification protocols, what does that mean for our bank accounts? Our mobile devices and computers? Our security access at work?
Despite all that, biometrics remains safer than other ways of securing devices, apps, and physical spaces.
Think about it:
- Locks can be picked.
- Passwords can be guessed or brute-forced.
- Credentials can be swiped from your device.
All it takes is a crafty hacker.
Types of Biometric Authentication
1. Fingerprint Authentication
I have a loved one who has no fingerprints. None.
She’s worked with her hands a lot throughout her life, and those ridges have simply smoothed over time.
Normally, it isn’t a problem unless you plan a life of crime (actually, in that case, it could work in your favor).
Yet, with biometrics becoming more popular, fingerprints are becoming an important part of everyday life. I unlock my laptop using a fingerprint. My husband needs his thumbprint to unlock his smartphone.
Fingerprint authentication takes advantage of the unique ridges in everyone’s fingers. We’re born with those unique characteristics, making them tough to replicate.
Yet even for those of us who have fingerprints, there are flaws with fingerprint biometrics.
The biggest is that they can be hijacked. All a scammer has to do is access your fingerprints, which are likely on file somewhere, and find a way to use those fingerprints to bypass security.
2. Voice Authentication
In recent years, voice recognition has become a popular way to authenticate someone.
Your voice has a unique sound, also known as your “voiceprint.” Voice recognition software allows you to simply say a passcode and gain access to a system or unlock a door.
The best thing about voice authentication is that it’s hands-free. This can be very useful when approaching a door while loaded with items.
Yet there is one area where voice biometrics beats all other types: the car.
We’ve probably all asked a voice assistant to make a call or read back a text while we’re driving. Trying to type in your passcode or slip your face in front of the screen is dangerous when operating a vehicle.
If your phone doesn’t unlock using your voice, head to your accessibility settings. This feature is available for iOS. With Android, the feature was disabled, but you can still use Google Assistant while your phone is locked.
As demonstrated above, artificial intelligence allows scammers to trick people. Could it trick voice recognition software? In time, it’s possible.
3. Iris Authentication
Scanning your iris is a faster, more accurate way of authenticating a person.
In seconds, a system can scan your eye and match it to a previous scan in a database.
Iris scans take a look at the 240 different features in your iris. They create a pattern.
There are some downsides to iris authentication, though. The biggest is that the equipment is much more expensive than the technology used for fingerprint authentication.
Also, some find taking and verifying iris data more intrusive than other forms.
4. Facial Feature Authentication
If you have a relatively new smartphone, you can use your face to unlock it.
I have loved ones who refuse to upgrade their phones because they want to stick with the old fingerprint unlock.
It’s so easy, though. You simply hold the phone in front of your face, and it unlocks.
Facial feature authentication isn’t just for smartphones.
You’ll find facial biometrics in airports, office buildings, and financial institutions around the globe. And using facial features for authentication is only likely to increase in the coming years.
The biggest concern about facial biometrics is security. With growing awareness of technology like deep fakes, consumers are understandably worried about our faces being on file somewhere.
Yet there’s another worry about facial recognition. Our faces are everywhere.
Google your name and check out the publicly available images. Do you show your face on apps like Instagram, TikTok, or Snapchat? Are you sure someone couldn’t grab one of those images and use it for identity theft?
Our faces are unique, but scammers can track down those images far more easily than our thumbprints, the details of our iris, or our voice.
Advantages of Biometric Authentication
Now that we’ve reviewed the basics of biometrics, it’s time to look at the pros and cons of using it. Let’s start with the advantages.
1. Tougher to Crack
Before biometrics came passwords.
I’d like to say that it’s going well for us, but it’s not.
Hackers have been guessing passwords since the dawn of the internet. And newer technology has put them ahead of the game.
- They can guess passwords using password-cracking software.
- They can trick you into downloading a keylogger that captures every stroke, including your usernames and passwords.
- They can steal that sticky note you attach to your computer that lists your passwords.
None of that is a possibility with biometrics.
Yes, biometric authentication may have weaknesses, but it’s still tougher for someone to steal than text-based passwords.
2. Convenient and Effortless
The thumbprint reader made it so much easier to get into our phones. Even computers now come with fingerprint readers. Simply set your finger or thumb on the reader, and voilà, your laptop is unlocked.
Now, I simply lift my phone to my face, and it unlocks.
The same goes for unlocking doors. Instead of waving a card in front of a door or tapping a code into a number pad, you stand in front of a reader. It might sometimes take a little longer, but it’s a hands-free way to gain access.
3. Non-Transferrable
Costco recently tightened its rules about IDs. You’ll have to show an ID that matches the membership card at self-checkout.
Why? Because members have been sharing cards with family members, neighbors, coworkers, friends… They could slip through the self-checkout without catching the attention of an ID-checking cashier.
You can no longer hand your Costco card over to your lookalike sister. Not unless you’re okay with loaning her your driver’s license. Even then, if she plans to pay using her credit or debit card, the names won’t match.
This sort of benefits transfer has been happening for years, from teenagers borrowing adult driver’s licenses for beer purchases to entire dormitories sharing one Netflix account.
Biometrics doesn’t just make password sharing tough. It’s impossible. You can’t share your iris or thumbprint with friends and family members who aren’t beside you. Someone can’t steal those things easily, either.
4. More Secure
I don’t fly very often, which means security has changed every time I pass through the Nashville airport.
The latest change is the use of facial matching, which I experienced when I flew to my niece’s graduation in June.
TSA ran my driver’s license through a reader, which used biometrics to match my face to the one on my license. No flying under a fake ID.
Similar technology may eventually be implemented at venues, schools, and everywhere enhanced security is necessary.
That means these places will be safer for all of us. Yes, biometrics has weaknesses, but it’s safer than having an employee eyeball your driver’s license and compare it to your face.
Biometric Authentication Vulnerabilities
I’ve detailed a few disadvantages of biometric authentication above. Let’s go through them in a little more detail.
1. Identity Theft Gets Serious
Cleaning up the mess can be a pain if someone swipes your Social Security number and name.
What happens if someone manages to access your iris scan or fingerprints from a database on a server somewhere?
What if someone grabs your face from an Instagram selfie or your voice from that podcast you briefly hosted? What if that data is used to create new accounts or commit fraud?
Battling biometric identity theft could bring challenges we haven’t seen before. Unlike a Social Security number or bank account, we can’t grow a new iris or change our fingerprints.
The increasing reliance on biometric authentication brings new concerns for security professionals to address. It may be difficult to prevent information theft of this nature.
However, identity theft protection services could give you the peace of mind you need.
Services like Aura, LifeLock, and IdentityForce will monitor things and alert you if fishy behavior is suspected. Best of all, they’ll help you clean things up if you ever fall victim to an identity thief. Having a backup plan or safety net such as these services might be the best plan in the future.
2. Data Breaches
Biometric theft can also affect you as a consumer. Consider the following:
Someone makes it past a face, eye, voice, or fingerprint scan, gaining access to a business’s server. Your payment information is stored on that server, and the criminal can grab that information while posing as an authorized user.
Your physical safety could also be at risk. Someone could use stolen credentials to get through security at an event venue or access a secure area of a building you’re in.
This sounds scary, but it’s important to be aware of these risks so security personnel can protect against them.
3. Privacy Concerns
We hand over our payment information to businesses every day.
We sometimes even provide personally identifiable information like our Social Security number and birthdate, especially when getting medical care.
Allowing someone to record an imprint of our iris, thumbprint, voice, or entire face gets a little intrusive.
Privacy concerns have already been raised about facial recognition technology. Just how safe are we when our face can be used to identify us? If someone could scan a room with a smartphone and get information on everyone there, how could that be weaponized?
For that reason, people may opt out of using biometrics. If a portion of the population is noncompliant, biometrics will be less reliable for security.
4. False Readings
Biometrics can be sensitive.
As mentioned above, my phone’s facial recognition doesn’t work if my face is obstructed. (Didn’t we all learn that during our COVID mask-wearing days?)
Luckily, smartphones default to a passcode, so it’s a mere inconvenience.
What if a system relies solely on biometrics to authenticate someone?
With iris scans, a slight head tilt can sometimes affect the reading. The same goes for fingerprint readers. That’s why you’ll often be asked to provide multiple readings in different positions to create the “template.”
That template brings another problem. Over time, it can age, which means the system might see a mismatch simply due to a lack of quality in the original.
As we established, fingerprints can rub off. And if you have dirt on your fingers or your hands tend to run cold, you could have difficulty getting a reading.
This can be resolved by having a backup method for authenticating people. You won’t want your development team locked out of their offices because their face or iris no longer matches what’s on file.
A passcode that they can use as a backup will at least keep them from being locked out.
I can see a problem with that, though. If you don’t use a passcode daily, do you remember it well? I have my phone passcode memorized, but that’s mostly because I entered it multiple times a day for years. Plus, if my phone ever restarts, I must input that code.
Additionally, if someone with ill intent wants access, they can default to the passcode.
5. Identical Twins
One last weakness in facial recognition relates to identical twins.
Yes, it’s not an everyday problem, but 12 in every 1,000 births brings twins. Most are fraternal, but enough are identical to make it an issue.
That could be a challenge for facial recognition, which still has difficulty differentiating between identical twins.
The irises and fingerprints of identical twins differ, which may bring a good argument for using iris or fingerprint scans over facial recognition.
Conclusion
No matter how we feel about it, biometric authentication is here to stay.
By highlighting its weaknesses, experts will have the information they need to help minimize scams.
Meanwhile, it’s also important to monitor how fraudsters use biometrics for identity theft. That way, we can ensure we’re protecting our devices and spaces while keeping our fingerprints, irises, faces, and voices from being duplicated and used. We also will be able to know whether we need services such as Aura to act as an alert system and failsafe should the worst happen.
Whatever the case, we have an interesting decade ahead of us regarding biometrics.