Biometrics Institute CEO outlines strengths and vulnerabilities of biometric security
Biometrics Institute CEO Isabelle Moeller recently penned an opinion-editorial emphasizing how stakeholders must balance the strengths and vulnerabilities of biometric technology, as its credibility relies on the industry’s efforts to collaborate globally.
The recent rise of biometrics deployments in consumer services has confirmed spoofing as a vulnerability that needs careful management.
Moeller states that the weaknesses in biometrics have “spawned a race between those creating and applying the solutions.”
She adds that while all biometric systems have some flaws, what really matters is how these vulnerabilities are mitigated.
She highlights two factors that can determine the effectiveness of a biometric solution, both of which require some trade-offs in order to achieve a useable solution.
“Firstly, the solution is only as good as the biometric data it enrolls and then recaptures each time the user authenticates,” Moeller says. “The recaptured ‘image’ can be impacted by myriad factors depending on the mode being used. Ambient noise can interfere with voice recognition, for example, eyelashes can obscure an iris image, varying skin conditions can impact fingerprints and so on.
“Secondly, the matching process also depends on how tightly the solution’s parameters are set. Insisting on too high a degree of similarity between the stored and presented image creates too many ‘false negatives’, where the genuine user is denied access, and the system rendered unusable.”
She points out that a hacker never needs to replicate an individual’s biometric image entirely, but only enough of it to dupe the system. Therefore, if the matching process isn’t accurate enough, it leads to ‘false positives’, where fraudulent users are given access and the system is breached.
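The threshold trade-off described above, as an added example that is not part of the original article or of Moeller's editorial: it sweeps the match threshold over constructed similarity scores and reports the false-negative (false reject) and false-positive (false accept) rates at each setting. The score distributions, the function names and the rule that a score at or above the threshold is accepted are assumptions made for illustration.

```python
import random

def _clamp(x):
    return min(1.0, max(0.0, x))

def make_scores(seed=7, n=2000):
    """Constructed similarity scores in [0, 1], not data from a real system.
    Genuine recaptures cluster high; impostor and partial-replica attempts lower."""
    rng = random.Random(seed)
    genuine = [_clamp(rng.gauss(0.80, 0.08)) for _ in range(n)]
    impostor = [_clamp(rng.gauss(0.45, 0.12)) for _ in range(n)]
    return genuine, impostor

def error_rates(genuine, impostor, threshold):
    """Return (false_negative_rate, false_positive_rate) at this threshold.
    Assumed decision rule: accept when score >= threshold."""
    fnr = sum(s < threshold for s in genuine) / len(genuine)
    fpr = sum(s >= threshold for s in impostor) / len(impostor)
    return fnr, fpr

def sweep(genuine, impostor, steps=101):
    """Evaluate evenly spaced thresholds from 0.0 to 1.0."""
    rows = []
    for i in range(steps):
        t = i / (steps - 1)
        fnr, fpr = error_rates(genuine, impostor, t)
        rows.append((t, fnr, fpr))
    return rows

def equal_error_point(rows):
    """Threshold where the two error rates are closest to each other."""
    return min(rows, key=lambda r: abs(r[1] - r[2]))

if __name__ == "__main__":
    genuine, impostor = make_scores()
    for t in (0.50, 0.60, 0.70, 0.80, 0.90):
        fnr, fpr = error_rates(genuine, impostor, t)
        print(f"threshold={t:.2f}  false negatives={fnr:6.2%}  false positives={fpr:6.2%}")
    t, fnr, fpr = equal_error_point(sweep(genuine, impostor))
    print(f"closest balance at threshold={t:.2f} (FNR={fnr:.2%}, FPR={fpr:.2%})")
```

No threshold drives both rates to zero when the score distributions overlap, which is why the choice is a trade-off rather than a tuning problem with a single right answer.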
Moeller also notes that the choice of biometric modality can have a big effect on the outcome as some biometrics are better suited to particular use-cases than others.
For example, fingerprints leave a latent image on the data capture surface, which makes them ideal for criminal identification. However, the same latent image can be copied, replicated and used in a spoof attack.
Irises leave no replicable trace which makes them far less useful in criminal applications. Digital pictures of people’s faces are readily available thanks to social media, which means that face biometric solutions have to work harder than ever to verify their subject, using 3D mapping and liveness detection techniques.
Fortunately, the developers of these technologies are responding by using new, cheaper multispectral sensors (which simultaneously capture multiple biometric images within a narrow spectrum) to significantly improve the industry’s ability to detect false biometrics.
“Although improving spoof detection is important, trying to chase a perfect anti-spoofing technique for any biometric is a fool’s errand,” Moeller says. “Try as the industry might, it cannot prove a negative; it can never say that a capture device is completely foolproof, simply because it can’t be tested against the unlimited universe of current and future spoofing techniques.”
Moeller emphasizes that a “single biometric solution is not a ‘silver bullet’ and, in many cases, should be deployed as a factor in a multifactor authentication solution.”
She adds that biometrics’ credibility, as well as the security of the users of the technologies, will be determined by the industry’s ability to identify and adhere to best practice.
“Only by sharing live deployment experiences, establishing guiding principles, creating best practice guidelines and promoting the responsible use of biometrics globally, can the industry truly claim to be representing the interests of end-users,” Moeller says. “Biometrics may be perfect, but our use of them is not. As the adoption of biometric technologies continues to accelerate, it is our collective responsibility to ensure we strike the right balance between delivering a great user-experience and mitigating security risks along the way.”
Earlier this year, Moeller wrote an editorial that explores the benefits and challenges of deploying biometric technologies at national borders.