SoS Musings #16 - Biometrics Growth, Concerns, and Research
The adoption and implementation of biometrics technology continue to increase. Biometrics can be used to identify and authenticate a person via the analysis and measurement of physical human characteristics such as face, voice, fingerprint, retina, and more. The increasing utilization of such technology has been linked to the need for enhanced security for Internet of Things (IoT) devices, replacement of password-based authentication systems, and facilitation of law enforcement activities. An article in Infosecurity Magazine recently highlighted findings of a report from ABI Research called Biometric Technologies and Applications, which further fueled the expectation that biometrics technology will become an essential factor of a user's digital ID within the IoT ecosystem. Bleeping Computer reported a new attack called Thermanator that can determine passwords by capturing thermal residue on keyboards, thus adding to the collection of password-stealing attacks and further indicating the need to replace passwords with alternative forms of authentication such as those that involve biometrics. Police were able to identify the suspect in a mass shooting that occurred at the Capital Gazette newsroom in Annapolis, Maryland on June 28, 2018 through the use of a facial recognition system. Biometrics offers benefits such as improved authentication and identification of individuals. However, there are still major concerns surrounding such technology.
The increased use and application of biometrics brings with it security concerns. Although biometric authentication offers improved security, as the biological data used to verify the identity of individuals is distinctive and impossible for attackers to guess, this technology can still be defeated through the use of methods recently demonstrated by researchers. Recent research has brought further attention to the possibility of fooling different types of biometric authentication systems such as fingerprint scanners, facial recognition, voice recognition, and iris recognition. A team of researchers from Fudan University in China, the Chinese University of Hong Kong, Indiana University, and Alibaba Inc. has demonstrated the use of an LED baseball cap that they created to trick facial recognition software into misidentifying an individual. Researchers at the University of Eastern Finland conducted a study which showed that voice recognition systems could be deceived by voice impersonators, along with different technologies such as voice conversion, speech synthesis, and more. Shortly after the phone was released, hackers from the Chaos Computer Club in Germany were able to defeat the iris-recognition feature in Samsung's Galaxy S8 smartphone through the use of an artificial eye, which they created using a digital camera, printer, and contact lens. The fingerprint scanners on the Samsung Galaxy S6 and Huawei Honor 7 smartphones were successfully fooled by researchers at Michigan State University using an inkjet-printed fingerprint. As methods to trick biometric security systems emerge, defenses against such techniques must continue to advance.
The expanded use of biometrics has also raised concerns pertaining to privacy. A Wired article discussing the security and privacy concerns surrounding biometrics emphasizes the public nature of biometrics: the data used for identification are publicly visible, unlike passwords or credit cards, which are inherently private. A malicious actor could take a high-resolution picture of an individual's iris or recover a fingerprint left on glass and attempt to bypass security features in which these physical characteristics are used for identification or authentication. The increasing utilization of biometrics such as facial recognition in law enforcement also evokes the concerns of privacy advocates. A report released by the Center for Privacy & Technology at the Georgetown University law school in 2016 highlighted the storing of facial recognition data of over 117 million Americans by U.S. law enforcement agencies. Critics have expressed fears about the use of biometric facial recognition by law enforcement due to the potential abuse of data, occurrence of errors leading to misidentification, performance of extreme surveillance, and lack of regulation.
Efforts have been made to strengthen the accuracy, security, and privacy of biometric authentication and identification. Researchers at the Georgia Institute of Technology developed a new approach to login authentication called Real-Time Captcha, which improves upon the security of biometric techniques in which video or images of users' faces are used. The application of this technique requires that a user look into the built-in camera of their smartphone and respond to a randomly selected question appearing as a Captcha within a short amount of time. This complicates the process of spoofing legitimate users. A smartphone fingerprint sensor has been developed by Korean researchers to measure skin temperature and pressure in order to prevent the use of an artificial hand or fingerprint. A 3D facial recognition model called FR3DNet designed by researchers from the University of Western Australia improves upon the accuracy and performance of facial recognition. Major tech company Microsoft has called for the regulation of facial recognition technology by the US government in support of protecting against the threats that such technology poses to privacy. The evolution of biometrics and the implementation of regulations for this technology should continue to be supported by researchers and organizations.
Biometric technology calls for continued advancement as it expands in application. The privacy, security, and performance of biometric technology and standards must continue to be supported through further research and development efforts.