2

So we all have cameras on our phone, and we all have faces on our bodies(hopefully). We all also have a want to keep our data safe and secure. To that end many companies have tried to make secure facial recognition software or bio metric scans that can't be beaten with a simple picture.

The idea behind it is always the same. We'll use the unique identifying properties of a person to identify them. The idea behind it is pretty solid. However there's always been one problem with it on some of the earlier implementations that were brought out that showed a copy just has to be good enough. With image(facial/retinal) recognition it was beaten with a picture. With full fingerprint scanners it was beaten with silly putty. Now we have new technologies to try and verify them much more "securely".

Microsoft uses Hello, most phones now have a finger scan, and many of these systems with small changes are considered secure. Are they really though? Theoretically most bio metrics can be imitated well enough to fool the scanners with enough time and money.

So this brings the real question into it: How can you confirm they are really that bio metric in front of your scanner?

I've often thought about this and the one theory I've struck upon is using video capture to prove it's a living thing in 3D space(requires two cameras for depth perception), but even then if they wear a good enough mask it can still be fooled.

So how can we ABSOLUTELY make sure that the bio metric we're scanning is the original bio metric and not a good enough recreation out of clay?


Edit: I'm not asking why it's not used much, I'm asking for theoretical ways to make them as secure as possible through changes to implementation. How we currently take steps to make them secure, holes in them, and how we can improve them.

Robert Mennell
  • 6,978
  • 1
  • 14
  • 38

3 Answers3

2

Unfortunately Biometrics are not a good way to identify someone. You may think every part of your fingerprint is unique, but you are wrong on two counts:

  • fingerprints, like everything else, have a finite number of possible arrangements. Large, but finite.
  • the sampling process you use reduces this large number down to a much smaller number

A certain amount of leeway is required when assessing a biometric signature - too strict and day to day differences can make it fail (like blood pressure, a tan, water retention etc); too relaxed and you have too many individuals presenting with the same signature.

As an additional factor, it's helpful, but as a stand alone identifier it is not secure.

@ThomasPornin's answer to Why do we even use passwords / passphrases next to biometrics? explains why.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
1

Great question you have got there! As we say, nothing is 100% secure or perfect. Everything will be fooled one or another way.

Combining more than one biometric is a suggestion! Like, enable the face recon only if the fingerprint is verified. But even if we do that, there is some way , like you said with enough money and time.

while reading upon something recently, read upon how insecure vendors keep fingerprints and other bio details that once it is leaked its like losing our permanent identity. Adding more to that stack maynot be a worth option imho. (referring to the http://bit.ly/1D4fmpt document.)

Would adding thermal scan do any good? May be the thermal signature varies when we wear a mask or add a latex print on finger! ?

Xander
  • 123
  • 4
1

One of the big problems with biometric authentication is what happens if you loose/alter the body part being used (accidents happen) ?
You'd need some way for an alternative verification.
Even if the biometric part would be safe, there would still be the recovery option to attack.

Also there is the general problem that you won't (hopefully) tell someone your password, but if the password is some body part of you, people can see and thus reproduce them. With enough resources I'd bet you can get pretty neat small 3d scanner f.e. Sure you could use (mostly) hidden bodyparts but the only thing i can think of is neither comfortable nor sanitary...

Sorry i can't provide ideas for making biometric authentication safer, but i think the whole idea is a bad one.

SleepProgger
  • 590
  • 3
  • 10