6.6 Biometric Authentication

In biometric authentication, the computer collects a biometric measurement from the user, compares it to data in its authentication database, and recognizes the user if the measurement closely matches the database entry. Most biometrics require specialized readers. Laptop computers may incorporate fingerprint readers into their keyboards (FIGURE 6.20). Fingerprint readers also appear in many smartphones. Apple and Samsung have also incorporated camera-based authentication of faces and irises, respectively.

FIGURE 6.20 Biometric fingerprint reader on a laptop’s keyboard.

Courtesy of Dr. Richard Smith.

When a system authenticates someone using a password or token, the system performs an exact match on the credential. The system rejects the authentication on even the slightest mismatch.

In biometric authentication, the system measures some aspect of the person’s body and constructs a credential from those measurements. Such measurements are never precise in the technical sense; a series of measurements may be similar, but they are almost never identical.

To perform a biometric authentication, the system first collects a measurement from the person (FIGURE 6.21). This is often an image of some sort: a two-dimensional representation of a fingerprint, an iris, the shape of the hand, or the waveform of a spoken passphrase.

FIGURE 6.21 Elements of a biometric system.

The image is not itself the credential. The biometric system must analyze the image to create the credential. This process is often called “feature extraction” because it distills the image down to its basic features. The process discards the “noise” inherent in such images and identifies the key features that distinguish one human from another. These features are measured and structured in a way that they can be reliably compared with other readings from the same person.

Next, the biometric system compares the credential constructed from the person to biometric patterns stored in the authentication database. In general, the system measures the mathematical distance between the credential and the pattern it has stored for that person. Typically, a measurement from the right user should yield a close match to the pattern. Thus, the distance between the pattern and the credential should be small. If the distance is too large, the system concludes that the credential does not match.

6.6.1 Biometric Accuracy

A typical human body may go through a broad range of experiences, and these cause visible changes. The body may be hot or cold due to changes of weather or clothing. Daily activities may make body parts unusually damp or dry. Fashion decisions can affect skin color, facial or body hair, or even the amount of the body that is visible to sensors.

A successful biometric sensor must be largely immune to these changes. People don’t want to select clothing or decide on hand washing based on the needs of a biometric system. In any case, the biometric sensor must be able to adapt to a broad range of appearances.

A biometric sensor must always balance itself between being too strict and being too tolerant. If too strict, the sensor won’t correctly recognize the people it was programmed to recognize. Authorized users will put their fingers on readers and not be authenticated. Such users may be able to succeed by trying again, but regular failures can lead a site to abandon the system. On the other hand, if the sensor is too tolerant, it may recognize one user as another or allow an unauthorized person to masquerade as someone else.

These errors play an important role in testing and assessing biometric systems. The two types of errors lead to these two measurements:

  1. False rejection rate (FRR)—the fraction of readings that should match an existing credential template but do not match it.

  2. False acceptance rate (FAR)—the fraction of readings that match an existing credential template but should not match it.

In the first case, false rejections, the system rejects an authorized user. Although these don’t immediately compromise security, a high false rejection rate reduces the computer’s availability. In the second case, false acceptances, the system authenticates the wrong person. The second measurement, the FAR, gives us a basis for estimating the average attack space for a biometric.

With a biometric, it doesn’t really make sense to calculate a search space, per se. Because the FAR represents a statistical estimate, it makes more sense to calculate the average attack space from it. For simplicity, we assume that the entire population uses the biometric. We take the FAR statistic as a fraction, A_FAR, and use this equation:

images

For example, if the FAR is 1 percent, the fraction A_FAR is 0.01. The average attack space is the inverse of 0.02, or 50. This suggests that, on average, we will trick the biometric sensor in one out of 50 readings from the wrong people.

Many people find biometrics fascinating, and some will buy and use them if the price is right. This has produced a marketplace in which there are many low-quality products. Vendors of such products might speak proudly of a “99 percent” or “99.9 percent” accuracy rate, suggesting a FAR on the order of 1 percent or 0.1 percent. Neither of these is especially impressive when compared to passwords.

Biometric systems often include a “sensitivity” setting that we can adjust to try to achieve particular FAR and FRR levels. The two settings, unfortunately, exist in a balance; when one goes up, the other usually goes down. Some operators seek an ideal point in which the FAR and FRR achieve the same rate.
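The following added example (not part of the original text) ties together the distance threshold, the FAR and FRR, and the sensitivity trade-off described above. The distance values are constructed sample data, the function names are hypothetical, and `average_attack_space` assumes the relation implied by the worked example in the text (a FAR of 1 percent gives 50).

```python
# Added illustration; the distances below are constructed sample data.
# Each value is the distance between a fresh reading and the stored pattern.
GENUINE = [0.08, 0.11, 0.12, 0.15, 0.18, 0.21, 0.24, 0.27, 0.31, 0.42]
IMPOSTOR = [0.22, 0.29, 0.35, 0.38, 0.41, 0.44, 0.47, 0.52, 0.58, 0.63]
THRESHOLDS = [0.10, 0.20, 0.30, 0.40, 0.50]  # the "sensitivity" setting


def matches(distance, threshold):
    """Accept when the credential is close enough to the stored pattern."""
    return distance <= threshold


def frr(genuine, threshold):
    """Fraction of right-user readings that fail to match."""
    return sum(not matches(d, threshold) for d in genuine) / len(genuine)


def far(impostor, threshold):
    """Fraction of wrong-person readings that match anyway."""
    return sum(matches(d, threshold) for d in impostor) / len(impostor)


def average_attack_space(a_far):
    """Assumed relation, inferred from the worked example: 0.01 -> 50."""
    return float("inf") if a_far == 0 else 1 / (2 * a_far)


def sweep(genuine, impostor, thresholds):
    """Return (threshold, FAR, FRR) for every sensitivity setting."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_point(rows):
    """Setting where FAR and FRR are closest to the same rate."""
    return min(rows, key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    rows = sweep(GENUINE, IMPOSTOR, THRESHOLDS)
    for t, a, r in rows:
        print(f"threshold={t:.2f} FAR={a:.0%} FRR={r:.0%} "
              f"attack space={average_attack_space(a):.1f}")
    print("equal error point:", equal_error_point(rows))
```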

6.6.2 Biometric Vulnerabilities

Let us look at the five types of authentication vulnerabilities listed in Section 6.1 and apply them to biometrics. Each entry also indicates whether the vulnerability often poses a risk in practice.

  1. Clone or borrow—Often a risk in practice.

    This vulnerability has been very popular in motion pictures; the hero or heroine collects a fingerprint, a scan of an eye, or spoken conversation and uses it to clone the appropriate physical feature. In fact, this can often work with commercial devices. Researchers, technical magazine writers, and television experts have cloned fingerprints, faces, and even irises to fool biometric readers. In 2013, a Brazilian physician was charged with fraud for using cloned fingerprints so that coworkers did not have to show up at work. Some clones required special work, while others were depressingly easy. In all cases, though, it would require a strong threat at least to carry out the attack.

  2. Sniff the credential—Often a risk in practice.

    Most biometric readers connect to the protected system through a cable, usually USB. If attackers have access to the hardware, they may install a sniffer like those used with keyboards. Later, the attacker could transmit a sniffed credential down the same USB connection. This is more challenging if the biometric reader is physically built into the computer’s case. For example, some laptops have a built-in fingerprint scanner. This attack would, at the very least, require a strong threat.

  3. Trial-and-error guessing—Slight risk in practice.

    In this case, we present a series of biometric readings in hopes that one matches the legitimate user. For example, a group of five people can provide 50 fingerprints. This makes success likely if the fingerprint system has a FAR of 1 percent. An attack team of five people, although small, still would indicate an extreme threat.

  4. Denial of service—Possible but less likely in practice.

    When we try to adjust a biometric system to reduce the FAR, the FRR often increases. Thus, as we try to reduce the likelihood of allowing the wrong person in, we increase the likelihood that we won’t let the right people in. This is a self-inflicted difficulty, caused by trying to make the system too safe.

  5. Retrieve from offline—Possible but less likely in practice.

    If an attacker intercepts the credential pattern database, it may be possible to forge biometric credentials, which then could be transmitted across a USB connection, pretending to be from the actual biometric reader. Some biometrics vendors argue that this is impossible or at least impractical. In practice, it appears to be a real possibility. However, there are no simple tools to do this, so it would only be the province of an extreme threat.

None of these attacks are the province of a weak threat. There are a few attacks that a strong threat might carry out, and a few that would only be mounted by an extreme threat. Therefore, biometrics are clearly usable in the face of a weak threat, and possibly in the face of a strong threat.

Biometrics should not be used for remote authentication. The biometric reading must be collected by a sensor residing within the authentication mechanism’s trust boundary. Credential sniffing poses a serious attack vector.

Mobile Device Biometrics

Biometrics are particularly appropriate for mobile device applications. Mobile devices tend to belong to individuals, and biometric authentication can be tied to the individual owner. The device design incorporates a reliable trust boundary, making digital biometric replay attacks impractical. Replay attacks using copies of fingerprints or other personal features may still be feasible.
