In: Computer Science
Course: Physical Security
Submit a paper on the weaknesses of biometric authentication
Assignment is worth 50 points and 10% of your grade
Authentication is the process of determining whether a person is who he or she claims to be. Biometrics is one authentication method: it identifies people by recognizing one or more physical characteristics, and it is probably one of the main future solutions for providing authentication. Biometric systems have great potential to provide security for a variety of applications. They are now being introduced in many settings and have already been deployed to protect personal computers, banking machines, credit cards, electronic transactions, airports, and high-security institutions such as nuclear facilities and military bases, as well as in border control, access control, sensitive data protection, and on-line tracking systems. Although biometrics may improve security in many environments and serve many purposes, biometric systems, like any other security system, have vulnerabilities and are susceptible to threats. Biometrics are definitely better than passwords when it comes to security, but they are not fool-proof.
Despite these benefits (biometrics are faster and more convenient for users, there is no password to remember, and authentication is strong because biological characteristics are distinct), there are flaws that still must be addressed.
Biometrics are inherently public, whereas a password is inherently private because you are the only one who knows it. Attackers can of course acquire a password by brute force or phishing, but in general other people cannot access it. Biometrics seem secure on the surface: after all, you are the only one with your ears, eyes, and fingerprints. But that does not necessarily make them more secure than passwords. Your ears, eyes, and face are exposed; you reveal your eyes whenever you look at things. With fingerprint recognition, you leave fingerprints everywhere you go. With voice recognition, someone can record your voice. Essentially, all of these identifiers are easy to obtain.
Second, biometrics can be hacked. Once an attacker has a picture of someone's ear, eye, or finger, they can easily gain access to that person's accounts. While Apple's TouchID was widely accepted as a biometric advancement, the well-known hacker Jan Krissler was able to beat the technology just a day after the iPhone was released. He obtained high-resolution photos of a politician's thumb from press conferences and reconstructed the thumbprint using VeriFinger software. Eye scanning is not secure either: the system can be fooled by placing a contact lens over a photo of the user's eye.
Third, some methods do not work for some people. For example, fingerprint authentication is impossible for someone who has no hands. Some behavioral authentication methods stop working when something in your life changes: if you have new shoes, your gait may change, and it can become a problem to authenticate you. Likewise, if one of your fingers is severely injured, fingerprint authentication will not work. Characteristics such as your face also change with age. Moreover, most biometric authentication systems are still under development, and they can be expensive to install.
The TouchID case described above is one example of how these weaknesses are exploited. Likewise, researchers from the Chaos Computer Club created fake fingers to unlock iPhones, and Krissler showed how easy it is to steal a public figure's identifier when he recreated German Minister of Defense Ursula von der Leyen's fingerprint.
Controls to help overcome the weaknesses
If an attacker learns the template structure, he or she can present a fake artifact to the biometric device that bypasses the matching unit or algorithm. These systems are vulnerable to attacks such as replay, spoofing, and transmission attacks. Spoofing consists of two stages: "first, capturing the biometric sample belonging to the enrolled user and second one is creating a copy of the captured sample by means of an artifact" [1]. Several techniques to overcome the spoofing vulnerability have recently been proposed and tested, both in software and in hardware, for biometric systems.
"Liveness detection" is one anti-spoofing method. Its purpose is to determine whether a biometric sample is provided by a live human or is a copy produced by an artifact (a fake). Liveness can be established by detecting physical properties of the live biometric, "e.g. electrical measurement, thermal measurement, moisture, reflection or absorbance of light or other radiation". Skin resistance can also be used to mitigate spoofing: "Because human skin has a layered structure and the layers have different electrical conductivities, conductivity has been suggested as a feature to recognize fake fingers" [1].
Educating the public about biometrics will greatly help to solve many problems and support the growth of this industry. People are becoming aware that the wide use of this technology can introduce certain risks to individual privacy. Business organizations should therefore understand this and introduce policies and develop assurance models for protecting their customers' privacy. This raises the need to understand biometrics from both the individual's and the organization's perspective [2].
The fact that a biometric cannot be changed makes theft of biometric data a top-priority problem. Organizations use certain algorithms to convert the biometric into a binary file that is stored in a database. People should supervise and safeguard the biometric devices and databases, and the databases should be placed in inaccessible locations. Even if an attacker obtains the data, the corresponding biometric cannot be regenerated from it unless the algorithm is known; once the attacker obtains the conversion algorithm, he can make use of the stolen information.
So one way of protecting stored data is to use complex algorithms that are difficult to crack, and it is also good practice to change these algorithms at random intervals. Another way is to encrypt the saved data so that an attacker cannot decrypt and use it. Instead of saving the biometric information as binary data, it can be hashed with a hashing algorithm and saved as a reference string; during verification and identification, the sample template is again converted into a hash value and compared with the reference value. Thus direct access to the binary data can be prevented. The branch dealing with the encryption of biometric data is called Biocryptics [3].
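As an added illustration (not code from this paper or its references), the following Python sketch implements the hash-then-compare scheme described above, using a keyed hash (HMAC-SHA256 with a server secret) as the "complex algorithm", and beside it a fuzzy-commitment variant that tolerates the small bit differences between two captures of the same finger, which a plain hash of the template does not. The template bits, the server secret, and the repetition code are constructed sample choices, not values from the paper.

```python
import hashlib
import hmac
import secrets

REP = 5  # constructed repetition-code factor; majority vote corrects up to 2 flipped bits per group

def keyed_hash(secret: bytes, data: str) -> str:
    # Keyed hash (HMAC-SHA256) stands in for the paper's "complex algorithm":
    # without the server secret, a stolen reference string cannot be tested offline.
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()

def naive_enroll(template_bits: str, secret: bytes) -> str:
    # The scheme as described in the text: store only a hash of the binary template.
    return keyed_hash(secret, template_bits)

def naive_verify(reference: str, template_bits: str, secret: bytes) -> bool:
    # Exact match only: a single differing bit between captures makes this fail.
    return hmac.compare_digest(keyed_hash(secret, template_bits), reference)

def _xor(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def _encode(key_bits: str) -> str:
    return "".join(b * REP for b in key_bits)

def _decode(code_bits: str) -> str:
    return "".join("1" if code_bits[i:i + REP].count("1") > REP // 2 else "0"
                   for i in range(0, len(code_bits), REP))

def fuzzy_enroll(template_bits: str, secret: bytes) -> dict:
    # Fuzzy commitment: a random key, repetition-encoded and XORed with the
    # template, becomes the public "helper"; only a keyed hash of the key is stored.
    n_key = len(template_bits) // REP
    key = "".join(secrets.choice("01") for _ in range(n_key))
    helper = _xor(_encode(key), template_bits[:n_key * REP])
    return {"helper": helper, "ref": keyed_hash(secret, key)}

def fuzzy_verify(record: dict, template_bits: str, secret: bytes) -> bool:
    # helper XOR fresh capture = codeword XOR capture noise; decoding strips the
    # noise when it is small enough, so the exact key (and its hash) is recovered.
    key_guess = _decode(_xor(record["helper"], template_bits[:len(record["helper"])]))
    return hmac.compare_digest(keyed_hash(secret, key_guess), record["ref"])

def flip_bits(bits: str, positions) -> str:
    # Simulates sensor noise between two captures of the same finger (constructed).
    return "".join(("0" if b == "1" else "1") if i in positions else b
                   for i, b in enumerate(bits))
```

With a constructed 40-bit template, a second capture that differs in two bits fails naive_verify but passes fuzzy_verify, while a completely different template fails both.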
[1] Qinghan Xiao, "Security issues in biometric authentication," Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC, pp. 8-13, 15-17 June 2005.
[2] Penny, Wayne, "Biometrics: A Double Edged Sword – Security and Privacy", GSEC Certification Practical 1.3 (2002), http://www.sans.org/readingroom/whitepapers/authentication/biometrics-double-edged-sword-security-privacy-137 (accessed October 16, 2014).
[3] Mjaaland, Bendik, Danilo Gligoroski, and Svein Knapskog. "NISK2009-Biocryptics: Towards Robust Biometric Public/Private Key Generation." Norsk informasjonssikkerhetskonferanse (NISK) (2009).