ReadWriteWeb

Biometrics for Identification or Authentication Still Has a Way to Go

Written by Lidija Davis / February 23, 2009 5:00 AM / 17 Comments

PC manufacturers have been introducing biometric technologies into their products over the past several years, the implication being that such technologies are inherently more secure than the traditional password, especially given how little attention the majority of users pay to password creation.

Several years ago, MythBusters proved that the fingerprint security system is seriously flawed and can be easily broken, and just last week at the Black Hat Conference, Duc Nguyen, senior researcher at Bkis, proved just how easy it was to circumvent facial recognition technology on laptops using a simple low-quality photograph.

MythBusters Fools Fingerprint Scanner

In 2006, the popular MythBusters program showed how easy it was to fool a fingerprint reader, even though the reader was supposed to pick up on pulse, body heat and sweat.

Using three methods (a copy of a fingerprint etched in latex, a ballistics gel copy of a fingerprint and a photocopy of a fingerprint), MythBusters successfully beat the system. How? By licking the samples to simulate sweat. Although it took three days to prepare, once they'd worked it out, it only took seconds to fool the system. If you missed the episode, we've embedded it at the end of this post.

Mold Fools Hand Geometry Scanner

Last year at DEF CON 16, Zac Franken said that physical access control systems are shockingly vulnerable and went on to demonstrate how to bypass a hand geometry scanner by making a mold of his hand using not much more than chromatic dental alginate and vinyl polysiloxane.

As Hack a Day points out, this solution "may not be a completely practical attack, but it does defeat the overall idea of biometrics; biometrics are built on the assumption that every person is unique and can't have their features reproduced."

While the MythBusters and DEF CON examples clearly show that replicating conditions and bypassing biometric technology is possible, Nguyen's demonstration is by far the easiest to pull off.

Printout Fools Facial Recognition Technology

According to a recent Internet News report, although the laptops used in the test (Lenovo, Asus and Toshiba) all have unique algorithms, the basic idea for creating a legitimate biometric login is the same for all three: "A user sits in front of their notebook while its built-in Webcam scans their face to create an image used for future identification."

If you think getting a user's picture is difficult, think again. Nguyen pointed out that with all the user-generated content and sharing sites like Flickr, Facebook and Twitter, and the various chat programs (Skype, MSN, etc.), finding or simply taking a snapshot of a user is almost effortless.

According to the demonstration, the image size and quality make little difference, as Nguyen proved when he bypassed the security on the Lenovo laptop using a grayscale image. In an e-mail to Internet News, a Lenovo spokesperson pointed out that "the technology looks for eye movement to distinguish between a still photograph and a real person." Nguyen got past that by moving the picture around in front of the camera.

Best Security? A Secret

From a user's point of view, the best security is a strong password, something only the user knows. The accepted wisdom at the moment is that a strong password uses alphabetical (upper and lower case), numeric and non-alphanumeric characters and has a minimum of eight characters. However, this works on the assumption that the system itself has been configured securely, with account lockout after a certain number of failed attempts, and retry delays that get progressively longer with each failed attempt to prevent brute-force attacks.

Unfortunately, as we know, this is not always the case. Will biometrics help? Maybe. But clearly not today.
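The password rule, account lockout and progressively longer retry delays described above can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the threshold of 5 failures, the 1-second base delay, the 300-second cap and the doubling schedule are all assumptions, since the article gives no numbers.

```python
MAX_FAILURES = 5    # assumed lockout threshold (the article gives no number)
BASE_DELAY = 1.0    # assumed first retry delay, in seconds
MAX_DELAY = 300.0   # assumed cap on the progressive delay

def is_strong(password):
    """The article's rule: 8+ chars with upper, lower, digit and non-alphanumeric."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))

class LoginThrottle:
    """Per-account failure tracking; time is passed in so the logic is testable."""
    def __init__(self):
        self.failures = {}      # account -> consecutive failed attempts
        self.next_allowed = {}  # account -> earliest time of the next attempt

    def retry_delay(self, account):
        # Delay doubles with each consecutive failure: 1s, 2s, 4s, ...
        n = self.failures.get(account, 0)
        return 0.0 if n == 0 else min(BASE_DELAY * 2 ** (n - 1), MAX_DELAY)

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied', 'throttled' or 'locked'."""
        if self.failures.get(account, 0) >= MAX_FAILURES:
            return "locked"        # stays locked until an out-of-band reset
        if now < self.next_allowed.get(account, 0.0):
            return "throttled"     # too soon: the guess is not even evaluated
        if password_ok:
            self.failures.pop(account, None)
            self.next_allowed.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        self.next_allowed[account] = now + self.retry_delay(account)
        return "denied"

def simulate_guessing(guesses, interval):
    """Constructed scenario: wrong guesses for one account every `interval` seconds."""
    throttle = LoginThrottle()
    return [throttle.attempt("alice", False, now=i * interval)
            for i in range(guesses)]

if __name__ == "__main__":
    print(simulate_guessing(8, 1.0))      # fast guessing is mostly throttled
    print(simulate_guessing(7, 1000.0))   # slow guessing still hits the lockout
```

A hard lockout also lets anyone who can submit guesses lock the legitimate user out, so the threshold and the reset path need as much care as the delay schedule.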

Myth Busters Finger Print Lock



Image Credit: Flickr Flick


Comments


  1. What about iris recognition biometric technologies?

    Posted by: Erica | February 23, 2009 8:23 AM



  2. The thing I see most often overlooked in the "How easy it is to beat biometrics" articles is that the best security method is multiple security methods.

    If you had to scan your finger, face and have a strong password, that would be greater than 3 times as safe as any one of those three methods.

    That's where I see biometrics as being helpful right now even though it's not perfect. So when you say "Will biometrics help? Maybe. But clearly not today" I say it is clearly helpful today if combined with a strong password.

    Posted by: Derek | February 23, 2009 8:34 AM



  3. Thanks for the interesting article on biometrics. Unfortunately, the MythBusters video continues to misinform the public. If you want to find out about the current state of the biometrics industry, I suggest visiting industry portals like http://findbiometrics.com
    You can also visit SC Magazine and read product reviews such as the Ceelox enterprise grade solution in this review:
    http://www.scmagazineus.com/Ceelox-ID-Server-Edition/Review/2564/
    You may also be interested in learning about biometrics from the National Institute of Standards and Technology http://www.nist.gov

    Posted by: Martin | February 24, 2009 1:41 PM



  4. 1851: Only a decade after the invention of the Daguerrotypie by Daguerre and Niepce, the French officer Aime Laussedat develops the first photogrammetrical devices and methods. He is seen as the initiator of photogrammetry. 1858: The German architect Meydenbauer develops photogrammetrical techniques for the documentation of buildings and installs the first photogrammetric institute in 1885.
    I think it needs at least 150 years as well for the maturation of this technology. Its end is when we identify the DNA.

    Posted by: Mustafa Tercan | February 25, 2009 3:43 AM



  5. MythBusters proved in the August 23, 2006 episode that the specific brand of fingerprint scanner they tested was not secure. That's insufficient evidence for concluding that all fingerprint scanners are not secure today.

    Posted by: John | March 2, 2009 6:39 PM



  6. Only a decade after the invention of the Daguerrotypie by Daguerre and Niepce, the French officer Aime Laussedat develops the first photogrammetrical devices and methods. He is seen as the initiator of photogrammetry.

    Posted by: estetik | March 31, 2009 2:53 PM



  7. If you think getting a user's picture is difficult - think again. Nguyen pointed out that with all the user generated and sharing sites like Flickr, Facebook, Twitter and the various chat programs (Skype, MSN etc), finding or simply taking a snapshot of a user is almost effortless.

    Posted by: burun estetigi | March 31, 2009 2:55 PM



  8. http://www.kardeslerrentacar.com That's where I see biometrics as being helpful right now even though it's not perfect. So when you say "Will biometrics help? Maybe. But clearly not today" I say it is clearly helpful today if combined with a strong password.
    http://www.hemenarac.com

    Posted by: sac ekimi | March 31, 2009 2:57 PM



  9. A photographic image is a „central perspective“. This implies, that every light ray, which reached the film surface during exposure, passed through the camera lens (which is mathematically considered as a single point, the so called „perspective center“). In order to take measurements of objects from photographs, the ray bundle must be reconstructed. Therefore, the internal geometry of the used camera (which is defined by the focal length, the position of the principal point and the lens distortion) has to be precisely known. The focal length is called „principal distance“, which is the distance of the projection center from the image plane´s principal point.

    Posted by: Cevdet Yaka | May 26, 2009 5:05 AM



  10. Great information! Very useful for me. Thanks a lot.
    The idea is awesome. Congrats.

    Posted by: Özel Hastaneler İstanbul | June 8, 2009 2:46 AM



  11. Thank you very much very nice article
    Great information! Very useful for me. Thanks a lot.
    The idea is awesome. Congrats.

    Posted by: Özel Hastane İstanbul | June 8, 2009 2:48 AM



  12. I think if you use biometrics as a stand-alone solution, you still face some risks of authentication; however, I also think that if used in conjunction with PINs, retinal scans, or even ID cards, biometrics will definitely help increase security.

    There are some new installations of fingerprint door locks that use biometrics and pins/keys to help provide the best in protection.

    Posted by: Fingerprint Door Locks | June 14, 2009 11:02 PM



  13. Therefore, the internal geometry of the used camera (which is defined by the focal length, the position of the principal point and the lens distortion) has to be precisely known. The focal length is called „principal distance“, which is the distance of the projection center from the image plane´s principal point.

    Posted by: you tube | July 16, 2009 11:17 PM



  14. Only a decade after the invention of the Daguerrotypie by Daguerre and Niepce, the French officer Aime Laussedat develops the first photogrammetrical devices and methods. He is seen as the initiator of photogrammetry.

    Posted by: göğüs estetiği | July 17, 2009 9:18 AM




  15. nakliyatI did not know anything about how much this article helped Biometrics Thanks

    Posted by: Nakliyat | July 25, 2009 8:47 AM



  16. thanks

    Posted by: evden eve nakliyat | August 31, 2009 5:04 AM



  17. This is a good article.

    A lot of people have seen the Myth Busters episode on youtube or on television and have a fear of using biometrics. But, just because they tested an inferior biometric product doesn't mean that all products are junk.

    Advances in biometrics have come a long way and the newest models offer the latest in security.

    Posted by: Sentry Safe | October 22, 2009 6:18 PM


