A few years back, biometric data from the US Office of Personnel Management (OPM) was stolen in a much publicized breach event. Unlike accounts, usernames, and credentials, this biometric data cannot be changed and is permanently linked back to an identity. For this reason, the safety of biometric data is an important consideration.
Multiple techniques are available for taking digital biometric information and creating attack tools like fake fingerprints. These are used to bypass biometric scanners or even falsify traditional paper-based applications that use ink-fingerprint techniques.
Although many vendors seem to regard biometrics as a holy grail for authentication, large-scale breaches of biometric data and the inability to rest its source highlight a flaw in this approach. For these reasons, biometric data should only be applied for authorization – never for authentication alone.
As we reviewed early, authorization, in the simplest terms, is the permission to perform a task. It is the ability to proceed without verifying who you are or who you say you are. The most common form of biometric authorization used today is Apple Pay. When placing your finger on the touch identification sensor, you are authorizing payment.
Authentication, however, is the verification of you as a person and who you say you are. It does not authorize you to perform any tasks; it just proves your identity. Authentication is primarily performed today by usernames and passwords, two-factor authentication, smart cards, and other techniques like one-time passwords. They generally tie secret knowledge to a second physical media or to the creation of a unique code of which only you have knowledge. The various components of an authentication system are designed to prove your identity, but they do not authorize you as a person to anything.
So, here is where the problem lies. Some biometric technologies are blurring the line between authorization and authentication. They are taking a sophisticated approach based on technology to identify an individual (authentication) and are now merging it with the permissions to perform a task (authorization). When biometric data is compromised, security will suffer and subsequently be used to infiltrate either the user’s identity or the ability to perform tasks.
Although OPM is the first major breach of this type, it does have far-reaching ramifications. The biometric data stolen can be used to craft authorization and authentication attacks against anyone breached, including some of the highest valued personas and assets in the world. Either type of attack would easily and completely bypass traditional username and password paradigms if biometrics alone is used for both. This is why there needs to be a separation between authentication and authorization and why the definitions between the two need to be clearly understood.
Biometric data is like any other form of data – it gets stored electronically. This biometric data is usually encrypted, and various forms of key mechanisms are used to ensure that one data source alone cannot reveal its contents. Vendors claim biometric data is not hack-able, but history has shown us, from the Enigma machine to the weaknesses uncovered in RSA Keys, every type of encryption can be, and will be, compromised. It is just a matter of time, persistence, and a computational speed that prevent this from happening.
While there are systems that can validly claim to be impossible to hack TODAY, that claim only has a finite lifetime. Biometric identities are stuck with you for a literal lifetime. You cannot change your fingerprints or the blood vessels in your eyes. So, by the time we are old(er), there is a good chance that the system securing our biometric data will have been compromised. Considering that we have computers from the 1950s still running air traffic flight control, power plants, and other infrastructure, it is reasonable to assume that some of today’s systems and databases may also be around in 60 years’ time – a sobering thought!
There is one final discussion point that’s worth noting: The debate regarding biometrics is not new. The ability to steal someone’s likeness is not limited to science fiction and has been documented many times in Internet memes and on TV shows like MythBusters. What is new is the extent that hardware and software vendors are adopting biometrics as the next-generation of security solutions.
In the last 10 years, we have seen fingerprint readers on laptops (most of which have been cracked) and facial recognition software that uses local cameras to verify user identities as part of a login prompt. In fact, most Android phones suffer from these flaws, and it has been proven that 3D printed masks (heads) can trick these systems. This next-generation push of biometrics applies multiple techniques for facial recognition (visual, infrared, etc.) and ultimately stores the data electronically, just like every previous technology has done. These devices are still computers with storage devices – encrypted or not – and biometric information needs to be retrieved somehow to complete the authentication process. Therefore, somehow, sometime, someway it will be compromised. A threat actor just needs to find that inevitable “weak link” in order to implement a successful attack vector.
The OPM breach has shown it is possible to steal biometric data. Consumers and businesses adopting biometrics need to be mindful of implementing separation of tasks and to protect accordingly. The explosion of biometric technology is not far off if we continue to blur the lines of authorization and authentications. As long as we can keep the two separate and distinct, the risk can be managed, and the future resultant predictions of identity chaos can be avoided.