Is Your Heartbeat The Future Of Biometric Authentication?

What are the main vulnerabilities of first generation biometrics?

First generation biometrics are external to the body; you can feel, hear, see and touch them. This makes the much easier to be skimmed and replayed by an attacker. We are already seeing fingerprints being copied from just a picture of a hand, facial recognition systems being fooled by pictures and videos. As the world moves away from passwords, these types of attack are going to continue to rise.

First generation biometrics are also static biometrics; they provide yes or no answers. This means that being able to detect liveness (that there is an actual real person there) is tougher, again making them more vulnerable to replay attacks.

As the world moves to biometrics we will begin to see humans becoming continuously authenticated as they interact/interface with technology. This means that people will be able
to interact with devices and authenticate without even knowing they are doing so. Some first
generation biometrics like fingerprint will struggle to adapt as they rely on a challenge response, i.e. the user needs to put their finger on a sensor to be accepted.

How is the adoption of biometrics developing in general?

The integration of Touch ID into the Apple iPhone 5S in 2011 has caused biometrics to explode into the market as users become normalised with using their biometrics to identify themselves multiple times a day. This adoption of fingerprint biometrics through the iPhone has really brought down the barriers, and now we see biometrics being used in banking Apps, through companies like Daon, who power Mastercard’s Selfie Pay.

We also see Iris being incorporated into Samsung Galaxy Note 7 phones and facial recognition in Windows Hello platform.

However with the increase of use of biometrics we are being see the first signs of how easy it can be to comprise these new forms of authentication. A german chancellor recently had their fingerprint copied from a journalist’s’ photo taken from a distance. The iPhone TouchID sensor was hacked pretty rapidly using play-doh and facial recognition systems have even been hacked using profile pictures from facebook.

There is still a long way to go to prove the reliability and security of biometrics to see a total reliance on them, and to ditch password and pins for good!

What’s your view of the future of authentication?

That’s a good question! As I mentioned before we are seeing some vulnerabilities with first-generation biometrics on the market currently. I think we will see a real increase in sophistication of their Presentation Attack Detection systems (PAD), this is basically the ability to spot when an imposter is trying to pretend to be the actual user. This will allow biometrics like fingerprint to stay
relevant while new biometrics hit the market.

In the near term, I also think we will see a move to new forms of ‘next generation’ like ECG biometrics and behavioural biometrics that have the ability to be more secure due to the internal nature of the biometric. We will also see a move towards more multi-modal solutions where you will be asked for several different factors based on a level of risk.

For example, if you are logging into your online banking from your sofa, you may only be asked for a fingerprint, but if you are trying to access the system while abroad, you may be asked for two or more factors.

In the next five years or so, I think we will see a shift to passive or continuous biometrics. Currently all biometrics on the market are challenge/response biometrics; they ask you to prove who you are and you provide a biometric answer. In the future, you will be continuously authenticated through your heartbeat, behaviour or even DNA!

This will allow devices and applications to automatically know who you are without even needing to ask you. This is where I think the real value in the biometrics market lies.

Quiz: Security in 2017