Put to the test

Editorial Type: Feature Date: 2019-09-01 Tags: Security, Biometrics, Hacker attacks, Testing, Authentication, Data Breaches, FaceTec
The rise of biometrics has brought a rise in hackers trying to fool the system, using spoofs or fake biometrics. One argument for countering this is compulsory standardised testing.

Biometrics are seemingly all the rage, promising to bring users enhanced convenience and security, while driving the adoption of decentralised authentication (allowing frictionless login from any device, rather than from only a single device). However, with users accessing a device dozens of times a day, the way in which users look at 'security' has changed.

As Steve Cook, head of business development EMEA at FaceTec, comments: "As an alternative to a password or fingerprint to open a device, lenient 'good enough' security options that appear to work, such as face unlock, have slowed centralised adoption, even though, as a biometric convenience feature, it is not secure enough for even small transactions."

There is a widespread belief that your biometric data is yours alone and therefore only you can use it. "But the rise of biometrics has also led to a rise in hackers trying to fool the system using spoofs or fake biometrics, like photos, videos and masks, to gain access. Many hardware-based face unlock solutions have already been publicly hacked." However, there are biometric face authenticators that prevent these spoofing attempts, he points out.

"The most important difference between convenience features like face unlock and true face authentication is a technology called 'Liveness Detection'," argues Cook. "Biometric authentication is only secure when it concurrently matches images, verifies three-dimensionality (and not a 2D photo, video etc) and detects a live human by verifying dozens of living human traits in real-time. We have witnessed, and engaged in, the public spoofing of highly publicised biometric systems such as Apple's Face ID, whose 3D system was bypassed by Bkav, among many others, using a mask with a paper face glued on, despite claims to be the most secure biometric security in the consumer market," he states.

If it is that easy to spoof a 'security' feature, it is not at all appropriate to use for sensitive account access - like for banking, healthcare, insurance, social networks - or important transactions of any sort, he points out. "In a market where dozens of solutions continue to make unsubstantiated claims of defence against presentation attacks, consumers and organisations alike can become confused as to the validity of their chosen biometric security solution."

To avoid the results of a data breach, such as lawsuits, fines and an irreparably damaged brand, standardised third-party testing is an absolute necessity. "Having compulsory standardised testing - such as we have successfully completed with the ISO 30107-guided NIST/NVLAP-certified iBeta Presentation Attack Detection (PAD) Level 1 and 2 tests - will ensure that biometric authentication software and hardware will be safe for businesses and individuals to use daily."

At least as important, adds Cook, "it will create a solid foundation for building strong, verifiable biometric authentication technology that prospective users will be able to accurately assess before deciding to make a commitment to using it".