Biometric spoofing is harder than people think
Biometric authentication is highly robust, and the latest solutions offer considerably greater security than their authentication predecessors: PINs and passwords.
But as biometrics moves into new areas such as payments and access control, privacy and security concerns are rising. Biometrics has long been subject to scrutiny, with many elaborate examples of people working to trick biometric sensors to crack devices in the media and online.
It is important to shine a light on the reality of biometric spoofing.
The first use of fingerprints as forensic evidence was in an Argentinean court case in the late 1800s. With the technology still in its infancy, this was done manually and by eye, comparing latent residual prints lifted from crime scenes to charts of inked fingerprints obtained from the suspects at arrest.
A few decades later, the FBI began collecting fingerprints of criminals and civilians. The bureau also introduced the automated comparison of fingerprints by computers in the 1970s. These “traditional representations” have now been standardized by ISO and ANSI.
The earliest and simplest of these matching devices were easy to spoof. Really, all you needed was a photocopy or a good image of a fingerprint to make a successful spoof.
But as biometrics moved to more advanced technology, the game for biometric "spoofers" has changed and the task of crafting fake fingerprints is considerably more difficult.
The biggest boost for biometric security, however, came with its introduction into mobile phones.
Before the widespread integration of fingerprint sensors in smartphones, the technology underwent significant evolution. No operator wanted to use large biometric sensors in modern phone designs. Sensors had to become much smaller to reach the perfect price and design point for the mobile world, but this meant needing to capture data from a smaller surface area of the finger.
To maintain the security of these smaller sensors, algorithms evolved significantly in order to utilize a greater amount of data per unit area. These mobile-driven hardware and software changes resulted in the optimized image capture of modern touch sensors.
As a result, tricking these systems now requires a considerably higher level of detail to be reproduced correctly for a match to be successful, far beyond rudimentary gummi bear spoofs and photocopies.
Compromising fingerprint authentication via spoofing can still be done, even with all the technological advancements. However, it now requires considerable care, skill, money and time. And to start, a good latent print.
To retrieve a latent print that’s high quality enough to work, you either need a willing volunteer to lend you their finger, or the commitment to stalk a victim until a viable fingerprint can be retrieved. Even with a decent latent print, modern spoofs then require advanced photoshop skills and/or a lab to successfully convert latent prints into effective moulds.
So, what about those articles boasting how easily they have hacked the latest smartphone device’s fingerprint sensor?
In fact, there are only two instances of fingerprint spoofing seen in the media nowadays: proof of concept and cooperative spoofs. Lay enthusiasts and media go through the effort of setting up a lab to create spoofs with latent fingerprints either from themselves or cooperative volunteers. Even the most successful of these take months of work, a highly skilled team and the perfect scenario of circumstances.
Put simply, the effort required for spoofing modern fingerprint sensors cannot be applied at any scale. Each biometric spoof needs to go through the same laborious process and clinical conditions. So, if you can bring together a willing group of spoofing enthusiasts, tricking a biometric device could earn you 15 minutes of fame on the internet, but it is ikely to be conducive to a successful criminal business plan.
Spoofing biometrics remains technically possible, and there will always be those up to the challenge of trying to hack the latest technology. But the reality is that modern biometric solutions require more time, skill and, frankly, luck, to successfully spoof than ever before. Not to mention that tireless R&D work is continuously strengthening spoofing resistance. And, as use cases start to combine multiple biometric authenticators, such as combining fingerprints with face or iris to perform an authentication, spoofing will only become more complex.
By comparison, hacking PINs and passwords is considerably simpler and more scalable, making it far more lucrative. And criminals generally take the path of least resistance.
For the average consumer, greater use of biometric authentication is not only a means of simplifying authentication; it dramatically improves the security of their devices, applications, and personal data. With PINs and passwords still the most common authentication method outside of mobile, it is imperative that the true security and advanced nature of modern biometric authentication solutions are understood.