
4 drawbacks of biometric authentication

Founder, Privacy PC


David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs a project that presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.
October 21, 2019



Biometric authentication mechanisms are intended to take the security of users' login practices to a new level.

Passwords are often criticized for not being effective enough these days, and yet they continue to be the main alternative to the biometrics-based approach. Therefore, a comparison of these two techniques will shed light on their imperfections and weak links. Here we go.

#1. Biometric authentication details cannot be invalidated remotely if something goes wrong

A serious caveat regarding biometric security is that you cannot change or re-enrol such authentication data remotely. With a password, by contrast, you can simply use an account recovery option if you forget it or your account gets compromised.

An extra benefit of this workflow is that you can change the password in the process or further harden the account by enabling two-factor authentication (2FA).

With biometric authentication in place, things are entirely different: you cannot alter the biometrics enrolled on a device unless you have physical access to it. Remote lock or wipe tools can disable the device outright and force a passcode, but they cannot replace a compromised biometric.

Therefore, if your smartphone is stolen, a motivated thief may be able to use a fake silicone finger, or a 3D-printed one, to fool the fingerprint reader, unlock the device, and pilfer all of the personal data stored on it.

#2. The scourge of ‘MasterPrints’ fooling popular smart devices

When you opt for fingerprint-based authentication on a smartphone, you will most likely need to press the sensor multiple times with a single finger to get started. This is because the sensors embedded in such devices are limited in size, and they can only scan a relatively small fragment of your fingerprint at a time.

By capturing partial fingerprint patterns from several different angles during the enrollment, the gadget can ensure that at least one of them will match the impression retrieved from the user during every subsequent instance of authentication.

According to security researchers' findings, a specific partial fingerprint dubbed a "MasterPrint", whether synthesised or taken from a real finger, triggered a successful authentication response on roughly 65% of the devices tested. This is an observation made under lab conditions, and real-life numbers will probably be much lower.

Nevertheless, even if the finding holds true for only 10% of all smartphones, the potential exploitation surface spans millions of devices.

#3. Biometrics are immutable

Whereas you can easily change your password if someone steals it, your fingerprint, iris and other biometric characteristics are unchangeable. If another person has a replica of these, there is very little you can do except fall back on secrets you can rotate: passwords, PINs or security tokens.

In a massive breach at the U.S. Office of Personnel Management, hackers reportedly stole the fingerprints of 5.6 million individuals. As a result, the affected government employees and contractors can never again treat their fingerprints as a secret that only they hold.

#4. Software flaws

Researchers at FireEye Labs discovered a number of critical vulnerabilities in popular Android smartphones (presented at Black Hat USA 2015) that could allow an attacker to remotely obtain the user's fingerprint image and compromise mobile payment workflows.

Thankfully, the vendors have since provided fixes for these issues, but the fact remains that the software stack around biometric authentication can turn out to be low-hanging fruit: the sensor, its driver and the apps that consume its results are ordinary code with ordinary bugs.

Known hacking vectors

Security researchers have demonstrated methods that malicious actors may use to deceive biometric authentication systems. Below is a roundup of these techniques.

Creating a phony fingerprint

With a high-quality fingerprint of the targeted person at their disposal, attackers may be able to reproduce the pattern precisely on a thin sheet of silicone, rubber, or another flexible material. Capacitive sensors only register a conductive surface, so to unlock the device the attacker places the bogus print on the scanner and presses it with a real finger (or another conductor) behind it, emulating the real-world authentication scenario.

Manipulating an iris scanner

Some iris scanners are easy to fool. It suffices to take a picture of the iris with a consumer camera in night mode, print the image on paper, and place a wet contact lens on top of it to imitate the curvature of the eye.

Compromising the device and extracting biometric data

Cybercriminals may try to take a shortcut and attack the component of a mobile device that stores the authentication details. If an iOS device is the target, the attackers need to get at the Secure Enclave, a separate coprocessor that holds the fingerprint template (not the image) and never exposes it to the main operating system. The good news is that the vast majority of criminals lack the expertise to do this. It is technically feasible, though: white hat researchers have already attacked it as a proof of concept.

For Android devices, a similar incursion requires breaking into the Trusted Execution Environment (TEE) and escalating privileges inside it. Fortunately, this is out of reach for most criminals and there have been no major real-world incidents of that sort yet. However, the mobile threat underground is maturing and such attacks might occur in the future.

Ways to protect fingerprint scanners and prevent unauthorised access

Here is how to enhance the security of your fingerprint authentication routine:

  • Use an anti-fingerprint phone case or oleophobic coating, so that fewer usable latent prints are left on the device itself.
  • Attackers typically try to fake the print of one's thumb or index finger, so use a different one to unlock your smartphone.
  • Combine the fingerprint with a password or PIN. Although this is somewhat more tedious, it raises the bar considerably: a fake finger alone no longer suffices, and a thief who cannot produce the PIN is locked out.
  • Opt for a fingerprint randomiser if available. To use this feature, you enrol several fingerprints, and the device asks you to use a different finger each time you try to unlock it.
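The stolen-phone scenario under #1 and the fingerprint-plus-PIN advice above come down to one design rule: the biometric should be a convenience factor gated by a secret you can change, not the secret itself. The following lock-screen state machine is an added Python illustration of that rule, written for this article rather than taken from any phone vendor's code. Its policy values (five failed fingerprints disable the sensor until the PIN is entered; the PIN is required once after boot and after a remote lock; PIN guessing backs off after three failures) and its stand-in for templates held in secure hardware (opaque strings compared for equality, where a real matcher is fuzzy) are all assumptions.

```python
import hashlib
import hmac
import os

# Policy constants (assumptions for this example; real phones use comparable
# but vendor-specific values).
MAX_BIO_FAILS = 5            # failed fingerprints before the sensor is disabled
PIN_FAILS_BEFORE_DELAY = 3   # failed PINs before exponential back-off starts
PBKDF2_ROUNDS = 100_000


class DeviceLock:
    """Toy lock-screen state machine: the fingerprint is a convenience factor
    gated by a real secret (the PIN), never a replacement for it."""

    def __init__(self, pin, enrolled_templates):
        self.salt = os.urandom(16)
        self.pin_hash = self._derive(pin, self.salt)
        # Constructed stand-in for templates held in secure hardware.
        self.enrolled = set(enrolled_templates)
        self.bio_fails = 0
        self.pin_fails = 0
        self.bio_enabled = False   # PIN required once after boot ("first unlock")
        self.unlocked = False

    @staticmethod
    def _derive(pin, salt):
        # Slow, salted hash so a dumped pin_hash cannot be brute-forced cheaply.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def pin_delay_seconds(self):
        """Back-off the UI must enforce before the next PIN attempt."""
        extra = self.pin_fails - PIN_FAILS_BEFORE_DELAY
        return 0 if extra < 0 else 30 * 2 ** extra

    def unlock_with_pin(self, pin):
        candidate = self._derive(pin, self.salt)
        if hmac.compare_digest(candidate, self.pin_hash):  # constant-time compare
            self.pin_fails = 0
            self.bio_fails = 0
            self.bio_enabled = True   # a correct PIN re-arms the biometric
            self.unlocked = True
            return True
        self.pin_fails += 1
        return False

    def unlock_with_fingerprint(self, template):
        # A spoofed finger gets at most MAX_BIO_FAILS tries, and none at all
        # after a reboot or a remote lock: the thief still needs the PIN.
        if not self.bio_enabled:
            return False
        if template in self.enrolled:
            self.bio_fails = 0
            self.unlocked = True
            return True
        self.bio_fails += 1
        if self.bio_fails >= MAX_BIO_FAILS:
            self.bio_enabled = False
        return False

    def remote_lock(self):
        """What a 'find my device' lock does: force the PIN, disable biometrics."""
        self.unlocked = False
        self.bio_enabled = False

    def lock(self):
        self.unlocked = False


if __name__ == "__main__":
    phone = DeviceLock(pin="4821", enrolled_templates={"right-thumb"})
    print("fingerprint right after boot:", phone.unlock_with_fingerprint("right-thumb"))
    print("correct PIN:", phone.unlock_with_pin("4821"))
    phone.lock()
    print("fingerprint after first unlock:", phone.unlock_with_fingerprint("right-thumb"))
    phone.lock()
    for _ in range(MAX_BIO_FAILS):
        phone.unlock_with_fingerprint("fake-silicone-finger")
    print("real finger after 5 spoof attempts:", phone.unlock_with_fingerprint("right-thumb"))
    for _ in range(PIN_FAILS_BEFORE_DELAY + 1):
        phone.unlock_with_pin("0000")
    print("delay before next PIN try (s):", phone.pin_delay_seconds())
```

Note what the thief with a silicone finger gets: at most five tries, and zero if the owner triggered a remote lock or the phone was rebooted. Every path back to the data runs through the PIN, which, unlike the fingerprint, can be changed after the incident.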

Biometric authentication is definitely an amazing technology that extends the scope of users’ login options and generally makes the process more effective. However, it’s not flawless.

With that said, it is in your best interest to make sure you are using it securely. And do not forget the other ways of protecting your devices: closing unneeded open ports, installing all software updates, and running antivirus software remain important security measures.
