A BBC reporter recently opened an HSBC bank account and signed up for its voice recognition ID service. His fraternal twin brother then called the bank. Putting on his best imitation of his twin, he easily skirted past the security test, which involves saying, "My voice is my password."
The BBC, which aired the finding last week on its Click technology program, said it is believed to be the "first time the voice security measure has been breached." It marked another dark cloud for the hope of biometrics technology, which is increasingly used at immigration crossings and banks (see HSBC Experiences Voice Biometrics Telephone Banking Fail).
Researchers continue to chip away at notions that biometrics is the silver bullet for solving authentication problems. Biometrics has become familiar to the masses through fingerprint readers on the latest smartphones, but it's a narrow use case with well-known issues.
The world is not becoming a place where biometric detail is getting harder to obtain, says Andrew Jamieson, an expert in embedded systems who works for the innovation group at Underwriters Laboratories. Using passwords for authentication was recognized almost from the start as a bad idea, but "biometric data was public to begin with," he says.
For example: Our DNA is scattered everywhere. Also, the ever-increasing resolution of digital cameras means our fingerprint patterns can be collected with remarkable detail. And irises are not off limits to digital collection either, as German Chancellor Angela Merkel can attest.
"Biometrics are ... kind of broken, but there are ways we can fix that," says Jamieson, who gave a presentation on Thursday at the AusCERT 2017 security conference in Gold Coast, Australia. "I think once again they can be used for good."
Making a Match
Biometrics is tricky because it is essentially taking analog attributes - a fingerprint, an iris pattern - and translating them into digital at varying degrees of resolution. A person's physical attributes are converted into bytes, which are stored in a template.
During verification, there are a lot of hurdles in the analog-to-digital translation. The way you look from day to day or how a finger is presented can all be slightly different from when the template was created. That comparison process must have room for error.
"That match is never going to be perfect," Jamieson says. "We're not comparing two numbers. We're comparing the way something looks."
Facial recognition systems have been fooled into thinking two people who look vastly different are the same by simply wearing eyeglasses. That recent research threw doubt on using machine-learning algorithms, particularly for public-safety applications.
Deeper probing has also uncovered the wiggle room needed for successful, but unauthorized, fingerprint authentication. A team of researchers from Michigan State University and New York University discovered they could create "master" fingerprints that could fool a smartphone's fingerprint scanners up to 65 percent of the time, according to their paper.
Smartphones keep a template of partial fingerprints, which is why even from odd angles the devices only require a quick scan. The researchers concluded it was possible to generate partial fingerprints that would match large numbers of users, a significant weakness.
"Biometrics is not one-to-one," Jamieson says. "It's essentially one-to-many because we have to have those error bars. Does this mean we can take features from multiple people to create skeleton keys? Ultimately you can."
Biometrics, in Context
Despite the repeated glum findings around biometrics, Jamieson says he's actually a proponent, albeit with some caveats.
"We do need to understand how we're going to use them and what the problems are," he says. "We need to mitigate against those problems, the same as we'd do with any other system."
Biometric systems become stronger in context, and that's where big data can help. Location data or knowing a pattern of when someone uses biometric authentication can help the systems make a better judgment on whether to open access.
"You need to make sure the biometric system you are using isn't a single factor because it's essentially useless," Jamieson says. "It needs to be coupled with something else."
That risk can be judged according to the situation. In some cases, a partial fingerprint alone may be fine. But for other transactions with higher risks, the authentication can be escalated, requiring or calling on other information.
He advises that potential buyers try to validate biometrics vendors' claims. For example, there have been claims that templates of biometric information can't be reversed, but they can, Jamieson contends.
New generations of biometric systems will likely show continued improvement. For example, the resolution of fingerprint systems is now about 600 by 300 dots per inch, but newer sensors increase that resolution by up to four times. "I'm hoping it will get better," Jamieson says.