What is biometric authentication?
If you’re looking for the answer, check part 1 of this blog here. It’s worth reading anyway, as I cover client side and server side biometrics along with some other classifications, and this post is a direct continuation of that topic.
Snookers required
Couldn’t help but throw in a term from one of my favourite sports to watch – snooker. When snookers are required, a foul cannot be declared a miss – meaning the ball is not replaced as it normally would be, and the player at the table is forced to play on. We are enforcing a behaviour and there’s no workaround.
Biometrics as a requirement
Now, as we enter the area of compliance, where biometric authentication is required by a regulation or policy, we have fewer choices. We can still use client side biometrics, provided no concessions have been made with respect to recovery procedures and the strength and security of the authenticators (or their implementation) is appropriate. Rule of thumb says it will cost you more. Just saying…
Remembering that both client side and server side validation can be true biometrics, let’s move to the server side, as I elaborated long enough on the client side in part 1 of this blog.
Server side biometrics
Let’s take a look at a classic flow: enrolment and authentication. The first time you access the system, we take a sample of the characteristic we’re going to use later. This may be a fingerprint, but most of the time it’s a picture of the face (a selfie) or a sample of the voice (my pet hate in biometrics).
The next time we want to access the service, during authentication, we sample the characteristic again and compare it to the original. These days we have become very efficient at this, with ridiculously low numbers for FAR and FRR (false acceptance and false rejection rates). That comparison and decision is of course made server side (stating the obvious here; please remember FAR and FRR may be similar or even the same for both server and client side comparisons). There’s no fallback and, in principle, no recovery – at least not one that users themselves can trigger without our control over it (a downgrade to a password, for example).
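To make FAR and FRR concrete, here is a minimal sketch (my own illustration, not any vendor’s algorithm) of how both rates fall out of a single decision threshold applied to match scores. The scores and threshold below are made-up toy data:

```python
def far_frr(genuine_scores, impostor_scores, threshold):
    """Compute false acceptance and false rejection rates at a threshold.

    genuine_scores: similarity scores from legitimate-user comparisons
    impostor_scores: similarity scores from impostor comparisons
    A comparison is accepted when its score >= threshold.
    """
    false_accepts = sum(s >= threshold for s in impostor_scores)
    false_rejects = sum(s < threshold for s in genuine_scores)
    far = false_accepts / len(impostor_scores)
    frr = false_rejects / len(genuine_scores)
    return far, frr

# Toy data: genuine attempts tend to score high, impostors low.
genuine = [0.92, 0.88, 0.95, 0.70, 0.85]
impostor = [0.10, 0.35, 0.62, 0.20, 0.15]

far, frr = far_frr(genuine, impostor, threshold=0.6)
print(far, frr)  # 0.2 0.0
```

The point of the sketch: the two rates trade off against each other. Raise the threshold and FAR drops but FRR climbs; lower it and the reverse happens. Tuning that threshold is how systems achieve the “ridiculously low numbers” mentioned above.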
Enter the era of generative AI
Nothing lasts forever, and things get complex quickly. Biometric authentication took a big hit. If we hadn’t developed more controls and countered the risks, ‘something you have’ would in fact be the strongest factor today. As ridiculous as it sounds, passwords (‘something you know’) may just have been stronger than biometrics.

Let’s start with voice. According to research from UCL, humans were able to detect only 75% of deepfake voice samples. And Homo sapiens is at the top of the food chain when it comes to voice-likeness analysis. That’s a worrying statistic for a start. The other scary thing is that commercial tools to produce those are now widely available. All you need is seconds to minutes of voice samples, and the model is trained within seconds. I used two minutes of my Identiverse 2022 session from YouTube to clone my voice and produce high quality deepfakes with ElevenLabs. I tested them against two respectable vendors (I am NOT going to disclose which ones) and managed to bypass voice authentication using AI generated samples. It cost me $5 for the AI component. I will also add that I didn’t splash out on a five-grand high-fidelity speaker; all I needed was a hundred-pound Marshall Bluetooth device, although in one case I had to pass the sample through some filters to work around liveness detection.

Is voice authentication dead? Some may not agree, but I think it is – at the very least as a single factor. I’d still use it for usability (to identify the user, perhaps), but not for security. Even if we manage to deploy some clever countermeasures (like liveness detection), the risk level is so high that it’s just not worth taking; we are simply on the back foot here. Is voice authentication dead over telephone lines (IVR, low quality)? Absolutely yes, beyond reasonable doubt, and I will make a significant effort to defend this statement.
Biometric authentication attacks and countermeasures
While some risks are shared between face and voice capture, I will focus on what will become (if it isn’t already) the most common server side biometric authentication method – face comparison.
There are two distinctive types of attacks on face biometrics – presentation and digital injection.
Presentation attacks
Prints, cut-out masks, Ethan Hunt/Mission Impossible 3D printed heads, screens – you get my point. We present something to the camera: a physical object that has an uncanny similarity to the original. There are many ways we can detect those. One control we could use to counter this type of attack is liveness detection. After all, we want a real human being, not a picture or a dead object that resembles the original. We are fortunate that we can do a lot of things to detect presentation attacks, whatever form they take (the same cannot be said for voice).

Let me give you two cool examples. My favourite: capillary detection. It’s amazing that our phone cameras can see that level of detail, and as of today, generative AI is behind on this. The second example is detecting facial expressions. If you are still, display no expressions, no muscle movement, and you don’t blink, chances are you’re not a live human being. I’ll give you one more. When you take a picture, light is reflected off your face (physics, right?). If you put a monitor in front of a camera, it emits light, and again, we can detect that. It’s a cat and mouse game sometimes, as there are low-glare monitors that could be used to try to fool the system, but that’s beside the point.

All in all, we are more or less on top of the game for presentation attacks. I do, however, remember many years ago (17-ish?) when Android phones offered their first implementation of face recognition, and I could unlock my phone with another phone that simply displayed a picture of my face.
Digital Injection Attack
Remember me mentioning black holes where the laws of physics break? That’s the aftermath of the combination of generative AI and digital injection attacks. This is the scary bit, and the trend. One could probably write a book on these, but let me make a long story short. Let’s say I managed to get hold of a video of you – either the real deal, an actual video, or an AI generated deepfake. If I then manage to inject this stream into the camera performing the capture, most of our liveness checks may just pass.

How can you do it? Well, the simplest form is via virtual web cameras. It’s like mounting a CD drive in a virtual machine by loading an ISO file. OK, you may say, let’s detect whether it is a virtual camera. But yet again, it’s a cat and mouse game, one that will never give you a sufficient level of confidence. If you have ever used an identity verification service, or any form of face biometrics, you’ve probably noticed it mostly happens on a mobile device, right? The reason is that mobile phone cameras (and the OS) are far less penetrable (is that even a word?) than a laptop or a desktop. That still doesn’t mean we cannot fool some systems and carry out authentication on a laptop despite a mobile device being required. Cat and mouse.
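To show why “let’s detect the virtual camera” is such a weak defence, here is a sketch of the naive deny-list approach (my own illustration; the pattern strings below are examples of commonly seen virtual-camera software names, not any vendor’s actual list):

```python
# Naive countermeasure: flag camera device names that match known
# virtual-camera software. A determined attacker simply renames the
# device or patches the driver, which is exactly the cat-and-mouse
# problem described above.

SUSPECT_PATTERNS = ("obs virtual", "manycam", "snap camera", "virtual cam")

def is_suspect_camera(device_name: str) -> bool:
    """Return True if the reported device name matches a known pattern."""
    name = device_name.lower()
    return any(pattern in name for pattern in SUSPECT_PATTERNS)

print(is_suspect_camera("OBS Virtual Camera"))  # True
print(is_suspect_camera("FaceTime HD Camera"))  # False
```

The check only sees what the driver *reports*, and the attacker controls the driver. That is why vendors prefer mobile capture paths, where the OS attests to the camera pipeline rather than trusting a self-declared device name.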
We also have a new type of software at our disposal: face swaps. It’s amazing, really, but we can replace our face with someone else’s in real time, and the expressions and movements will match. Just google DeepFaceLive or Swapstream dot ai. Super cool and funny at times – and never mind the biometrics, these tools will profoundly disturb society in the near future, driving a spike in scams and APP (Authorised Push Payment) fraud. If you want to learn more, check iProov’s 2024 Threat Intelligence Report. I guarantee lots of fun reading it. It’s not just for the geeks either; it’s very eye-opening.
So, going back to the process of capturing your face for comparison. We established that we prefer mobiles to desktops or laptops, and for the most part you need to use the vendor’s SDKs to incorporate the capture into your application. Remember: for client side biometrics you only need to be able to do WebAuthn; for server side you need to buy a solution and deploy it. That’s the cost I mentioned earlier. It also means we are yet again tied to devices – mobile phones – and there are circumstances where we just can’t use them. Air travel, working in a basement or in Faraday cage rooms, laboratories where we wear gloves, traders on the floor who still cannot bring their phones with them – that’s just a few examples. Experience is another thing. Wouldn’t it be cool if I could open my MacBook, go to my bank’s website and use the built-in camera to authenticate? Oh yes, it would not be secure… But maybe there’s a way?
People are still way better than AI (and cooler)
We may not scale or perform as well, but we’re still the bee’s knees.
Before I go any further I want to stress that I have no monetary affiliation with iProov and this is not a sales pitch. I am merely using them as an example of a technical solution that solves a lot of problems that I talked about so extensively. They were also kind enough to provide access for me to test their stuff and it was me reaching out, I have not been approached to write about them.
On a personal level, if you ask me whether their tech is cool? I think it’s very interesting and creative. First of all, they allow the use of desktop and laptop cameras. It means I can indeed go to my browser and log into a bank using nothing more than the built-in camera. But hold on – what about the worst of the worst, digital injection attacks, face swaps and the like? They have developed a few controls (countermeasures), but one of them is so simple and so effective that I can’t help but tell you about it. Using the light emitted by the monitor, they illuminate your face with a sequence of colours. This sequence is unique each time you log in, and it only takes a few seconds. You know where this is going, right? They then compare the colour sequence reflected off your face into the camera to see if it matches.

I am under no illusion: with a clever photocell and a replay system this could potentially be worked around. But together with other controls – effectively a defence in depth architecture – as of right now, they are on top of their game. And it also solves many of the use cases I mentioned above. I like the way the video is captured: you don’t see the exact picture in detail, as a filter is used (I think it’s called vector tracing/line art), which allows you to position yourself well in the oval without feeling bad about your haircut on the day – at least that works for me 😉 – or about my messy house decoration in the background.
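The elegance of the flashing-colour idea is that it is a classic challenge-response. Here is a heavily simplified sketch of the concept (my own illustration, inspired by the mechanism described above – this is NOT iProov’s actual protocol, and all the names and the colour palette are made up): the server picks a fresh, unpredictable colour sequence, the capture reports the colours reflected off the face frame by frame, and the server checks for a match.

```python
import random

COLOURS = ["red", "green", "blue", "yellow", "magenta", "cyan"]

def issue_challenge(length=4, rng=None):
    """Server side: generate a fresh, unpredictable colour sequence."""
    rng = rng or random.Random()
    return [rng.choice(COLOURS) for _ in range(length)]

def verify_response(challenge, observed):
    """Server side: the reflected sequence must match the challenge.

    A pre-recorded or injected video carries the colour cast of an OLD
    session (or none at all), so it cannot match a sequence that was
    only chosen after the capture started.
    """
    return observed == challenge

challenge = issue_challenge(rng=random.Random(42))  # fixed seed for the demo

# Live capture: the reflected sequence tracks the challenge.
print(verify_response(challenge, list(challenge)))  # True

# Replayed/injected footage: no trace of this session's colours.
print(verify_response(challenge, ["grey"] * len(challenge)))  # False
```

The unpredictability per session is what defeats replay; in a real system the “observed” values would come from analysing the colour cast of the captured frames, which is where the hard computer-vision work lives.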
It doesn’t come without problems, and if you think about it, because we use light, the conditions have to be appropriate. Nothing too ridiculous, but I did experience some problems sitting in my office with twelve strong LED lights above me and an array of monitors shining in my face. In their defence, I struggle to complete any identity verification successfully in those conditions. But hey, tech can always get better – that’s the fun part of it. Another criticism I heard was that being illuminated with the flickering colours wasn’t a nice experience. I personally did not find it disturbing at all, but if you suffer from epilepsy, maybe, just maybe, it could be problematic – though I have no data to support this claim. From a customer experience perspective, I still prefer this to handing off my authentication to a mobile device and an app. Especially if I don’t have the phone with me.
Another interesting option here would be using Cascaded Context Trust to enable biometric authentication cross-channel, but without dedicated apps. You could start the journey on an older device with no camera, hand it off to a mobile (or someone else’s more modern laptop), complete it there, and then continue on the channel where you started. Since we can use the web SDK, no app apart from the built-in browser is needed on the phone.
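A handoff like that can be thought of as a short-lived, single-use code binding the two channels together. The sketch below is my own illustrative token flow, not the actual product mechanism behind Cascaded Context Trust; every function name here is hypothetical. The first device displays the code (say, as a QR code), the camera-equipped device redeems it, and the original session polls for the result:

```python
import secrets
import time

SESSIONS = {}  # in-memory store; a real system would use a shared backend

def start_handoff(session_id, ttl=120):
    """Original channel: mint a short-lived, single-use handoff code."""
    code = secrets.token_urlsafe(8)
    SESSIONS[code] = {"session": session_id,
                      "expires": time.time() + ttl,
                      "done": False}
    return code  # rendered as a QR code / link on the first device

def complete_on_second_device(code, biometric_passed):
    """Camera device: redeem the code exactly once, before it expires."""
    entry = SESSIONS.get(code)
    if not entry or time.time() > entry["expires"] or entry["done"]:
        return False
    entry["done"] = True  # single use: a replayed code is rejected
    entry["verified"] = biometric_passed
    return True

def poll_original_session(code, session_id):
    """Original channel: result is bound to the session that started it."""
    entry = SESSIONS.get(code)
    return bool(entry and entry["session"] == session_id
                and entry.get("done") and entry.get("verified"))

code = start_handoff("desktop-session-1")
complete_on_second_device(code, biometric_passed=True)
print(poll_original_session(code, "desktop-session-1"))  # True
```

The short TTL, single use, and session binding are what stop an attacker from redeeming a stolen code later or attaching someone else’s biometric result to their own session.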
You can check for yourself whether it would bother you. Want to see it in action? I created a short video showing the authentication process here. I used the Ping Identity AIC (Advanced Identity Cloud) integration, which I was also lucky enough to have access to.
Summary
Hopefully, you now understand the differences and nuances between the different forms of biometric authentication. The good news is that the technology keeps moving forward, and vendors do work towards making the digital experience better and simpler, with less friction for us, consumers and our workforce. Imagine: if we can easily identify and authenticate faces using standard devices, we can let people onto aeroplanes faster (why check a boarding card if it was issued digitally and is linked to an identity?), catering or cleaning contractors (whose access is temporary by nature) wouldn’t require access cards, long queues at sporting events could be reduced – the possibilities are endless!
Another positive is that, while there are risks associated with generative AI, we are not getting complacent, and we continue to secure our resources better and better.