The Good and Bad of Biometrics
As part of our ongoing quest to o̶b̶l̶i̶t̶e̶r̶a̶t̶e̶ ̶t̶h̶e̶ ̶p̶a̶s̶s̶w̶o̶r̶d̶ make a passwordless future a reality, Duo has turned heavily to biometrics as a convenient identity verification mechanism for future use with the WebAuthn protocol. Biometrics are great! They’re really convenient, and they can be really secure. However, some implementations are not, and it’s not always clear whether a given implementation is secure. In this article, we want to shed light on the various threats biometrics defend against. We’ll look at what properties of biometrics make them good or bad at defending against one threat but not another. We’ll then take a deeper look at different fingerprint, facial identification and vein scanning technologies, and what makes them strong or weak.
It’s natural to be somewhat skeptical about biometrics being used in place of passwords. After all, biometrics aren’t secret. Let me repeat that, but louder.
Biometrics Aren’t Secret.
Humans leave fingerprints everywhere they go, and in most places it’s unusual to hide or obscure one’s face in public. Huge biometric databases have been exposed in the OPM hack, Biostar leak, and many other leaks. Fortunately, this doesn’t diminish the security properties of biometrics, since we aren’t relying upon their secrecy in the first place. But it does warrant consideration on when it’s appropriate to use biometrics to protect against threats and prevent unauthorized access to our data.
Let’s start with the assumption that anyone who wants to get your fingerprint, or a photo of your face, can get it. When you use a biometric to unlock your phone or log in to your laptop, you’re depending on the fact that it is very difficult for an attacker to fool the biometric sensor, even if the attacker has a perfect 2D image of your fingerprint or face.
When we use fingerprints or face unlock to log in to a website, we don’t actually send the biometric information to the website like we would with a password, nor is it stored by the service provider or site. Instead, the biometric is used to locally unlock a secret key stored on the device (e.g. phone or laptop) and then that secret key is used to log in. Except we still don’t send the secret key to the website because math lets us prove possession of the secret key without sharing it. Only you can unlock the secret key with your biometric and your device. Hmm. Something you are, and something you have. Two factors in one step. That’s darn convenient. What if we got rid of passwords and had only biometrics left? Would that be secure enough?
01. Threat Vectors
It’s easy enough to think of a scenario in which biometrics are weaker than passwords. What if someone could force you to unlock your phone? Using a password feels safer in a visceral sense because nobody can read minds (yet!). However, if we look at all the different possible threats holistically, we see that biometrics are often strong in ways that passwords are weak.
Advantage: Passwords, maybe
There are definitely situations in which a user may feel pressured to unlock their device or log in to an account. In a legal context, a judge or border crossing agent could attempt to compel them to do so. In many jurisdictions, a judge cannot compel a user to reveal a password, but may be able to order a user to provide their biometric. Whether or not either is legal in a given jurisdiction is somewhat less relevant because it could happen anyway. A biometric can be used against the user’s will. A password theoretically allows users to retain the ability to keep their devices locked. Even then, however, it might be bypassed if the authorities want access badly enough.
In the criminal sense, few people will be able to resist threats of violence to prevent their device being unlocked, although it is still a possibility. With a password (and some foresight), users may also have the option to hide their real data in a hidden volume instead of on a main partition. It’s also possible to use a specific fingerprint (say, your pinky-finger) to unlock a duress function, but doing so may be suspicious, and the coercer may compel the user to use their standard biometric anyway.
Despite the advantages passwords have in this threat context, for the majority of people, a mugging or legal judgment is not something they are likely to prepare against specifically because it is an infrequent occurrence. And even then, compulsion is likely to work anyway, irrespective of credential choice.
A very common way to compromise an account is to compromise the device logging on. Whether a PC or mobile phone, devices can become infected by running untrusted applications, visiting the wrong website, or executing untrustworthy email attachments. New threats are being discovered all the time, and often there is nothing users can do to prevent infection until a patch has been developed and rolled out.
If the device you are using to log in to a website is infected, it doesn’t matter whether you log in with a password or biometric. If the malware has the sophistication to monitor the login process, it could just as easily steal any session tokens or cookies that can be used for subsequent access to the account. Because the user is hosed either way, we don’t think there’s an advantage for either passwords or biometrics when the threat context is malware. It’s simply vital to keep your devices updated.
Side note: Duo’s app can perform health checks to help identify when new patches are available for your devices to help protect against malware.
Malware can be one avenue through which an attacker obtains user passwords, although there are many others. Once stolen, a password can allow both future sessions and other services to be compromised from a remote location.
When the threat context is remote attackers, there are many advantages to the biometrics + secret key approach over the use of passwords. The first is that password reuse is a common practice and multiplies the impact of any sort of disclosure of a user’s password. If an attacker places malware on a user’s device and captures their biometric (fingerprint, facial scan, etc.), they cannot easily use that to access other accounts due to the secret keys being stored on a Hardware Security Module (HSM) such as Google’s Titan M chip or Apple’s Secure Enclave Processor. However, if an attacker captures the user’s password, they can then attempt to reuse that password across other sites of interest, such as major banking websites, social networks, and email providers.
But let’s assume the user is doing their due diligence and using a password manager to generate unique, long, random passwords (only 1 in 10 people use a password manager according to av-test.org). If they ever need to copy-paste their passwords into a form field, they can potentially be phished. Password managers protect against auto-filling credentials into the wrong website, but aren’t perfect and must make reasonable guesses on mobile applications which do not have a domain name field to validate. This is one reason why multi-factor authentication (MFA), such as a one-time passcode (OTP) or Duo Push, is important: it provides a second layer of defense in case a user’s primary credential is compromised. But most MFA methods are also phishable, and attackers are starting to build multi-factor automated phishing tools.
Biometrics, in conjunction with WebAuthn and FIDO2, cut through the murkiness surrounding passwords and use strong cryptography to prove to a website that the user is both in possession of the device holding the secret key and has also used a biometric to verify their identity to that device. WebAuthn (used with a proper HSM) is unphishable. The way the WebAuthn proof of identity is constructed, it cannot be created at all if the user is on a phishing site. This completely eliminates phishing and remote compromise of a user’s primary credential.
In order to log in as a victim, the attacker must now either place malware on the victim’s device or steal the device itself in meatspace, re-scoping the threat to a specifically targeted, local attack. Since the biometric is what unlocks the HSM, this reduces the problem to that of simply unlocking the device. To attack this system, one must fool the biometric sensor into falsely validating the user’s identity. Even if it were easy to do so, a remote attacker must now specifically target each user and attack a physical process in the real world. This by itself raises the bar so high that it can potentially eliminate entire categories of remote attacks overnight, simply by adopting a more convenient authentication method.
Local Attackers (non-compulsory)
Advantage: Dependent on Strength of Biometrics
We can vividly imagine a threat context in which a device is lost or stolen and we’re concerned the finder/thief may attempt to unlock it. This is different from the compulsion context in that there is no threat of violence or physical force, but nevertheless a thief may be able to observe your use of the device before stealing it or obtain biometric data afterwards. A thief can take photos to record facial information, videos to record a password being typed, or lift fingerprints for later use.
In this context, it may be less important that your unlocking mechanism is secret than whether an attacker can replicate the physical process. If the attacker is able to record you entering a password, it is trivial to re-enter it on a stolen device. A stolen biometric may be similarly easy to enter or may be orders of magnitude more difficult depending on the type of biometric and sensor used.
02. Evaluating Biometrics
In the following sections, we’re going to evaluate the strengths and weaknesses of three different biometrics: fingerprint scanning, facial identification and vein scanning. Before we begin, we need a framework in which to evaluate them. Biometrics ultimately rely on two key properties: the efficacy of uniquely identifying an individual user and the difficulty for an adversary to spoof a biometric and masquerade as a given user.
For a biometric to be a good indicator of user identity, we must measure something that is both unique and distinguishable between users. Ignoring adversarial tampering for the moment, for biometrics to be effective they must have both low false positives and low false negatives. In biometric parlance, we use the terms False Acceptance Rate (FAR) and False Rejection Rate (FRR) to describe the percentage chance that an incorrect user will be falsely accepted or a correct user will be falsely rejected, respectively.
The FIDO Alliance, the leading authentication standards body, specifies a requirement for certification that no more than 3 in 100 attempts by a valid biometric should fail (FRR) and no more than 1 in 10,000 attempts by an invalid biometric should succeed (FAR). A low FRR is necessary for usability, but a low FAR is far more important from a security perspective, since we really don’t want our devices and accounts to unlock for the wrong person. However, devices will generally lock-down after a certain number of failed attempts, and so the FAR really only needs to be small enough to prevent repeated random attempts from becoming a valid attack strategy.
There is also a third metric, called the Imposter Attack Presentation Match Rate (IAPMR) in FIDO parlance, or Imposter Accept Rate (IAR) / Spoof Accept Rate (SAR) in Android parlance. These metrics attempt to define a generic testing methodology for determining the rate at which an active biometric attack will succeed. While these outlined procedures may show promise in the future, we have no indication they are being used today. Every biometric technique, even within the same sensor category (fingerprint, facial recognition, etc.), is susceptible to different kinds of attacks. Measuring the susceptibility to these attacks depends on understanding and developing testing suites for each biometric method and individual attack type, something that largely involves cataloguing existing known attacks.
Finally, manufacturers only very rarely publish their FAR and FRR rates and do not publish the data upon which these rates are generated. There is a remarkable lack of data across this entire sector, and only a few products obtain some minimum accountability from the opaque FIDO certification. Consequently, in the following sections where we dive into different biometric techniques and their pros and cons, we must rely on deductive reasoning rather than hard data to hypothesize the strengths and weaknesses of each technique. Critically, we observe that the best biometric sensors include some form of liveness check that make it substantially more difficult to spoof the biometric.
03. Fingerprint Scanners
Fingerprints have been used as biometrics for decades. We believe they are unique because the government uses them to identify people. But how unique are they really? For reference, in manual fingerprint analysis by experts, a FRR of 7.5% and FAR of 0.1% is often cited, typically based on a small sample of less than 1000 test cases. However, other studies estimate the FAR rates to be much higher. This is, at best, an order of magnitude worse than the FAR rate of 0.01% that FIDO sets as a standard. Unfortunately, when it comes to electronic fingerprint scanners, there does not appear to be any publicly-available data on the FAR and FRR rates. But let us assume that the FAR rate is sufficient to generally prevent accidental unauthorized device unlocking and look adversarially at fingerprint scanners.
There are currently three main fingerprint scanning technologies: optical, ultrasonic, and capacitive. Optical fingerprint scanners use a scanner to take a two-dimensional image of a fingerprint before comparing it to enrolled fingerprints. As you can imagine, this makes spoofing as trivial as printing an image of a valid fingerprint on a piece of paper. Optical fingerprint scanners are obsolete.
Capacitive fingerprint scanners came next. Capacitive scanners work using a grid of incredibly tiny, incredibly dense electrical switches. When conductive human skin touches one of these switches, it closes the circuit of the switch. The grid is dense enough, and sensitive enough, that the ridges (but not the valleys) of a human fingerprint will close the circuits on all the switches in a fingerprint-shaped pattern on the capacitive sensor. In this way, the sensor obtains a 2D image of the user’s fingerprint that it can compare against enrolled fingerprints. It’s important to note that despite ultimately capturing a 2D image, the mechanics of the sensor require the fingerprint to be electrically conductive. While possible to 3D print or even 2D print such a fingerprint on conductive AgIC paper with conductive silver ink, this is a significant hurdle for the attacker to overcome.
Ultrasonic fingerprint scanning has recently become popular with major device makers such as Samsung and OnePlus. Ultrasonic scanners are distinguishable from capacitive scanners by their ability to scan a fingerprint placed anywhere on the front screen of a mobile device. They use sound waves to construct a 3D model of the finger pressed to the glass, but do not appear to measure the electrical conductivity of the fingerprint, as capacitive sensors do. The main advantages of this approach appear to be in usability.
Ultrasonic scanners allow more flexibility in finger placement and are reported to scan a fingerprint more consistently than capacitive sensors since dirt and oil buildup on capacitive sensors can lead to failures. However, without testing the conductivity of the fingerprint, ultrasonic sensors seem perfectly happy to accept 3D printed replicas of user fingerprints. This has been widely documented by researchers and tech journalists on both the recently-released Samsung Galaxy S10 and OnePlus 7 Pro, flagship phones for both companies. In a strange bug, the S10’s sensor could even be confused by a screen protector, allowing any fingerprint at all to register as valid, although this was quickly fixed.
The 3D printing method is most likely not limited to just these specific phones or manufacturers, but a general attack against the entire category of ultrasonic fingerprint scanners. However, generating a 3D replica from a 2D lifted fingerprint still requires specialized equipment and raises the bar for compromise. It is unclear whether ultrasonic or capacitive scanners are ultimately “more secure,” but while neither is impenetrable, neither are they trivial to bypass.
While not a perfect indicator of “liveness,” the conductivity requirement for capacitive sensors does increase the difficulty of spoofing a fingerprint. One could imagine a dual-sensor that uses both the ultrasonic sensor and the capacitive grid built into the front screen of the mobile device to observe the fingerprint twice. This would increase the difficulty of spoofing the fingerprint to requiring a conductive, 3D print. However, it’s unclear whether the marginal security improvement would be worth the increased cost, especially given other biometric options.
04. Facial Recognition
Perhaps partly due to the deficiencies in fingerprint scanners, and certainly also for convenience, facial recognition has become a more prevalent biometric for mobile devices and laptops in recent years. The latest iPhones (X and 11) and Google’s Pixel 4 have turned to facial recognition as the primary biometric sensor, eschewing fingerprint scanners entirely. Facial recognition uses one or more front-facing cameras to take images of the user’s face, and if it matches the face of the enrolled user, unlocks the device. We understand faces are unique because as humans, we can recognize individuals with very high confidence, but in many ways it is still unclear how effective computer-driven facial recognition really is. The only metric I was able to find was Apple’s claim that FaceID has a False Acceptance Rate of only 1 in 1,000,000 for non-twin adults, or 100 times better than the FIDO standard. However, Apple provides no data for how it came up with this number.
There are two main methods for facial recognition. The first is to use a front-facing camera to take images of the user’s face, extract features such as the relative positioning, size and shape of the eyes, nose and mouth, and compare these features against the enrolled user’s facial features. If they match to a sufficient degree, the device will unlock. However, fundamentally this approach is comparing one or more 2D images against another 2D image in its database. Like an optical fingerprint scanner (an approach which has fortunately been discontinued) this method can be fooled by a high-resolution photo. This “security” mechanism is largely security theater. And up until January 2020, this was the facial recognition used on virtually all Android phones.
The second method of facial recognition may use a front-facing optical camera as well, but primarily relies on an emitter that projects a grid of dots on the user’s face and an infrared camera to observe the user’s 3D facial structure. This method, first shown in Apple’s FaceID and only recently in Google’s Pixel 4, substantially increases the difficulty for an attacker to spoof a user’s face from presenting a 2D image to presenting a 3D image. Upon release in 2017, hackers quickly showed how a face cast and 3D printing could be used to spoof the sensor. However, obtaining precise 3D facial data in the first place is a significant additional hurdle for attackers to overcome, and even then, 3D printing a user’s face is at least as high a bar as 3D printing a fingerprint. This approach is quite strong in practice.
Apple’s FaceID goes further and also implements a liveness detection feature. FaceID will not unlock your device unless “your eyes are open and your attention is directed towards the device.” The Pixel 4, on release, was met with negative attention for omitting this feature. Every bit of additional fidelity helps ensure the user is not only present, but consenting to the biometric being used. Even though researchers at BlackHat this year showed how some funny glasses placed on a sleeping victim could bypass FaceID, if anything, the comical (and largely unrealistic) lengths to which they had to go to bypass FaceID only demonstrate its effectiveness in the real world.
05. Vein Scanners
A promising upcoming biometric technology is vein scanning. As it turns out, near-infrared scanners can see past a user’s skin and detect their vein pattern. How do we know vein patterns are unique? Compared to fingerprints and faces, this isn’t something that most people know intuitively, and there is relatively little open research that seems to directly answer this question. However, if we simply look at my left and right vein patterns (biometrics aren’t secrets, remember), it seems pretty reasonable to imagine that each user’s vein pattern is sufficiently unique to identify them, assuming scanners can measure the vein pattern with enough resolution.
Fujitsu’s PalmSecure scanner publishes a FAR of 0.00008% and a FRR of 0.01% while Hitachi’s Vein ID scanner publishes a FAR of 0.0001% and a FRR of 0.01%, which means that they are approximately 100 times more uniquely identifying than FIDO’s minimum 1 in 10,000 FAR rate (and they also match the FAR of Apple’s FaceID). However, as always, the larger threat most likely comes from adversarial spoofing.
Vein patterns may seem more secret than faces and fingerprints, but this is not necessarily true. At Chaos Communication Congress in 2018, researchers used wax molds over ink-printed paper to fool both Hitachi’s Vein ID and Fujitsu’s PalmSecure scanners. They used an SLR camera with its infrared filter simply removed to take photos from up to five meters away. While it took over 30 days and over 2,500 pictures to successfully hack these scanners, this clearly demonstrates that vein scanning is not a panacea on its own. On the other hand, their story does indicate this is a very significant hurdle for an attacker to overcome, and may be prohibitively difficult in the real world using the same techniques. New techniques will inevitably be discovered and developed to extract vein patterns, at a distance, in the real world.
There are two approaches that can potentially raise the bar still further. Vein scanning and fingerprint scanning both involve placing a finger or hand on top of a sensor, and both can be performed simultaneously, as is done with the M2-FuseID. Amazon may be intending to do this as well with a recent patent filing for a non-contact skin and vein scanner. Requiring an adversary to fool both sensors simultaneously essentially adds the difficulty factors of both biometric spoofing techniques together.
But another way it may be possible to dramatically increase the difficulty for spoofing fingerprints is to add liveness detection in the form of monitoring the pulsing of the scanned veins. This has been proposed in the academic community for many years and in 2013, Fujitsu Laboratories developed a real-time pulse monitor using facial imaging, pointing to the potential for subdermal authentication coupled with facial recognition in the future as well. While vein scanning is only beginning to come to market, it appears to be a very interesting technology to watch.
We have begun to see a widespread shift towards using biometrics as our primary means for user authentication. This is a promising trend, not just for the convenience it brings, but also for the entire categories of attacks, such as phishing, that it will help eradicate. Biometrics may not be suitable to replace passwords everywhere, but on balance I believe they will provide a safer and more secure experience in the vast majority of cases.
When we look at biometric techniques across the different domains of fingerprint scanning, facial recognition, and vein scanning, we see some common lessons from which we can learn. 2D optical scanning is trivial to bypass by simply displaying an image, whether for fingerprints or faces, and possible for vein scanning as well, albeit with a bit more work. Measuring a 3D feature substantially increases the difficulty for the attacker to replicate the spoofed biometric. Measuring multiple biometric factors at once can additively increase the difficulty to impersonate a user. But also, adding an additional liveness check, such as electrical conductivity or recording for eye blinks or vein pulses, can raise the bar even higher.
Another trend catches our eye, and that is that with only a few outliers (Apple, Fujitsu, Hitachi), manufacturers are not publishing even the basic FAR and FRR rates of their biometric sensors, and even when they do, there is no data to back up their claims. The security industry is built upon open standards so researchers can test and remediate implementations that fall short of required levels. In line with this, we depend on our vendors to implement good solutions, so when their flagship devices ship with a security mechanism that is absolutely trivial to spoof, they aren’t just hurting their own product, they are also hurting the adoption and trust in biometrics as a whole.
As we move towards a passwordless future, we have the opportunity to raise the bar substantially by using the best technologies and avoiding the bad, while still maintaining the convenience we have come to know and enjoy.