Monday, April 27, 2020

What's the connection between gummy-bears and biometrics?

Biometric verification and identification have been around for a while – in 1892 fingerprints made their debut when they were used by an Argentinian inspector to bring justice to two sons that were murdered by their own mother. Biometrics have been already used for a while via fixed public scanners, to identify individuals at workplaces, airports and governmental services.

The first mobile device to feature a fingerprint scanner was the Motorola Atrix, that launched in 2011. Motorola featured an optical sensor that worked so poorly that Motorola decided to discontinue it with later models.
Motorola Atrix

It wasn’t until Apple first launched the iPhone 5s, that fingerprints started to receive massive adoption from smartphone users. The iPhone 5s featured a capacitive scanner that was cleverly located under the home and essentially kicked off the mobile biometrics revolution that eventually commoditized fingerprints and facial recognition to even the most basic and entry-level models.

Additional biometric modals were soon added such as facial recognition, iris scanning, voice and more. While they do provide a smooth and password-less verification experience, there’s a caveat. All biometrics suffer from one fundamental flaw – unlike passwords that can be replaced, once your biometric features have been compromised and spoofed, there is no way to replace them, unless filling off your fingertips or getting facial reconstruction are viable options. This is also the reason why biometric information such as fingerprints are considered extremely private information and there is a lot of controversy on storing nation-wide, centralized biometric depositories as they tend to draw a lot of attention from malicious actors. Just consider the hack to India’s biometric repository containing personal information of over a billion citizens. Compromised individuals would never feel secure again using their fingerprints or iris scans as a method of verification, as this data could already be on sale for a dime-a-dozen in the dark web, paving the way to identity theft of the compromised individuals.

The Good
Mobile biometrics have definitely set a new bar for user experience and convenience compared to conventional methods such as passwords and OTPs. Great efforts are made to prevent even the slightest of friction – the FaceID is a great example of this. While TouchID provides an almost seamless experience, as the user merely has to use the HOME button to unlock the device, as they have always done. But Apple continued to invest resources to make this experience even more seamless, when they introduced the FaceID that only requires a quick glance and BOOM! The device is unlocked and ready for use. Similar efforts are being made by all device manufacturers and Apple are not alone in this race.

The frictionless factor is not the only one in play here – users are also not required to memorize passwords when using biometrics, which removes a lot of “mental friction” and frustration of having to manage multiple passwords. Although this is not entirely true since mobile biometrics are stored on device, and any time a user wishes to “bind” a new device to their account, they are required to enter their password once more – we’ll touch on that a bit later in the article.

Lastly, there is the security factor – passing around biometrics is a lot more difficult than giving away a password. Although in some cases this may not be entirely true as we will soon describe. In addition, with mobile biometrics there is also the PIN Code fallback, that appears after being rejected by the biometric system. This essentially means that the security level of mobile biometrics are equal to that of a standard, 4-digit PIN Code.

The Bad
So, what do we have so far? No need to memorize passwords, frictionless experience and improved security. It seems that the industry has finally figured it out, right? WRONG!
Let’s start with the main limitation of mobile biometrics – since the biometric data used is extremely sensitive, it is problematic to store it in the cloud or in central location, therefore these technologies are purely client-based. What this means is that the user needs to re-enroll on every single device they use, as oppose to a one-time enrollment (which is the case with Verifyoo). When re-enrolling on each device, for instance for banking applications, the password is once again required and along comes with it all the problems of password recovery and management.

Biometrics are also susceptible to spoofing (AKA presentation attacks) since they use visible features such as face, fingerprints or voice. One of the most disturbing examples was demonstrated by Jan Krisller, a biometrics specialist from Germany. Jan managed to recreate the iris features required to successfully verify no other than Angela Merkel, the chancellor of Germany. Jan didn’t have to work too hard, as the data was publicly available online for anyone to download and exploit. Link to the article:

Surprisingly, fingerprints are no different and Jan also managed to recreate the chancellor’s fingerprint features and bypass the biometric verification. Researchers from Japan even concluded that fingerprint features can be easily extracted from peace-sign selfies, see the article here:
Unsuspecting victim of fingerprint identity theft

Voice can also by synthesized using pre-recorded data of the victim, which can be used to bypass dynamic voice recognition even when it requires the user to repeat random sets of words.

Settings aside spoofing issues, biometrics also do not require the user’s consent during the verification process. The perfect example can be seen in this article, where a 7-year old bypassed his father’s iPhone fingerprint lock while he was sleeping, to make purchases in the iTunes Store. In this case the damage was several hundreds of dollars, but it could have ended much worse. Facial recognition can also be used to track and spy on individuals without their consent.

Nowadays with the COVID-19 epidemic biometrics are facing additional challenges, such as facial recognition limitations – as people have been accustomed to wearing masks. Or the mass market of public fingerprint scanners, that took a huge blow as people refrain from physically touching surfaces in public – see article.

The Ugly
Aadhaar is India’s national biometric system as well as the largest biometric ID system in the world. Unfortunately, it keeps getting hacked -

Did you know that aside from being super delicious (my own humble opinion), gummy bears can also be used to hack fingerprints? See it live in this YouTube video:

An iphone 6 being hacked using a gummy bear

But that’s not all, there’s a variety of methods to spoof fingerprints, in this article you can get a closer look on 7 different ways to beat fingerprints.

Facial recognition is no different - according to a study that was done on 110 different devices, in 4 out of 10 facial recognition can be circumvented using just a 2D photo or video. An example can be seen in this video of a Samsung S10 being unlocked using a video:

How can Verifyoo help you?
Verifyoo carved on its flag “Privacy, Security and Usability.” The data used by Verifyoo’s verification systems does not include any PII (Personal Identifiable Information) and conforms to the privacy requirements and regulations (e.g., GDPR, California Privacy Act).

This allows Verifyoo to store the data centrally or on the cloud and provide full flexibility to our clients, as they can utilize the centralized identity to verify users from practically any mobile device or platform.

For more information visit: