For many, biometrics are considered the ultimate form of two-factor authentication; where a user must provide something they know in addition to something they have. Most systems currently implement two-factor authentication with security tokens, which can either take the form of a hardware device (such as the RSA SecurID fob) or software running on a smartphone (Google Authenticator), both of which have their logistical problems. Supplanting these tokens with something that is literally part of the user, such as a fingerprint or iris scan, would take a lot of the implementation headaches out of two-factor authentication.
But new attacks have shown that the most common form of biometric authentication, fingerprint scanning, are not nearly as secure as originally thought. The next generation of scanners aim to increase security, but is it too little too late?
High Profile Vulnerabilities
Hacking fingerprint scanners by cloning fingerprints is hardly new, but it definitely got a lot of mainstream attention when it was shown that Apple’s iPhone 5S was susceptible to this type of attack just days after its release. Chaos Computer Club member Jan “Starbug” Krissler created a detailed guide on a how a print could be “lifted” from a smooth surface (such as a drinking glass) and reproduced in a form that can be glued to an attacker’s own finger. A video was released that even showed how to recover a usable fingerprint from the iPhone’s screen using nothing more exotic than a desktop scanner.
These hacks were by no means simple, they required patience, skill, and even some volatile chemicals. But it was very much possible, and anyone who had the drive to follow the widely available information could replicate it on their own without much expense. If somebody wanted into your iPhone badly enough, it was clear they could do it.
Many hoped that the iPhone 6 would pack in a more sensitive fingerprint scanner that would be harder to trick, but upon its release, it was demonstrated that the same method worked on the newer device as well.
But to many, this didn’t come as a surprise. The fingerprint scanner on the iPhone is meant to be more convenient, but not necessarily more secure, than simply using a traditional PIN to unlock the device. For the average user, the iPhone’s fingerprint authentication would work fine, but it shouldn’t be relied on for high security applications.
Hands Free Hack
As if his attack against the iPhone wasn’t enough, Krissler has recently released information on how he was able to to create a duplicate fingerprint using nothing more than high resolution images of the target’s hands.
In his demonstration at the 31st Chaos Communication Conference, Krissler showed how he was able to use images of German Defense Minister Ursula von der Leyen’s thumbs and the commercially available VeriFinger SDK to create a replica of her fingerprint without ever having access to a physical object she touched. Given the availability of high resolution images of public figures, this attack could conceivably have long reaching security implications.
During his presentation, Krissler quipped that “After this talk, politicians will presumably wear gloves when talking in public.” While the statement was in jest, it will be interesting to see if policy on photographing public officials will be in anyway impacted by Krissler’s work.
Next Generation Hardware
With attacks like these already in the wild, it’s clear that fingerprint authentication needs to be rethought. New approaches to fingerprint scanning include what are known as “living biometrics”, where it isn’t enough to simply have an image of a fingerprint, the scanner must also see evidence of living processes.
One such method is finger vein recognition, where the veins in the finger (which are as unique to each individual as the fingerprint itself) are photographed through the use of infrared light. Since the veins are under the skin, there’s no way to duplicate them using images of the hands or prints lifted off of glass, as these only give surface details.
While the technology and method is still being actively researched, the results so far are very promising. Britain’s Barclays bank has announced that this year they will be making vein recognition systems available to their commercial customers, with a full rollout to follow if it’s successful.
While it will be quite some time before we see vein recognition hardware on our smartphones, the technology will one day become common enough that a user’s finger may still end up being as worthwhile a security token as anything currently available.