By: Darren Guccione, CEO and Co-founder, Keeper Security
Hyper-realistic silicone masks have recently garnered attention online, particularly for their role in thefts in China. In one notable incident, a thief used a mask to disguise himself as an elderly man, attempting to evade the authorities through false identification. The ease of obtaining such masks raises alarming privacy concerns and highlights potential real-world threats. But what about in the digital realm?
The Vulnerability of Biometric Authentication
Biometric authentication, once heralded as a highly secure method for protecting personal devices and services, is now facing significant threats. Biometric data includes physical and behavioural characteristics like fingerprints, voice patterns and facial features. Traditionally, this form of authentication was considered safe because it required the user to be physically present. However, the rise of technological concerns like AI-generated deepfakes, or physical threats like silicone fingerprint replicas and hyper-realistic masks, could undermine this security.
In China, customised silicone masks derived from 2D images are available for prices ranging from S$556 to S$4,635. These masks have been documented infiltrating different forms of biometric authentication. A study by the Institute of Electrical and Electronics Engineers revealed that while face recognition systems are effective at detecting zero-effort infiltration attacks, they are significantly less effective against presentation attacks using custom silicone masks.
Beyond hyper-realistic masks, other infiltration methods like deepfakes and 3D printing are also advancing. Though these methods require considerable effort and sophisticated techniques, they are worth a cybercriminal’s time and effort for high-value targets.
Misconceptions About Biometric Authentication
Several misconceptions surround biometric authentication, which can lead to an overreliance on this technology without fully understanding its limitations and vulnerabilities. One common misconception is the belief that biometric data cannot be stolen. In reality, biometric data can be compromised, and unlike passwords, once stolen, it cannot be changed. Another misconception is that biometric systems are infallible and cannot be tricked. However, biometric systems can be bypassed using techniques such as hyper-realistic masks, deepfakes or even high-resolution photos.
Additionally, many people assume that biometrics alone provide complete security. While biometrics add a layer of protection, they are most effective when used in conjunction with other methods, such as traditional passwords. Despite their perceived convenience, biometrics are not always the easiest or fastest method of authentication. Factors like environmental conditions, physical changes or technical issues can hinder reliability and user experience.
For example, Apple’s Touch ID stores fingerprint data securely and only prompts a “pass” or “fail” response, enabling access to the application or data if successful. This process offers convenience rather than added security when used alone.
The Case for Stronger Forms of Authentication
Emerging threats to biometric authentication necessitate stronger security measures. Despite advancements, passwords remain a staple in cybersecurity, acting as the first line of defence for protecting online identities and information. Poor password habits and misconceptions about password construction often lead to breaches, prompting a shift to other forms of authentication.
To construct strong passwords, complexity and customisation are paramount. Modern standards recommend passwords be at least 16 characters long, avoiding sequential numbers, birthdays, names or dictionary words. Instead, strong, unique passwords should be used to prevent hacks and breaches.
Passkeys provide a modern alternative to traditional passwords by using public-key cryptography. A private key, securely stored on the user’s device, and a public key registered with the service provider replace the need for passwords. Authentication is streamlined through biometric challenges: the service provider sends a challenge to the device, which signs it with the private key and returns the response for verification. Since the private key never leaves the device or password manager in which they’re stored, passkeys are effective against phishing and other issues like brute force attacks and credential stuffing. Despite these benefits, widespread adoption faces challenges such as inconsistent browser support and user reluctance to switch from traditional methods.
Passphrases offer another secure alternative. Combining random, uncommon words with uppercase and lowercase letters, numbers and symbols makes passphrases inherently longer and more challenging for cybercriminals to crack. Password managers can help generate and store these secure credentials, ensuring strong and unique authentication for every account.
Multi-Factor Authentication for Added Layers
Amid developments in breaching biometric authentication, a multi-layered security strategy is recommended. Multi-Factor Authentication (MFA) requires users to provide more than one form of authentication, combining strong passwords with biometric authentication for example. MFA adds another layer of security, making it significantly harder to compromise an account.
MFA prevents password-related cyber attacks by requiring additional authentication factors. Statistics show that MFA can block over 99.9 percent of account compromise attacks, making it a crucial component of IT compliance and organisational security.
The Enduring Importance of Passwords
Despite advancements in authentication technologies, passwords remain vital in cybersecurity. Biometric data, while innovative and convenient, has inherent limitations and security risks. Once compromised, biometric data cannot be changed like a password.
Passwords, combined with MFA, provide an additional security layer that compensates for potential weaknesses in biometric systems. Regularly updating and strengthening passwords adds a dynamic element to cybersecurity that biometrics alone cannot match.
In conclusion, passwords remain indispensable in a comprehensive security strategy, ensuring robust protection against unauthorised access and data breaches.