Biometrics are even less accurate than previously thought

Biometrics is supposed to be one of the foundations of a modern authentication system. But many biometric implementations (whether fingerprint or facial recognition) can be wildly inaccurate, and the only universally positive thing to say about them is that they're better than nothing.

Additionally, and this can be critical, the fact that biometrics are misperceived as highly accurate may be enough to deter certain fraud attempts.

There are a variety of practical reasons why biometrics don't work well in the real world, and a recent article by a cybersecurity specialist at KnowBe4, a provider of security awareness training, adds a new layer of complexity to the problem of biometrics.

Roger Grimes, an advocacy evangelist at KnowBe4, wrote on LinkedIn about the National Institute of Standards and Technology (NIST) assessment ratings. As he explained, “Any biometric vendor or algorithm developer can submit their algorithm for review. NIST received 733 submissions for its fingerprint review and more than 450 submissions for its facial recognition reviews. NIST's accuracy targets depend on the test and scenario being evaluated, but NIST is aiming for an accuracy target of around 1:100, which means one error per 000 tests.

“So far, none of the submitted candidates is even close,” Grimes wrote, summarizing NIST's findings. “The best solutions have an error rate of 1.9%, which means almost two errors per 100 tests, far from the 1:100 target and certainly far from the figures advertised by most vendors. I have been involved in many large-scale biometric deployments, and we are seeing far higher error rates, false positives or false negatives, than even what NIST sees in the best-case scenario of lab test conditions. I regularly see errors at 000:1 or less.”

Let that sink in for a moment.

In independent tests, many biometrics simply don't deliver the accuracy they promise. On top of that, many vendors, including Apple (iOS) and Google (Android), make marketing-driven decisions about their default settings, where they choose how strict or lenient the authentication is. They don't want a lot of people incorrectly blocked from accessing their phones, so they choose to make it less strict, effectively giving a green light for more unauthorized people to access the device.

Remember those videos showing phones letting in a phone user's children or siblings when facial recognition is used? That's a big reason why.

Another key factor is theoretical accuracy vs. actual accuracy. Consider two popular methods of phone authentication: facial recognition and fingerprint recognition. In theory, facial recognition is much more demanding because it can take into account a larger number of data points. In practice, however, this often does not happen.

Have you seen children or siblings accessing the phone through the fingerprint? Facial recognition has to deal with lighting, cosmetics, changing hair, and dozens of other factors. None of this comes into play when using fingerprint recognition.

There is also a problem of distance. With facial recognition, a device must be at a precise distance from the face to read it accurately, not too close and not too far. Personally, I use an iPhone with Face ID and typically see glitches 60% of the time. Then I adjust the distance a bit and, if I'm lucky, my phone unlocks. (Again, this is not a problem with fingerprints.)

Note: Why do many banking apps handle check scans (yes, some businesses still use checks) in a more sophisticated way? The app will usually ask you to "zoom in" or "move back" before taking the picture. Why can't facial recognition do the same?

Also note that from an authentication perspective, many biometric implementations are a joke. Why? Because when biometric authentication fails, access falls back by default to the phone's PIN code.

In other words, if a thief wants to bypass biometrics, all they have to do is fail once or twice and then deal with the easiest PIN to crack. What good is that? It's clear that major phone providers use biometrics less for authentication or cybersecurity than for convenience. It is a way to access a device without having to enter a PIN.

As bad as that sounds, Grimes argues that the situation is probably worse. “The NIST tests are the best-case scenarios. All of them are terribly inaccurate. Security is overpromised in almost all situations,” he said in an interview.

Grimes also expressed concern about the immutable nature of biometrics. If a password or PIN is compromised, it's easy to generate a new password or PIN. Even a physical token can be replaced. What happens if biometrics are compromised? You cannot easily change your face, your retina, your voice or your fingerprints.

“Once stolen, how do you get them back?” Grimes said, adding that reverse-engineering biometrics is entirely possible.

The fundamental problem here is perception and characterization. These biometric efforts, as currently implemented, are little more than convenience. (Don't get me wrong; as a naturally lazy person, I'm head over heels in love with comfort.) But they are offered as cyber security friendly. And as a result, users and technologists will rely on biometrics as a protective measure.

There are many ways to securely implement biometrics. Retinal scans are generally safe, and fingerprinting works well for people who have properly scannable fingerprints. But voice biometrics, currently used by various financial institutions, is still too easy to fake.

This brings us back to parameterization decisions. If the parameters are strict enough, even facial recognition can become a security mechanism. In short, biometrics is a great convenience. As a security defense, most current implementations are not enough.
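To make the parameterization point and the PIN-fallback point concrete, here is an added example (not from the article, NIST, or any vendor) using constructed match scores. It shows how moving the acceptance threshold trades false accepts against false rejects, where the equal error rate sits for this data, and, under a simple model assumed here, why a PIN fallback bounds the security of the whole scheme from below.

```python
# Constructed match scores in [0, 1]; higher means the probe looks more like
# the enrolled template. Ten genuine (same person) and ten impostor attempts.
GENUINE = [0.95, 0.91, 0.88, 0.85, 0.82, 0.79, 0.76, 0.70, 0.62, 0.55]
IMPOSTOR = [0.12, 0.20, 0.31, 0.38, 0.45, 0.52, 0.58, 0.63, 0.71, 0.80]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for an accept-if-score>=threshold policy.

    FAR: fraction of impostor attempts wrongly accepted (security failure).
    FRR: fraction of genuine attempts wrongly rejected (usability failure).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a candidate threshold and return the
    (threshold, FAR, FRR) where the two error rates are closest."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: abs(rates(t, genuine, impostor)[0]
                                             - rates(t, genuine, impostor)[1]))
    far, frr = rates(best, genuine, impostor)
    return best, far, frr


def attacker_success(far, pin_attempts, pin_space=10_000):
    """Probability an impostor gets in when a failed biometric falls back to a PIN.

    Model (an assumption of this example, not a measured figure): the impostor
    is accepted by the biometric with probability FAR; otherwise they get
    pin_attempts guesses at a PIN drawn uniformly from pin_space candidates.
    Real PINs are far from uniform, so this is an optimistic lower bound.
    """
    pin_success = min(pin_attempts, pin_space) / pin_space
    return far + (1 - far) * pin_success


if __name__ == "__main__":
    for label, t in (("lenient (vendor default)", 0.60), ("strict", 0.75)):
        far, frr = rates(t)
        print(f"{label:24s} threshold={t:.2f} FAR={far:.0%} FRR={frr:.0%}")
    print("equal error rate at threshold %.2f: FAR=%.0%% FRR=%.0%%" % equal_error_rate())
    # Even with a perfect biometric, the PIN fallback alone gives the attacker a floor.
    print("attacker success with FAR=0, 3 PIN guesses:", attacker_success(0.0, 3))
```

Lowering the threshold from 0.75 to 0.60 drops the false-reject rate from 30% to 10% (fewer annoyed users) but triples the false-accept rate, which is exactly the trade the article says vendors make in favour of convenience.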

Copyright © 2022 IDG Communications, Inc.