Biometrics for Identification or Authentication Still Has a Way to Go

PC manufacturers have been introducing biometric technologies into their products over the past several years, the implication being that such technologies are inherently more secure than the traditional password, especially given how little attention the majority of users pay to password creation.

Several years ago, MythBusters proved that the fingerprint security system is seriously flawed and can be easily broken, and just last week at the Black Hat Conference, Duc Nguyen, senior researcher at Bkis, proved just how easy it was to circumvent facial recognition technology on laptops using a simple low-quality photograph.

MythBusters Fools Fingerprint Scanner

In 2006, the popular MythBusters program showed how easy it was to fool a fingerprint reader, even though the reader was supposed to pick up on pulse, body heat and sweat.

Using three methods, a copy of a fingerprint etched in latex, a ballistics gel copy of a fingerprint and a photocopy of a fingerprint, MythBusters successfully beat the system. How? By licking the samples to simulate sweat. Although it took three days to prepare, once they’d worked it out, it only took seconds to fool the system. If you missed the episode, we’ve embedded it at the end of this post.

Mold Fools Hand Geometry Scanner

Last year at DEF CON 16, Zac Franken said that physical access control systems are shockingly vulnerable, and went on to demonstrate how to bypass a hand geometry scanner by making a mold of his hand using not much more than chromatic dental alginate and vinyl polysiloxane.

As Hack a Day points out, this solution “may not be a completely practical attack, but it does defeat the overall idea of biometrics; biometrics are built on the assumption that every person is unique and can’t have their features reproduced.”

While the MythBusters and DEF CON examples clearly show that replicating conditions and bypassing biometric technology is possible, Nguyen’s demonstration is by far the easiest to pull off.

Printout Fools Facial Recognition Technology

According to a recent report in the Internet News, although the laptops used in the test (Lenovo, Asus and Toshiba) all have unique algorithms, the basic idea for creating a legitimate biometric login is the same for all three: “A user sits in front of their notebook while its built-in Webcam scans their face to create an image used for future identification.”

If you think getting a user’s picture is difficult, think again. Nguyen pointed out that with all the user-generated content and sharing sites like Flickr, Facebook, Twitter and the various chat programs (Skype, MSN, etc.), finding or simply taking a snapshot of a user is almost effortless.

According to the demonstration, the image size and quality make little difference, as Nguyen proved when he bypassed the security on the Lenovo laptop using a grayscale image. In an e-mail to Internet News, a Lenovo spokesperson pointed out that “the technology looks for eye movement to distinguish between a still photograph and a real person.” Nguyen got past that by moving the picture around in front of the camera.

Best Security? A Secret

From a user’s point of view, the best security is a strong password, something only the user knows. The accepted wisdom at the moment is that a strong password uses alphabetical (upper and lower case), numeric and non-alphanumeric characters and has a minimum of eight characters. However, this works on the assumption that the system itself has been configured securely, with account lockout after a certain number of failed attempts, and retry delays that get progressively longer with each failed attempt to prevent brute-force attacks.

Unfortunately, as we know, this is not always the case. Will biometrics help? Maybe. But clearly not today.
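The password rule and the lockout and retry-delay configuration described above can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the lockout threshold, the delay values and all names are assumptions, since the article gives only the eight-character minimum.

```python
MIN_LENGTH = 8      # minimum length stated in the article
MAX_FAILURES = 5    # assumed lockout threshold (the article gives no number)
BASE_DELAY = 1.0    # assumed first retry delay, in seconds
MAX_DELAY = 60.0    # assumed cap on the retry delay


def is_strong(password: str) -> bool:
    """Article's rule: upper, lower, digit, non-alphanumeric, at least 8 chars."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


class LoginThrottle:
    """Per-account failure counter with growing retry delays and lockout."""

    def __init__(self):
        self._state = {}  # account -> (failure count, earliest next attempt)

    def check(self, account: str, now: float) -> str:
        """Return 'allow', 'wait' or 'locked' for an attempt at time `now`."""
        failures, not_before = self._state.get(account, (0, 0.0))
        if failures >= MAX_FAILURES:
            return "locked"  # unlocking (admin reset, timed expiry) not modelled
        return "wait" if now < not_before else "allow"

    def record(self, account: str, success: bool, now: float) -> float:
        """Record an outcome; return the delay imposed before the next attempt."""
        if success:
            self._state.pop(account, None)  # a good login clears the counter
            return 0.0
        failures = self._state.get(account, (0, 0.0))[0] + 1
        delay = min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)  # 1, 2, 4, 8...
        self._state[account] = (failures, now + delay)
        return delay


def simulate_guessing(attempts: int) -> list:
    """Constructed scenario: wrong guesses, each made as soon as it is allowed."""
    throttle, now, log = LoginThrottle(), 0.0, []
    for _ in range(attempts):
        verdict = throttle.check("alice", now)
        log.append(verdict)
        if verdict == "allow":
            now += throttle.record("alice", False, now)
    return log
```

A lockout that never expires lets anyone who knows an account name lock its owner out, so many deployments release the lock after a fixed period.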

Myth Busters Finger Print Lock



Image Credit: Flickr Flick
