Gaining an understanding of biometrics
With the latest iPhone X, Apple is introducing new facial authentication functionality using IR sensors. So, is facial authentication the future of biometric security, or is this technology still not quite ready for mass adoption? And, conversely, are fingerprint authentication mechanisms going to remain relevant in the long term?
Convenient security
Passwords have been used for decades to authenticate computing systems, so why use biometrics? The simple answer is convenience. Biometric systems – whether based on fingerprints, iris scans, or facial recognition, are much more convenient to use than passwords, and in the real world, convenience results in greater security.
While well-formed passwords – essentially long strings of random characters and numbers – can be an extremely secure form of authentication, the reality is that these kinds of secure passwords are difficult to create and difficult to remember. This means people often create easily guessed passwords such as “abc123”, or alternatively store their password in easily reachable places – which defeats the whole object of having a password.
Biometric security uses a form of identification inherent to us, which means we can never lose or forget our passwords. Biometrics does not require us to input a long string of characters either. Instead, we just submit unique elements of our physical being (eyes, fingers or face) to a simple scan. These days, the default state of a smartphone is locked by biometrics.
Biometrics is not fool-proof, in fact it may be easier to lift someone’s fingerprints than to steal their memorised password. However, the very convenience that it grants means that devices and systems which use biometric authentication often result in greater user compliance, and thus better overall security on average.
Fingerprints vs. faces
Two of the most popular biometric systems today are fingerprint scanning and facial recognition. Each has its own unique pros and cons and are being used to great effect in the latest smartphones and consumer devices. Fingerprint scanners – Until Apple introduced the easy-to-use fingerprint based TouchID biometric system in its 2013 iPhone 5s, many of us did not use passwords on our smartphones. For those who did, it was often a simple pattern or short 4-digit pin at best. By introducing quick, easy to use fingerprint scanning that was turned on by default, Apple started a biometric revolution.
Fingerprint scanners are most commonly either optical or capacitive. Optical fingerprint sensors basically take a photo of the finger and compare it to a fingerprint on file. They have the benefit of easier integration. However, they can have recognition issues due to dirt, oil, and contamination, and can be more easily misled (by an image of a fingerprint) than capacitive sensors.
Capacitive-based fingerprint scanning maps the valleys and ridges of the finger by measuring electrical current. Since they require an actual physical finger, they are harder to fool. In addition, they are more resistant to dust and contamination, although water can still hinder the recognition process. It must be acknowledged though that capacitive touch sensors are more subject to wear over time than non-contact optical sensors, unless special measures (such as protective coatings) are taken. Most smartphone handsets, including Apple’s iPhones, use capacitive touch sensors for fingerprint recognition.
How unique are fingerprints? The answer is more complicated than it seems. The individual ridges and valleys which mark our fingers have been shown to be incredibly unique. However once that three-dimensional shape is transferred to a two-dimensional surface, errors can arise.
For fingerprint scanners, this can be even more pronounced. The act of squeezing our finger onto a small two-dimensional surface introduces significant distortion. In addition, a fingerprint scanner in a consumer device needs to have some allowance for error so that a slightly sweaty finger or a finger that is pressed off-angle can still unlock the device. Apple has estimated that this reduces the uniqueness of fingerprint authentication on an iPhone to 1 in 50,000.
In addition, it is possible for a sufficiently motivated criminal to lift a fingerprint, for instance off a smartphone itself, create a silicone model of a finger and then use that to access a fingerprint-secured system. While this disqualifies fingerprint scanners as a secure authentication method for enterprise, industrial or mission critical systems, the convenience of fingerprint authentication makes them still sufficient for most consumer applications. In addition, combining fingerprint scanners with other methods such as passwords can be used to create highly secure two or three-factor authentication systems for enterprise systems and other applications which require high levels of security.
Facial Recognition – With the iPhone X, Apple has introduced a new type of facial recognition system which takes advantage of IR sensors to improve security. By using depth sensing technology, it aims to overcome previous challenges associated with facial recognition – such as the ability to spoof faces using photographs.
In fact, Android smartphones have had facial recognition as an authentication option for quite a while now, but security issues have meant that it is never been heavily advertised as a feature. Based on the front-facing camera, Android facial recognition uses a photo of the user’s face along with Google’s facial recognition algorithms to determine a match.
Newer Android smartphones from Samsung complement facial recognition with iris scanning – this increases uniqueness even further, as even genetically identical individuals such as twins will have different iris patterns. Unlike faces, irises also tend to stay the same over time regardless of age or health, and aren’t obscured by hair or makeup.
While faces and irises are extremely unique, image-based biometrics can be tricked by high-resolution photos and they are also affected by ambient lighting conditions. This can be acceptable for environments such as passport control in airports where environmental lighting is regulated and users are monitored for spoofing, but it is problematic for mobile devices like smartphones.
To overcome most of these challenges, the new iPhone X’s FaceID uses IR depth sensing technology, similar to that found in Intel’s RealSense cameras. The new iPhone’s facial recognition relies on IR sensors and lights to map a 3D image of the face. The face is first illuminated by an IR flood light. Then an IR dot projector shines 30,000 points onto the subject’s face. The IR camera then captures this IR image and compares it to the facial recognition data stored on the device.
Compared to purely visual facial recognition systems, this type of IR-enabled depth-sensing facial recognition system can be much more accurate. The depth sensing aspect means that the system can’t be fooled by photos, and Apple claims that while TouchID is unique for 1 out of 50,000 people, its FaceID is unique for 1 out of 1 million. Since IR light goes beyond the visual spectrum, it is also not subject to the whims of ambient lighting conditions such as low light or bright sunlight.
Is it foolproof? Well FaceID cannot be fooled by photos, and even realistic masks created by Hollywood special effects artists have failed. However, using a sophisticated process involving 3D printing and physical access to an authenticated user, researchers in Vietnam have claimed to have created facial masks which can fool the system.
While it is not impossible to fool, the sophistication and effort required to compromise FaceID shows that facial recognition using IR depth-sensing technology is a legitimate biometric authentication technique that balances convenience and security for consumer applications.
Biometric system design
Building a secure biometric system goes beyond simply choosing a secure biometric method. The storage and retrieval of biometric information should be secure as well and ideally isolated from the rest of the system.
Apple’s TouchID achieves this through what it calls the ’Secure Enclave’ – an ARM-based coprocessor with its own dedicated flash storage. Fingerprint information goes through a one-way hash function, and the hash of the fingerprint is stored in memory separate from the rest of the system. By hashing the fingerprint, it is impossible to reverse-engineer the fingerprint from memory. By isolating storage and processing of fingerprint information from the rest of the system, even a compromised smartphone does not leak fingerprint data or allow access to the fingerprint-based authentication system.
Similarly, Android based handsets store encrypted fingerprint data in a secure part of the system known as the Trusted Execution Environment (TEE). The TEE is isolated from the rest of the system and doesn’t interact directly with user-installed applications.
Choosing the right biometric
The use of fingerprint and facial recognition in more recent smartphone offerings has popularised their use and encouraged implementation into other consumer devices. For wearables and mobile/handheld devices especially, they present a quick and convenient way to enhance security through easy-to-use authentication.
While biometrics may never surpass well-formed passwords in terms of being truly secure when used on their own, their convenience often results in stronger overall security in real world applications. They are also a great way to enable two or three-factor authentication for existing security systems.
About the author:
Mark Patrick is Supplier Marketing Manager, EMEA at Mouser Electronics – www.mouser.com
If you enjoyed this article, you will like the following ones: don't miss them by subscribing to :
