Biometrics: advantages and disadvantages

[Father]

Biometric authentication is a procedure for identifying a person's identity by providing their biometric data. Its main advantage is comfort, since such a password as an index finger print is simply impossible to forget.

Biometric authentication technologies have already managed to" move " from James Bond films to everyday life. You can use biometrics to pay for online purchases, go to the metro, verify your identity in the car sharing app, and dozens of other services.

Along with the spread of biometrics, the question of prospects is becoming more acute: which biometric password will combine sufficient convenience with high security and become dominant in the coming years. About this – in our article.

Biometric authentication methods​

Currently, two methods are most common:

1. Fingerprint scanning. The most popular and ubiquitous method, which, in particular, is used for issuing modern-type foreign passports, and may become the basis for issuing new-type state passports of the Russian Federation in the future.
2. Face oval scan. It is often found as an element of the checkpoint system of organizations, various state institutions, educational centers, and universities.

The development of both methods of biometrics was strongly influenced by smartphones. Flagship models of the last seven years are being equipped with biometric identification system, Face - or Touch ID technologies.

Artem Ozhegov
Senior System Engineer of ICL Group

Biometric personal data is used all over the world in various fields of activity. Experts conduct research on the use and protection of such data. Without incidents, of course, is not complete. There is a well-known case when attackers used deepfake technology to process photos, create videos, and for several years forged documents for the tax service.

Biometric identification and authentication technologies cannot provide a one-hundred-percent guarantee – the probability of an error or false match is always present. There are international and national standards that set requirements for conducting operational tests of biometric systems, which allows developers to reduce the likelihood of errors.

As technology evolves, there is always someone who wants and will look for an opportunity to use it for illegal purposes. In my opinion, biometrics should be used as an additional authentication factor.

There are other biometrics methods that are used less often for one reason or another. Among them, the following can be distinguished::

• voice;
• wrist vein pattern;
• palm;
• the retina of the eye.

It is important to understand that each biometric "password" has its drawbacks. For example, the voice changes over time and even "in the moment" during colds.

Palm print scanning looks more reliable than single finger scanning, but requires larger hardware, which makes this method less convenient. In addition, the problem of false-negative positives becomes even more urgent, as there are more markers for the system.

The situation with the vein pattern is typical for many northern regions with a cold climate. It will be quite difficult for a person who is dressed in three layers of clothing to bare his wrist at the checkpoint.

The problem of false positives in the biometric system​

Thanks to smartphones, almost everyone has experienced false positives: the phone simply refuses to unlock if the finger, for example, is dirty or wet.

If you project this problem from your smartphone to the banking sector or a security checkpoint, then the situation is more unpleasant than critical – you will have to apply your finger again until the system recognizes it.

Igor Afonin
Head of the Competence Center for Multimedia and Unified Communications "T1 Integration"

On the one hand, the use of biometrics is an undoubted convenience, but, on the other hand, it creates certain risks. Your face and voice are not hidden from outsiders in any way. With enough video or audio recordings, you can train a neural network to either generate an image of your face or simulate your voice. Fraudsters can also get fingerprints. Perhaps the most effective approach is the following: for non-critical financial transactions, it is quite possible to use biometrics, for example, for paying in the subway by face, and for accessing accounts, you should always use two-factor identification: for example, biometrics and a confirmation code, or a password and a confirmation code. Authorization using only one method carries a high risk of data theft.

The problem is much more acute with false positive positives. They are only possible because no system compares the full fingerprint with the one available in the system: this would kill the convenience of the method and make biometric identification long.

The system matches individual markers, the number of which is set in it by the developer or manufacturer. If you have the time and desire, you can pass yourself off as another person by fingerprint in almost any system.

A similar case occurred in India, where one person tried to impersonate another by using the top layer of skin from the pad of his finger during an exam. He managed to deceive the system, but not the examiner.

Konstantin Korsakov
Chief Architect of RooX

Biometric identification at the current level of development is quite accurate, but still a probabilistic technology. And if a false negative result will only cause a little inconvenience (you will have to use a password or present a document), then a false positive result will lead to a leak of your data or loss of funds. Therefore, biometrics should always be combined with some other factor.

Also, the task of canceling biometric data has not yet been solved. You can change your password, reissue your key, but changing the iris is not yet available to the average user.

At this stage of development, the biometric identification method cannot act as an independent one, and is used together with traditional methods, primarily by entering a password or attaching a key card.

At the same time, not only biometric scanning technologies are being improved, but also tools for protecting them from illegitimate exploitation.

Biometrics and information security​

The problem of biometrics from the point of view of information security is that biometric data is poorly protected, since a person cannot walk everywhere with gloves, hide his face, or communicate in everyday life with a modified voice.

This "openness" of passwords creates a false sense that they are easy to steal. In practice, this is not entirely true, and making template copies is a time-consuming and rather lengthy process.

Vladislav Aleshin
Expert of the group of biometric technologies and authentication systems of the Center for Applied security systems of Jet Infosystems

To make a dummy, an attacker must perform two actions: get a biometric sample of a potential victim, such as a face image or fingerprint, and make the dummy itself. Accordingly, the harder it is to get a sample, the harder it will be to fake it. Therefore, the most protected characteristics will be those that are hidden or difficult to obtain. Among the solutions available on the market, the most difficult to obtain a biometric sample are solutions for recognition by the iris of the eye and by the pattern of the veins of the palms. Both technologies are contactless, they are safe and harmless to humans. The technologies are based on obtaining biometric information using infrared radiation.

It's also worth mentioning that biometric systems have a feature called Liveness Detection. Its task is to verify that a live user "communicates" with the biometric system, and not, for example, his photo. When an attacker tries to trick a biometric system with a fake, they compete with the Liveness Detection mechanisms, and not directly with the recognition mechanisms themselves. This significantly reduces the likelihood of hacking the biometric system using a fake.

At the moment, the level of protection of biometric systems is largely determined by the type of biometrics. The more difficult it is to get it and make a template-the higher the level. There are also separate information security tools that allow you to deal with machine copying and attempts to pass off a virtual image as a real image.

In the field of protecting databases of biometric materials, there are no special specifics that would radically distinguish this process from protecting standard passwords. The security tools used there are identical.