Biometrics Recognition is Unreliable!
Biometrics is often projected as a security token.
The mainstream technology news media project biometrics as a preferred token for personal identity verification and authentication.
The news media highlight the huge market for biometrics security.
They make noise about how much billion-dollar investment biometrics received.
Then, the news media claim that "biometrics is a reliable security technique."
As if the amount of market investment makes a security technique superior!
What immature analyses the mainstream technology news media make!
I will make it clear in the following section with relevant research references.
Image Source: I have created a GIF animation using my title texts and a photo by Gerd Altmann on Pixabay.
Biometrics is an unreliable human recognition technique.
There are more disadvantages than advantages of biometrics recognition.
The promoters of biometrics recognition technology are deliberately hiding the security-lowering features of biometrics technology.
To secure huge investments, biometrics startups are deliberately making a rush in forcing biometrics into the market.
In reality, the utility of biometrics recognition technology is very much unreliable due to the following main reasons, described in the subsequent sections.
Biometrics recognition is probabilistic, but not deterministic.
As a technology researcher, I spent sufficient time in biometrics research since 2003. I developed a technique for 3D human face recognition in 2006. I applied the technique for multimodal 3D facial plus fingerprint recognition.
Biometrics is purely a probabilistic recognition technique that how much matching is possible. The tolerance of recognition is sometimes 96 to 97 percent but is never a hundred percent.
Some biometrics modality, such as face recognition is heavily dependent on skin color and illumination. 3D face ID matching can be easily spoofed using 3D face masks. Fingerprint and iris images are regularly spoofed with high-resolution images.
Biometrics recognition has got a False Match Rate (FMR).
The higher False Match Rate (FMR) of biometrics does not provide us with the required confidence in adopting it for user authentication on utility and financial services.
It is to be noted that FMR does not account for spoofing attacks. Spoofing is a different technology for criminals.
Even the police may sometimes create a biometrics spoof to unlock the mobile of a dead person. In fact, it happened in the US in an investigation of a murder case!
Biometrics spoofing technology is maturing fast.
As cybersecurity technology is progressing in the world, biometrics spoofing technology has also been advancing at an alarmingly fast rate.
It doesn't take much money and complex technology to create a spoof for a fingerprint. One can make fingerprint spoofs using cheap and easily available polymer sheets used for overhead slide projectors! 3D thumbprints may also be made on rubber thumbs
A group of students in the University Department of Chemical Technology (UDCT), Mumbai, India regularly cheated the university fingerprint attendance system.
It happened between 2018 and 2019. The professors found only less than the half population of the students were physically present inside the classroom, but the attendance data recorded was surprisingly above 90 percent presence!
Biometrics data can be easily copied in public places or may be purchased in the dark market.
Biometrics data are easily available in public places. Capturing 2D and 3D face scans is possible in public under visible as well as infrared illumination.
The fingerprint impression may be captured from thumbprints on glasses of water/drink in parties/restaurants.
High-resolution face images may be utilized to extract decent-resolution iris patterns. Voice and speech may be easily recorded from telephonic conversations, and expert voice mimicry artists can do the spoofing job for voice recognition.
For example, the entire biometrics database of the Indian digital identity system called Aadhaar is available in the dark market with a payment of a mere INR500.
Biometrics data once compromised, hacked, and stolen, are lost forever in the hands of cyber criminals!
The most worrying part of the biometrics story is severe and irrecoverable!
Once a biometrics database is compromised, hacked, and stolen, the entire dataset is lost forever. But, those biometrics data remain in the hands of cybercriminals for good.
For example, the Aadhaar biometrics data are in the hands of hackers and criminals. They will continue to try to do as much harm as they can.
The government body is hiding the news from the common citizens. But they are in no position to do anything to restore the security of the citizens whose biometrics data were stolen.
The same is true for all biometrics databases of global citizens. A large portion of the biometrics databases might already be in the hands of cybercriminals.
Biometrics can not avoid the so-called "credential stuffing" or "reusing the same usernames and passwords."
Cybersecurity experts would always advise NOT to "reuse passwords and usernames" on different platforms.
Unfortunately, if you adopt biometrics as an authentication factor, you willingly agree to reuse the same biometrics as your default passwords for authenticating your online accounts.
This problem is cordially known as the "credential stuffing" issue in cybersecurity literature.
You may now understand why using biometrics compels you to reuse the same biometrics as your passwords, and you commit "credential stuffing" which is a security vulnerable practice in cybersecurity.
Bringing it altogether
Biometrics is purely probabilistic, and not deterministic, such as text passwords.
Text passwords are deterministic, if you enter a wrong passcode, you will NEVER be authenticated, and you will be REJECTED. In biometrics, one person's biometrics may incorrectly authenticate another person's login and vice versa.
Moreover, biometrics is easily spoofable, and hence stealable/hackable.
Biometrics data once hacked/stolen/compromised, are lost in the hands of criminals for good. One cannot reset biometrics like text passwords.
There are so many other flaws, such as a high False Match Rate, and "credential stuffing," i.e., reusing the same passwords and usernames.
As a result, it would be correct to infer that biometrics recognition technology is an unreliable security method.
Biometrics is a self-problem creator, even without the presence of a hacker!
Postscript
The main problem is that biometrics recognition technology is probabilistic, and NOT deterministic. So, biometrics can never yield 100 percent recognition and have a False Match Rate.
That means biometrics can authenticate an incorrect person, and reject an authentic person! Biometrics is a self-problem creator, and as a result, is unreliable for authenticating the correct human being, even without the presence of a hacker!
And, not to forget, biometrics has a lot of data privacy issues. However, it is not a security issue. But, privacy is a fundamental right.
Accessing one's biometrics data is equivalent to invading the personal and private data of a person. All humans may not agree to provide their biometrics data to the governing and servicing companies.
It overrules fundamental freedom and human rights.
Originally published on my LinkedIn newsletter.
[Sponsor information is as below]
Image Source TheGuy – Follow him on Noise and Hive for more insights.
Cheers!
Unity (Debesh Choudhury)
Text Copyright © 2022 Debesh Choudhury — All Rights Reserved
Join me at
Odysee, LinkedIn, Twitter, noise.cash, read.cash, publish0x, and Facebook
Lead Image: I have created a GIF image using my title texts and a photo by Gerd Altmann on Pixabay.
All other images are either drawn/created by myself or credited to the respective artists/sources.
Disclaimer: All texts are mine and original. Any similarity and resemblance to any other content are purely accidental. The article is not advice for life, career, business, or investment. Do your research before adopting any options.
Unite and Empower Humanity.
#biometrics #security #cybersecurity #privacy
Sep 22, 2022
Only shows that there will always be those who will cheat the system. These security measures are not safe at all.