Biometrics is Inherently Unreliable

By Debesh Choudhury | TechFuture | 20 Jun 2024


While using biometrics recognition can be convenient, but biometrics recognition is inherently probabilistic and not deterministic. The probabilistic trait of biometrics recognition makes it unreliable. Besides, biometrics has many other challenges and vulnerabilities, such as spoofing, 'credential stuffing,' etc. Hence, biometrics can lower security.

13e7dd8531228b72d3bbbc1709947ea873dcb6b306d6aa4f65519025b9f23c85.jpg


 

What is biometrics?

  • Biometrics involves the utilization of distinct physiological or behavioral traits of humans to authenticate or identify individuals.

However, biometrics authentication technology is inherently probabilistic, and unreliable, and hence biometrics lowers security.


 

Biometrics has been a subject of my research for almost two decades.

I started carrying out three-dimensional (3D) object recognition in the winter of 2000. Then I was on a postdoctoral research stint at the University of Electro-Communications, Tokyo.

  • In 2001, I developed a technique for 3D object recognition using pattern projection and Fourier-fringe analysis.

  • I published some research papers in a peer-reviewed journal with my faculty advisor, Prof. Mitsuo Takeda. The research results were also presented at international conferences.

  • Later, I applied our 3D object recognition technique to 3D human face recognition.

  • From 2005 to 2018, I devoted much effort to biometrics recognition technology, especially 3D facial and multimodal biometrics research. I developed techniques for privacy-protected 3D face and multimodal face-plus-fingerprint biometrics.

Apple's 3D face ID is a similar technique that came much later in 2016 as a new feature in their new smartphone iPhone X.


 

Biometrics recognition technology is inherently probabilistic and, hence, unreliable.

I must admit that biometrics authentication is unreliable because biometrics recognition is inherently probabilistic.

  • The recognition process of all biometrics relies on the probabilistic judgment of human beings' variable physical and behavioral features.

  • Human physiological features continually change with growing age. In accidents, humans may also lose some physical body parts or behavioral characteristics due to diseases.

  • Some biometric recognition varies with illumination and skin color (e.g., a face). Thus, biometrics' probabilistic recognition processes may often yield unreliable results.


 

Biometrics is not fit to be used as the default authentication factor or password.

The mainstream media propagate biometrics technology as a more secure authentication factor. On the contrary, biomerics can lower security.

The promoters of biometrics are deliberately taking their eyes away from the security-lowering features of biometrics technology and making a rush to force biometrics into the market.

The utility of biometrics is limited due to the following principal reasons.

In the earlier section, we mentioned that an authentication system requires the recognition result to authenticate the right person deterministically.

The biometric False Match Rate (FMR) and False Rejection Rate (FRR) do not give us confidence in adopting them for subscriber authentication. Moreover, FMR and FRR do not account for spoofing attacks.

Spoofing biometrics has become a common practice for criminals. Fingerprint, face, and iris scans are regularly spoofed.

  • People can't keep biometrics traits secret.

Criminals can copy biometric traits online or by taking a picture of citizens with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high-resolution cameras (e.g., for iris patterns).

Once the biometrics data are hacked/stolen, those are lost forever. One can't reset biometrics like passwords. The hacked biometric data remains in the hands of the hackers forever. This problem may be called the "Biometric Data Breach Conundrum."

Liveness detection is a technique that brings smiles to the faces of the promoters of biometrics as a password. Can liveness detection permanently defeat the biometrics spoofing attacks?

Biometrics liveness detection, such as face or fingerprints, is associated with live changes from living humans' biometric data. The detected liveness data are utilized to validate the actual person and reject the spoof.

Biometrics spoofing technology is progressing at an alarming rate. Many security research groups can bypass liveness sensors. If people use biometrics as the only (or default) authenticating measure, criminals might try to misuse biometrics liveness detection.

The credential attacks are associated with reused passwords and usernames. The hackers can use data collected from previous hacks of accounts worldwide. Since people use the same biometrics for all online authentications, there is no way to avoid 'credential stuffing' in biometrics.


 

Biometrics is not a fallacy; it is real. However, biometrics is inherently unreliable and can compromise security.

  • Biometric features are somewhat unique physiological and behavioral signatures of humans. Hence, biometrics is not a fallacy.

  • As a long-time biometrics researcher, I was deeply interested in applying biometrics recognition techniques for human authentication and identification.

But, biometrics recognition is inherently probabilistic and hence unreliable.

Moreover, there are other problems with biometrics, such as false match rate and false rejection rate, biometrics spoofs, biometrics data breach conundrum, credential stuffing, etc.

  • As a result, biometrics can compromise security.

  • Due to several drawbacks, biometrics technology doesn't give us the confidence to adopt it for authentication tasks.

  • The adopters of biometrics-only authentication worldwide may fall into the catastrophic black hole of no return.

People can use biometrics in very limited applications, such as access entry under the supervision of security staff or digital forensics to help the police department get additional information about criminals.


 

<> Originally published in my LinkedIn Newsletter.

 

------------

About me

I am a researcher and contribute to the overlapping areas of STEAM (Science, Technology, Engineering, Arts, and Mathematics). I am an active user and promoter of GNU/Linux, free and open-source software. I develop cybersecurity and information security solutions, specifically graphical authentication security.


 

Cheers!

Debesh Choudhury

Text Copyright © 2024 Debesh Choudhury — All Rights Reserved

Join me at

YouTube, Twitch, CashRain, Odysee, LinkedIn, Twitter, Publish0x, ReadCash, and Facebook.

Earn passive income by sharing unused Internet bandwidth with Grass, Honeygain and Peer2Profit.

Cover Image: I created a GIF using title texts and an image by Gerd Altmann on Pixabay.

All other images are either drawn/created/screenshots by myself or credited to the respective artists/sources.

Disclaimer: All texts are mine and original. Any similarity and resemblance to any other content are purely accidental. The article is not advice for life, career, business, or investment. Please do your research before you adopt any options.

Unite and Empower Humanity.

biometrics authentication passwords cybersecurity dataprivacy datasecurity passwordsecurity technology

Friday, June 21, 2024

How do you rate this article?

34


Debesh Choudhury
Debesh Choudhury

I am a solution architect for Digital Identity, Data Privacy, Password & Cybersecurity, Distributed Ledgers, IoT, a researcher & academician of Electronics, Computer Eng. & IT, an Entrepreneur & Tech Blogger.


TechFuture
TechFuture

TechFuture will publish short articles on future technologies that will make the world a better place to live. It will include digital identity, data privacy, passwords & cybersecurity, cryptocurrencies, and many more.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.