Biometrics and beyond: Online authentication techniques get personal


How do facial recognition systems get bypassed by attackers?

Researchers found that facial recognition systems can be bypassed with 3D models. Expert Nick Lewis explains how these spoofing attacks work and what can be done to prevent them.

Researchers have managed to bypass facial recognition systems using 3D models created using pictures of the target user found on social media. An increasing number of applications use face authentication technologies and other biometric data for verification, but are these technologies secure enough for enterprise use? How can organizations prevent spoofing attacks like this?

People typically think of passwords as synonymous with enterprise authentication, but many enterprises use more than just passwords. Biometrics, such as facial recognition systems, are a well-known form of second-factor authentication.

Biometrics have typically been used in processes with higher security requirements because of the perception that they are more secure. However, biometric systems have two failure modes, in which unauthorized users are accepted and authorized users are locked out, in addition to other implementation errors. The use of biometrics also introduces privacy risks because, while an individual can change a password or obtain a new second factor, it can be difficult or even impossible to change a user's biometric data. When implementing these systems, enterprises must ensure the connection between the biometric sensor and the authentication system is secure.
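As an added illustration of the two failure modes described above (this is not code from the original article): a biometric matcher accepts a sample when its similarity score meets a threshold, and sweeping that threshold over constructed genuine and impostor scores shows how false accepts and false rejects trade off.

```python
"""Added example: false accepts vs. false rejects in a biometric matcher.

A matcher compares a live sample against the enrolled template and emits a
similarity score; scores at or above the threshold are accepted. A low
threshold lets impostors in (false accepts), a high one locks legitimate
users out (false rejects). All scores below are constructed, not measured
on any real system.
"""
from typing import List, Tuple

# Constructed similarity scores (0.0-1.0) for the two populations.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61]   # true user
IMPOSTOR_SCORES = [0.12, 0.25, 0.33, 0.41, 0.48, 0.55, 0.63, 0.71]  # other people


def error_rates(threshold: float, genuine: List[float],
                impostor: List[float]) -> Tuple[float, float]:
    """Return (FAR, FRR) for one accept threshold.

    FAR: fraction of impostor attempts accepted (unauthorized access).
    FRR: fraction of genuine attempts rejected (authorized user locked out).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_threshold(genuine: List[float], impostor: List[float],
                          step: float = 0.01) -> float:
    """Sweep thresholds and return the first where FAR and FRR are closest."""
    best_t, best_gap = 0.0, float("inf")
    t = 0.0
    while t <= 1.0:
        far, frr = error_rates(t, genuine, impostor)
        if abs(far - frr) < best_gap:
            best_t, best_gap = t, abs(far - frr)
        t = round(t + step, 2)
    return best_t


if __name__ == "__main__":
    for t in (0.50, 0.65, 0.80):
        far, frr = error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("equal-error threshold ~", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold from 0.50 to 0.80 drives the false-accept rate to zero but rejects most genuine attempts, which is why a deployment has to pick the operating point deliberately rather than accept a vendor default.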

The use of biometrics can be much more secure and convenient than passwords if the system is securely designed and implemented. Attacks on biometrics, like the "gummy fingers" hack and attackers using facial models, expose weaknesses in biometric systems.

Researchers studying facial authentication at the University of North Carolina at Chapel Hill achieved authentication using a virtual reality (VR) model of an authorized user's face built from data in still pictures. This built on the gummy finger attacks on fingerprint readers, after which manufacturers had to add liveness detection and other checks to ensure their sensors couldn't be bypassed by these methods. All facial recognition systems include some degree of liveness detection, so a static model can't be used for unauthorized access. However, the researchers were able to bypass most facial recognition systems with the VR model.

The researchers made recommendations to manufacturers of facial recognition systems, such as projecting changing light onto the face, detecting a pulse or detecting infrared light. Enterprises using facial recognition for authentication in high-risk environments may want additional security controls in place, such as surveillance cameras that record the authentication process; the video can then be reviewed to determine if and how an attacker bypassed authentication.

Any enterprise implementing a new authentication technology must perform a security assessment of the system to determine whether any of the common security problems are present, or use third-party testing or reviews to ensure the system is sufficiently secure. Enterprises may also want to evaluate whether and how updates can be deployed to the system so that it remains secure.


This was last published in January 2017
