New findings from New York University Tandon and Michigan State University on “synthetic biometrics” show how fake biometrics could potentially be used. The paper is “DeepMasterPrints: Generating MasterPrints for Dictionary Attacks”, and the Guardian covered it in the story “Fake fingerprints can mimic real ones in biometric systems”. In response, a cybersecurity expert with OneSpan offers perspective.
Sam Bakken, Senior Product Marketing Manager at OneSpan:
“This is impressive research that will contribute to continued improvement in the security of biometric authentication, but that doesn’t mean it’s time for financial institutions to give up on fingerprint recognition and authentication. The research was conducted in a laboratory environment with plenty of resources, and while that doesn’t invalidate the findings, the costs of executing such an attack are far from negligible and attackers probably don’t see a good return-on-investment at this time. In addition, no security system should rely solely on fingerprint authentication. Defense-in-depth with multiple safeguards can prevent such an attack. A layered approach might include taking into account additional contextual data (e.g., whether the authentication event is taking place on a compromised device or via an emulator, etc.) to score the risk associated with the transaction and if that risk is too high, ask the user to provide another authentication factor. Finally, 62 percent of U.S. consumers choose fingerprint as their first or second preference for logging into their banking accounts according to a recent survey from Javelin Strategy & Research. Adding stronger authentication along with other safeguards provides strong security for users and their banking institutions.”
Bimal Gandhi, Chief Executive Officer at Uniken:
“This news of potential synthetic biometrics is alarming and could eventually turn out to be a new permutation in credential stuffing, as hackers are able to access parts of fingerprints, reproduce them, then use them in large-scale attacks. Institutions seeking to thwart the threat of these attacks need to move beyond relying solely on a biometric, and consider invisible multifactor authentication solutions that cannot be replicated by third parties, such as cryptographic key-based authentication combined with device, environmental and behavioral technologies. By their very nature, they are easy to use, issued and leveraged invisibly to the user, defying credential stuffing and the threat of synthetic biometrics.”