
How do facial recognition systems get bypassed by attackers?

Researchers found that facial recognition systems can be bypassed with 3D models. Expert Nick Lewis explains how these spoofing attacks work and what can be done to prevent them.

Researchers have managed to bypass facial recognition systems using 3D models created using pictures of the target user found on social media. An increasing number of applications use face authentication technologies and other biometric data for verification, but are these technologies secure enough for enterprise use? How can organizations prevent spoofing attacks like this?

People typically think of passwords as synonymous with enterprise authentication, but many enterprises use more than just passwords. The use of biometrics, like in facial recognition systems, is a well-known form of second-factor authentication.

Biometrics have typically been used in processes with higher security requirements due to the perception that they are more secure. However, biometrics have failure modes in which unauthorized users can access the system and authorized users can be locked out, and they are subject to other implementation errors as well. The use of biometrics also introduces privacy risks because, while an individual can change a password or get a new second factor, it can be difficult or even impossible to change a user's biometric data. During implementation of these systems, enterprises must ensure the connection between the biometric sensor and the authentication system is secure.

The use of biometrics can be much more secure and convenient than passwords if it is securely designed and implemented. Attacks on biometrics, like the "gummy fingers" hack and attackers using facial models, expose weaknesses in biometric systems.

Researchers studying facial authentication at the University of North Carolina at Chapel Hill achieved authentication using a virtual reality (VR) model of an authorized user's face created based on data from still pictures. This built on the gummy finger fingerprint reader attacks, after which manufacturers needed to add liveness detection and other checks to ensure their sensors couldn't be bypassed using these methods. All facial recognition systems include some degree of liveness detection, so a static model couldn't be used for unauthorized access. However, the researchers could bypass most facial recognition systems with the VR model.

The researchers made recommendations to manufacturers of facial recognition systems, such as adding changing lighting projection, pulse detection or detection of infrared light. Enterprises using facial recognition systems for authentication in high-risk environments may want to have other security controls in place, like surveillance cameras to record the authentication process. The video can be reviewed to determine if and how an attacker bypassed authentication.

Any enterprise implementing a new authentication technology must perform a security assessment of the system to determine if any of the common security problems are present, or utilize third-party testing or reviews, to ensure the system is sufficiently secure. Enterprises may also want to evaluate if and how updates can be deployed to the system, to ensure the system remains secure.


This was last published in January 2017
