Can simple photography beat biometric systems?

Simple photography cracking biometric systems highlights the need for two-factor authentication in enterprises, according to expert Randall Gamby.

I heard about a security researcher who claimed to be able to beat fingerprint and retinal scan biometric systems using simple photography. While the accuracy is not yet confirmed, these claims are unsettling. Should my enterprise -- which implements fingerprint security measures -- be concerned? To what extent does this cast doubt on the integrity of biometric authentication systems?

As a form of additional two-factor authentication, biometric checks can be used successfully for identity assurance. However, the security of these mechanisms as the sole source of identity proofing is questionable. As with any credential, when used without additional checks, they can be subject to spoofing. This isn't the first instance of commercially available biometric products being overcome by simple photography, though most likely governmental DoD high-security devices are more difficult to beat.

The key to ensuring security is to fully implement two-factor authentication processes, using something you have and something you know. Biometric appliances answer the first part of the equation, but they should be used in conjunction with a PIN, password, passphrase or some other form of "something you know" type of authentication to be fully effective.


This was last published in June 2015


Join the conversation



Yes, two factor authentication works, though it sometimes can seem/be like a tedious, time-sucking PITA. But, hey, it works, right... Or it will until someone figures out how to clone your phone and spoof the system that way.

Let's face it. Almost nothing is impenetrable, given enough ingenuity, time and effort.

Surely recognition software has grown advanced enough - or SHOULD have - to tell the difference between my iris and a picture of my iris. Even a high-res picture. Maybe I'm missing something, but instituting that level of functionality doesn't seem like brain surgery or rocket science or whatever metaphor you prefer.

If the right type of, say, thumb-print scanner is used, a photograph will NOT work. Right now medical technology offers devices that can detect not only body temp. but also blood-pressure and pulse rate through the skin. They are used at the VA, therefore I assume that this technology has been around for some time now. These other measures can be easily incorporated into a thumb-scanner, and indeed some of the more expensive scanners do (around 100 - 200 dollars). Incorporating such a device into a smart-phone or other mobile device is a bit challenging, but it can be done. Once biometrics "takes-off" as part of the two factor authentication process, the prices for these devices will drop.

Two factor authentication is a little more involved but the flip side is worth it to me. As for devices that can detect body temp and blood pressure? I don't think that is reliable. My BP varies from 110/80 to as much as 130/95. If I've just worked out or I am under a lot of stress, does that mean with this two factor method I'm locked out? I do not know if we can ever get to 100% foolproof.