Researchers have managed to bypass facial recognition systems using 3D models created using pictures of the target user found on social media. An increasing number of applications use face authentication technologies and other biometric data for verification, but are these technologies secure enough for enterprise use? How can organizations prevent spoofing attacks like this?
People typically think of passwords as synonymous with enterprise authentication, but many enterprises use more than just passwords. The use of biometrics, as in facial recognition systems, is a well-known form of second-factor authentication.
Biometrics have typically been used in processes with higher security requirements because they are perceived to be more secure. However, biometric systems have failure modes in which unauthorized users are accepted and authorized users are locked out, and they are subject to other implementation errors. The use of biometrics also introduces privacy risks: an individual can change a password or get a new second factor, but it can be difficult or even impossible to change a user's biometric data. When implementing these systems, enterprises must ensure the connection between the biometric sensor and the authentication system is secure.
The use of biometrics can be much more secure and convenient than passwords if it is securely designed and implemented. Attacks on biometrics, like the "gummy fingers" hack and attackers using facial models, expose weaknesses in biometric systems.
Researchers studying facial authentication at the University of North Carolina at Chapel Hill achieved authentication using a virtual reality (VR) model of an authorized user's face built from still pictures. This built on the gummy finger attacks against fingerprint readers, after which manufacturers needed to add liveness detection and other checks to ensure their sensors couldn't be bypassed using these methods. All facial recognition systems include some degree of liveness detection, so a static model couldn't be used for unauthorized access. However, the researchers could bypass most facial recognition systems with the VR model.
The researchers made recommendations to manufacturers of facial recognition systems, such as projecting changing light patterns onto the face, detecting a pulse or detecting infrared light. Enterprises using facial recognition systems for authentication in high-risk environments may want to have other security controls in place, like surveillance cameras that record the authentication process. The video can be reviewed to determine if and how an attacker bypassed authentication.
Any enterprise implementing a new authentication technology must perform a security assessment of the system to determine whether any of the common security problems are present, or use third-party testing or reviews to ensure the system is sufficiently secure. Enterprises may also want to evaluate if and how updates can be deployed to the system, so that it remains secure over time.