Biometric Security
Has always been an oxymoron.
Cyber attacks using AI-generated deepfakes to bypass facial biometrics security will lead a third of organizations to doubt the adequacy of identity verification and authentication tools as standalone protections. Or so says consultancy and market watcher Gartner, as deepfakes dominate the news since sexually explicit AI- …
I think you are missing the point. You can change a password if you need to. You cannot change your biometrics quite so easily.
Biometrics is primarily used so governments can match faces to data. Hence the 'need' to send video to HMG to get your Covid pass app working.
Yes. That's the rekeying problem with biometrics.
Another is non-delegation: you can't give a copy of your face to someone else, so everyone who authenticates with biometrics is creating another instance of the bus problem. Personally, when I perish,[1] I'd like my heirs to be able to get into things like the email account I (reluctantly) use for business purposes, and my phone, and so on. In fact, I might well want to delegate access just for the sake of convenience.
Then there's the fairly miserable history of biometric-sensor compromises. Sure, they keep getting better. So do attacks.
And there's the compulsion risk: Being forced by criminals to supply biometric access is often more dangerous than being forced to supply, say, a password, because you don't have to be physically present for the latter (and, for that matter, neither do the criminals). On the other side of the fence, in the US, police can compel you to use biometric identification to unlock a personal device without a warrant, but they can't compel a password unless they have a warrant.
Biometrics are terrible authenticators. Always have been, always will be. Their one benefit is that they have low cost to users, so they can be used to get lazy or ill-informed users to improve security slightly.
[1] Wrestling a supervillain over the rim of an active volcano, presumably.
The 3D sensors like Face ID would be fooled by a 3D model, and given enough 2D images from various angles the right software could transform that into a "program" for a 3D printer to print a model of the person's face that would pass.
Sounds like Apple might need to upgrade Face ID in future phones so that it checks for "liveness" via stuff like seeing a pulse under the skin and requiring some evidence of movement of the eyes (maybe the involuntary movements everyone does would be enough). They probably don't need to worry about this today, but the clock is ticking.
In that game there's one altar, stone, bowl or what-not after another that unlock treasure, gate, thingamabob by giving blood. I squirm every time my character pulls out a honking big knife and goes **slice**.
But maybe that's what we need. We'll all be more anaemic than visitors to a vampire convention.
Icon is what happens when you bumble into a red dragon's den and roll a critical fail.
I've been trying to find these Taylor Swift deepfake hot hot hot images for days and all I get is pictures of some woman's head and a lot of words about how naughty these pictures are...
I can even find pictures of a Florida man in a mankini which is truly disturbing, but no TS fiddly bits.
The internet is disappointing.
Biometrics can only ever provide your "username" part of a credential - who you are CLAIMING to be.
They cannot, should not, probably never will, provide your "password" part of a credential - proving that you're that person.
Anyone who thinks otherwise shouldn't be in charge of computer security ANYWHERE in the world.
If I walk up to a face-scanner and it says "Hi Lee D, please authenticate" - that's absolutely fine. If it gets it wrong, no big deal.
If I walk up and it JUST LETS ME IN, that's terrible, awful security that should never be allowed.
The BBC are currently sending FoI Act requests to loads of schools about biometrics - they are obviously prepping for a big story on it.
And in some schools, you can see face-recognition, etc. being used for AUTHENTICATION for things like cashless catering, etc. which is just wrong. Even in an enclosed, secure, low-impact environment, it's just wrong to teach kids that the computer knows who you are 100% to the point it can charge your parents money for your lunch.
Also, every single time I've been sent on the same errand that almost every employer of mine has sent me on - to investigate biometrics - the answer is the same. Under the age of 11, forget it. The markers move far too fast at that age to be reliable, even for fingerprint, etc.
I've always refused to deploy biometrics for the same reason - it's a convenience function to stop you typing in your username at best. It's identification, NOT authentication. But Windows Hello, fingerprint buttons on laptops, etc. have other ideas, and so they are disabled. In favour of passwords, 2FA and actual authentication methods, not toys.
A biometric on its own is still only one factor. A fancy factor maybe, a sci-fi factor possibly but still only one.
Possibly in the future facial recognition might be considered a bit like SMS tokens. That being better than nothing but not a proper factor since it's too easy to circumvent or has too broad an attack surface.
We'll be fitting actual physical key locks to doors again soon.