Rise of deepfake threats means biometric security measures won't be enough

Cyber attacks using AI-generated deepfakes to bypass facial biometrics security will lead a third of organizations to doubt the adequacy of identity verification and authentication tools as standalone protections. Or so says consultancy and market watcher Gartner, as deepfakes dominate the news since sexually explicit AI- …

  1. Anonymous Coward

    Biometric Security

    Has always been an oxymoron.

    1. Danny 14

      Re: Biometric Security

      It depends what biometric security you are using.

      Iris is quite secure if you are using a proper scanner and not a camera. Webcam anything is not. Fingerprint scanners aren't either but true palm readers are.

      1. Tron Silver badge

        Re: Biometric Security

        I think you are missing the point. You can change a password if you need to. You cannot change your biometrics quite so easily.

        Biometrics is primarily used so governments can match faces to data. Hence the 'need' to send video to HMG to get your Covid pass app working.

        1. Michael Wojcik Silver badge

          Re: Biometric Security

          Yes. That's the rekeying problem with biometrics.

          Another is non-delegation: you can't give a copy of your face to someone else, so everyone who authenticates with biometrics is creating another instance of the bus problem. Personally, when I perish,¹ I'd like my heirs to be able to get into things like the email account I (reluctantly) use for business purposes, and my phone, and so on. In fact, I might well want to delegate access just for the sake of convenience.

          Then there's the fairly miserable history of biometric-sensor compromises. Sure, they keep getting better. So do attacks.

          And there's the compulsion risk: Being forced by criminals to supply biometric access is often more dangerous than being forced to supply, say, a password, because you don't have to be physically present for the latter (and, for that matter, neither do the criminals). On the other side of the fence, in the US, police can compel you to use biometric identification to unlock a personal device without a warrant, but they can't compel a password unless they have a warrant.

          Biometrics are terrible authenticators. Always have been, always will be. Their one benefit is that they have low cost to users, so they can be used to get lazy or ill-informed users to improve security slightly.

          ¹ Wrestling a supervillain over the rim of an active volcano, presumably.

  2. Mishak Silver badge

    Biometrics

    Should be ok with a decent (3D, IR) sensor, but deepfake will trick the "show us your face on the camera" approach that the banks like to use*.

    * Natwest restrict how much I can send from my account as I refuse to enable it.

    1. DS999 Silver badge

      Re: Biometrics

      The 3D sensors like Face ID would be fooled by a 3D model, and given enough 2D images from various angles the right software could transform that into a "program" for a 3D printer to print a model of the person's face that would pass.

      Sounds like Apple might need to upgrade Face ID in future phones so that it checks for "liveness" via stuff like seeing a pulse under the skin and requires some evidence of movement of the eyes (maybe the involuntary movements everyone does would be enough). They probably don't need to worry about this today, but the clock is ticking.

      1. DeathSquid

        Re: Biometrics

        Those are easy enough to fake.

        1. DS999 Silver badge

          Re: Biometrics

          So then you scan the iris instead. Sure it is POSSIBLE to come up with ways around everything that is done, but at some point it is not practical as an attack versus e.g. calling up Cellebrite and getting them to hack into the hardware for you.

          1. druck Silver badge

            Re: Biometrics

            All you need is a syringe and the recently acquired eyeball and tap the end to simulate a pulse, works for fingers too.

  3. CountCadaver Silver badge

    It's like those who push this stuff are completely technically illiterate or their approach to risk is they think it's all "that science fiction stuff" or "as I saw in <movie> facial recognition can tell if you're alive and images don't work, computers are smarter than that" *facepalm*

  4. Michael Hoffmann Silver badge

    Baldur's Gate approach needed

    In that game there's one altar, stone, bowl or what-not after another that unlock treasure, gate, thingamabob by giving blood. I squirm every time my character pulls out a honking big knife and goes **slice**.

    But maybe that's what we need. We'll all be more anaemic than visitors to a vampire convention.

    Icon is what happens when you bumble into a red dragon's den and roll a critical fail.

    1. Androgynous Cupboard Silver badge

      Re: Baldur's Gate approach needed

      Or just ask the person video calling to reset their password to give you instructions on how to make a bomb. If it refuses, you’re talking to ChatGPT

    2. Danny 14

      Re: Baldur's Gate approach needed

      DNA locks would work except you can end up with a Gattaca situation to fool it.

  5. ldo

    “On The Internet, Nobody Knows You’re A Dog”

    Anybody remember that old Rich Tennant cartoon? He was practically my introduction to the concept of “geek humour”.

    Now with AI, we can take it further: “On The Internet, Nobody Knows You’re Not A Carbon-Based Lifeform”.

  6. xyz Silver badge

    Help!

    I've been trying to find these Taylor Swift deepfake hot hot hot images for days and all I get is pictures of some woman's head and a lot of words about how naughty these pictures are...

    I can even find pictures of a Florida man in a mankini which is truly disturbing, but no TS fiddly bits.

    The internet is disappointing.

    1. Michael Wojcik Silver badge

      Re: Help!

      The internet is disappointing.

      Motto!

      For pretty much our entire civilization, at this point.

  7. Lee D Silver badge

    Biometrics can only ever provide your "username" part of a credential - who you are CLAIMING to be.

    They cannot, should not, probably never will, provide your "password" part of a credential - proving that you're that person.

    Anyone who thinks otherwise shouldn't be in charge of computer security ANYWHERE in the world.

    If I walk up to a face-scanner and it says "Hi Lee D, please authenticate" - that's absolutely fine. If it gets it wrong, no big deal.

    If I walk up and it JUST LETS ME IN, that's terrible, awful security that should never be allowed.

    The BBC are currently sending FoI Act requests to loads of schools about biometrics - they are obviously prepping for a big story on it.

    And in some schools, you can see face-recognition, etc. being used for AUTHENTICATION for things like cashless catering, etc. which is just wrong. Even in an enclosed, secure, low-impact environment, it's just wrong to teach kids that the computer knows who you are 100% to the point it can charge your parents money for your lunch.

    Also, every single time I've been sent on the same errand that almost every employer of mine has sent me on - to investigate biometrics - the answer is the same. Under the age of 11, forget it. The markers move far too fast at that age to be reliable, even for fingerprint, etc.

    I've always refused to deploy biometrics for the same reason - it's a convenience function to stop you typing in your username at best. It's identification, NOT authentication. But Windows Hello, fingerprint buttons on laptops, etc. have other ideas, and so they are disabled. In favour of passwords, 2FA and actual authentication methods, not toys.

    1. 0laf Silver badge

      MFA

      A biometric on its own is still only one factor. A fancy factor maybe, a sci-fi factor possibly but still only one.

      Possibly in the future facial recognition might be considered a bit like SMS tokens. That being better than nothing but not a proper factor since it's too easy to circumvent or has too broad an attack surface.

      We'll be fitting actual physical key locks to doors again soon.
