BSI: Biometrics for authentication – it's complicated
The BSI has examined the user-friendliness and IT security of biometric procedures in two-factor authentication. It offers no one-size-fits-all recipe.
(Image: HQuality/Shutterstock.com)
Many security experts recommend that consumers use two-factor authentication (2FA) instead of the usual combination of username and password for secure login to online services. Biometrics is increasingly being used as the second factor. The technical requirements for this, for example in smartphones and laptops, are now widespread. Touching a sensor with your finger or holding your face up to a camera seems quick and easy. But is this technology generally secure? The German Federal Office for Information Security (BSI) investigated this question from the perspective of digital consumer protection and published a white paper on Friday.
Particularly high requirements
A key finding of the paper: biometrics for 2FA can increase user-friendliness. "Unlike passwords, a face or finger cannot normally be forgotten or lost," it says. In addition, changes "due to ageing, injury or illness" could be compensated for by re-enrolling the biometric features. At the same time, however, once biometrics have been compromised, it is no longer possible to restore the relevant identifiers. Therefore, particularly high demands must be placed on the IT security of the procedures.
In the study, the BSI looks at fingerprint and facial recognition as replacements for the knowledge factor (PIN or password). Other methods are not widely used, and iris recognition will probably only be "reintroduced by well-known device providers in the future". The authors write that a general assessment of the security of biometric procedures is "not possible due to the variety of products and application scenarios as well as the wide range of implementations. The individual case must be considered."
For example, recognition accuracy is relevant when weighing security against usability. Higher accuracy could mean greater security, but would impair usability because of potentially more false rejections. Conversely, lower accuracy leads to better usability in everyday use, but at the same time to lower security of the system.
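The trade-off the BSI describes is usually expressed as a false accept rate (FAR, impostors wrongly matched) against a false reject rate (FRR, legitimate users wrongly refused), both of which move in opposite directions as the match threshold changes. The following example, added here and not taken from the BSI paper, computes both rates over a constructed set of match scores and sweeps the threshold to show where the two error rates balance; the scores, the threshold grid and the function names are all assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample match scores in the range 0..1 (higher = closer match).
# These are illustrative values, not output of any real sensor or matcher.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.83]
IMPOSTOR_SCORES = [0.20, 0.35, 0.55, 0.10, 0.48, 0.62, 0.30, 0.25, 0.72, 0.40]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    far: float  # false accept rate: share of impostor scores at or above threshold
    frr: float  # false reject rate: share of genuine scores below threshold


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR and FRR for one decision threshold.

    A score >= threshold is accepted as a match; anything below is rejected.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return ErrorRates(threshold, far, frr)


def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Evaluate every candidate threshold so the trade-off curve can be inspected."""
    return [error_rates(t, genuine, impostor) for t in thresholds]


def equal_error_point(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FAR and FRR are closest (a common summary of matcher quality).

    Raising the threshold above this point buys security at the cost of more
    false rejections; lowering it does the reverse.
    """
    return min(sweep(thresholds, genuine, impostor), key=lambda r: abs(r.far - r.frr))


# Candidate thresholds 0.50, 0.55, ..., 0.95 (an assumed grid for the demo).
THRESHOLDS = [i / 100 for i in range(50, 100, 5)]

if __name__ == "__main__":
    for r in sweep(THRESHOLDS):
        print(f"threshold={r.threshold:.2f}  FAR={r.far:.2f}  FRR={r.frr:.2f}")
    eer = equal_error_point(THRESHOLDS)
    print(f"FAR and FRR balance near threshold {eer.threshold:.2f}")
```

With these constructed scores a loose threshold of 0.5 rejects no genuine user but accepts three of ten impostors, while a strict threshold of 0.8 accepts no impostor but turns away two of ten genuine users; a deployment has to choose its point on that curve deliberately rather than inherit a vendor default.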
Hackers outwit biometric systems again and again
In general, the BSI advises that the finger or face data required for the biometric process and for matching should always be saved as a sample or template so that "the original image cannot be accessed". It is also advisable to store the template in secure memory and to process the biometric information in an encapsulated area. Forgery detection is also "an important component of secure biometric procedures. The technology used should therefore be able to prevent access to services through forgery or even attempted attacks", for example by simply holding up a photo.
In Germany, the Chaos Computer Club (CCC) caused a stir in 2008 when it published a fingerprint of former Federal Minister of the Interior Wolfgang Schäuble in the club magazine "Datenschleuder". At the time, a glass from which the CDU politician had drunk had found its way to the hackers. In 2014, the CCC showed that direct contact with physical objects is no longer necessary to capture biometric features and then create dummies. A photo taken from a distance of a few meters is sufficient.
The BSI therefore also recommends limiting the attack window to a certain time interval or a maximum number of attempts. Further measures include falling back to another factor (knowledge or possession) and offering the use of different biometric characteristics.
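The combination of a bounded number of attempts within a time window and a fall-back to a different factor can be expressed as a small policy object. The example below is added here and is not from the BSI paper or any particular product: it keeps a sliding window of failed biometric matches per account, refuses further biometric matching once the budget is exhausted, and hands the flow over to a knowledge or possession factor supplied by the caller. The class and function names, the default limits and the scripted scenario are all assumptions for illustration.

```python
from collections import deque


class BiometricAttemptLimiter:
    """Sliding-window budget for failed biometric matches, kept per account.

    Once max_failures failures fall inside window_seconds, biometric matching is
    refused for that account until the oldest failure ages out of the window.
    """

    def __init__(self, max_failures=3, window_seconds=300):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = {}  # account -> deque of failure timestamps (seconds)

    def _recent(self, account, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        return q

    def biometric_allowed(self, account, now):
        return len(self._recent(account, now)) < self.max_failures

    def record_failure(self, account, now):
        """Record a failed match; returns False once the budget is used up."""
        q = self._recent(account, now)
        q.append(now)
        return len(q) < self.max_failures

    def record_success(self, account):
        # A successful match clears the counter for that account.
        self._failures.pop(account, None)


def authenticate(limiter, account, now, biometric_match, fallback_factor):
    """One login attempt. Returns the path that granted access, or None.

    biometric_match and fallback_factor are callables returning True/False;
    they stand in for the matcher and for the PIN/token check respectively.
    """
    if limiter.biometric_allowed(account, now):
        if biometric_match():
            limiter.record_success(account)
            return "biometric"
        limiter.record_failure(account, now)
        return None  # biometric retry still possible while budget remains
    # Budget exhausted: biometrics is no longer offered, use the other factor.
    return "fallback" if fallback_factor() else None


def scripted_scenario():
    """Constructed sequence: three failed matches, then a fourth attempt.

    Returns the outcome of each attempt plus whether biometrics is offered
    again once the window has passed.
    """
    limiter = BiometricAttemptLimiter(max_failures=3, window_seconds=300)
    outcomes = []
    for t in (0, 10, 20, 30):
        outcomes.append(
            authenticate(limiter, "alice", t, lambda: False, lambda: True)
        )
    reopened = limiter.biometric_allowed("alice", 320)
    return outcomes, reopened


if __name__ == "__main__":
    print(scripted_scenario())
```

The budget is tracked per account rather than per device so that a replay of the same dummy against several devices still runs into the same limit; at the same time the window ages out automatically, which avoids a permanent lock-out that an attacker could otherwise trigger on purpose to deny the legitimate user the convenient factor.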
(vbr)