Biometric (and other) authentication CAN be spoofed…but it isn’t easy

A few days ago, Liam Tung of ZDNet wrote an article entitled “Windows 10 security: Here’s how researchers managed to fool Windows Hello.”

Those who read the title of the article may conclude that biometrics is a terrible authentication method because it can be spoofed.

Just a picture of candy. Nothing special. By Jebulon – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=27753729

Well, until they come to the third paragraph of the article.

The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.

Of course, if the target is a really important target such as a world leader, it might be worth it to go to all of that effort to execute the attack.

However, the difficult attack would be much more difficult to execute if the authentication system required multiple biometrics, rather than just one.

And the attack would be even more difficult still if the authentication system employed multiple authentication factors, rather than the single “something you are” factor. If you have to spoof the fingerprint AND the face AND the driver’s license AND the five digit PIN AND the geolocation, and you don’t know in advance WHICH factors will be requested, it’s still possible to gain access, but it’s not easy.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s