Touted as a promising new solution to bolster digital security, biometric technology is rapidly growing and evolving as a reliable means of authentication that is already being widely used across various sectors. However, researchers have found that the technology may not be quite as secure as it seems.
At the Usenix security conference earlier this month, researchers from the University of North Carolina demonstrated a system that uses digital 3D facial models, based on photos taken from social networks such as Facebook, shown on a smartphone's screen to successfully beat facial recognition software.
Collecting publicly available photos of 20 volunteer subjects from image search engines and social networks such as Facebook, LinkedIn and Google+, much like any online stalker would do, the researchers said they could find between three and 27 photos of each volunteer online. Although most of the participants were security researchers keen on protecting their privacy online, the researchers said they were able to dig up at least three photos for each subject.
"We could leverage online pictures of the [participants], which I think is kind of terrifying," study author True Price told Wired. "You can't always control your online presence or your online image."
The UNC researchers created 3D models of the subjects' faces, added facial animations and adjusted the eyes to look directly at the camera. If the photo didn't show the subject's whole face, they improvised by recreating the missing parts and adding in textures and shadows.
They then tested the virtual reality face models on five authentication systems, Mobius, KeyLemon, TrueKey, BioID and 1D, all of which are readily available via consumer software vendors such as the iTunes Store and Google Play Store. Researchers found that they could trick four out of five of these systems, which are used to lock smartphones and safeguard sensitive data, with success rates between 55% and 85%.
After taking indoor headshots of each subject and rendering them for virtual reality to test them against the five systems, the researchers found they were able to dupe all five systems in every case tested.
"Our work outlines several important lessons for both the present and the future state of security, particularly as it relates to face recognition systems," the researchers noted in an accompanying paper titled, 'Virtual U: Defeating face liveness detection by building virtual models from your public photos.'
"First, our exploitation of social media photos to perform facial reconstruction underscores the notion that online privacy of one's appearance is tantamount to online privacy of other personal information, such as age and location.
"The ability of an adversary to recover an individual's facial characteristics through online photos is an immediate and very serious threat, albeit one that clearly cannot be completely neutralised in the age of social media. Therefore, it is prudent that face recognition tools become increasingly robust against such threats in order to remain a viable security option in the future."
The researchers note that it is crucial for facial authentication systems to be able to reject synthetic faces with low-resolution textures, given the fast-paced developments being made in virtual reality and computer vision technologies that are quickly becoming more "commonplace, cheap and easy-to-use." They recommend that several additional features be added to bolster these systems' security, including light projection patterns, detection of minor skin tone fluctuations related to pulse and the use of illuminated infrared sensors.
"VR visualisations are increasingly convincing, making it easier and easier to create realistic 3D environments that can be used to fool visual security systems," the study notes. "As such, it is our belief that authentication mechanisms of the future must aggressively anticipate and adapt to the rapid developments in the virtual and online realms."
Many institutions across the globe, including HSBC, Barclays and Citi, have begun incorporating new biometric security solutions for authentication, which allow users to confirm their identity using unique data that is much more difficult for hackers and digital identity thieves to fake.
A recent Visa study surveying consumers across seven European countries, including the UK, found that more than 68% of customers are keen on using biometric technology for payments.