There really isn’t a biometric that is infallibly secure?
A recent news story says that Apple is testing a new feature for the web version of iCloud that allows users to use Face ID or Touch ID to log in to their accounts when their test device accesses the beta.icloud URL. This is a new feature that previously required a password to sign in to icloud using the web, whether it was an Apple device or not. Now users can sign in to the web version of iCloud using Face ID or Touch ID on devices running iOS, iPadOS or macOS beta. when these devices access iCloud in the Safari browser, users will receive a pop-up window asking if they want to sign in using biometrics.
This led to a number of readers discussing biometric security. This is because they keep a lot of photos and information on iCloud and feel that, at some point, biometric cracking is often easier than password cracking. Several readers dug deeper into the biometric security discussion and opened their minds to talk about more secure biometric authentication.
One reader said that in the case of our commonly used cell phones, he would still very much prefer to go back to traditional pattern unlocking than biometrics. Why is that? Because, in the past, his phone pattern unlock, set very complicated, his girlfriend learned a few times, can not remember, so he did not bother to toss his phone.
Later, he changed to a domestic cell phone, added the function of facial recognition, fingerprint recognition, but the pattern password function was removed. Only a six-digit password combined with biometrics can be used to unlock the phone. The current situation is that he was forced to inform his girlfriend of the six-digit unlock code and was also forced to set her fingerprint in the phone to unlock it. In this way, when he sleeps or takes a shower, his girlfriend can check his phone at will, which makes him feel very insecure.
So he believes that biometrics is a typical sign of insecurity between couples, precisely. So his request looks a bit retro – a strong desire to come up with a high-end phone that eschews biometric features. When you think about it, that’s true. And regardless of the security of various biometrics under hacking attacks, it’s also true that between men and women alone, it provides unparalleled security to unlock each other’s phones.
And there is also a headache, is in the case of not set up biometric payment, Internet banking APP transfer, etc. need to verify the cell phone SMS. However, once the fingerprint payment is set up, it is often only necessary to verify the fingerprint of one finger in the recorded fingerprint of the phone, and all fingerprints can be used for future bank card transfers, or various payment transactions.
Therefore, if a man or woman friend has a different intention, it is easy to steal the money of the other party, which is seen in many news. Some people do not fall in love with the purpose of true love and marriage and children, but specifically for the purpose of swindling money and sex.
The security of biometric identification, as above, can only be described as security in a specific relationship. In more complex application scenarios and facing more extreme invasion challenges, what will be the security of each biometric identification?
1,Face recognition and fingerprint recognition
Face recognition and fingerprint recognition are the two most widely used biometrics and have long been commonplace in cell phones, access control, time and attendance, stations and other devices and locations. 1927, Robert Heindl of Germany concluded in his book “Fingerprint Identification” that Jia Gongyan of the Tang Dynasty in China was the first scholar in the world to propose the use of fingerprints to identify people.
In most cases, face and fingerprint identification is secure. However, in extreme cases, they can be cracked, and the methods of cracking them are commonplace. For example, when we verify a fingerprint, the unique patterns that make up the physical pattern of the fingerprint are converted into data by the sensor, and this data can be stored, shared, and even modified, setting the stage for miscreants to steal it.
Two years ago, researchers at the National Institute of Informatics in Japan claimed that they were able to successfully extract fingerprints from personal photos using only a mid-range digital love camera, and later create copies of fingerprints easily using a 3D printer.
Back in 2016, police in Michigan, USA, used fingerprints from the police’s own repository instead of photo-extracted fingerprints in order to verify the accuracy of biometrics, and by working with a local university, created a replica of a murder victim’s fingerprints, which eventually succeeded in unlocking the victim’s phone and obtaining evidence to help solve the case.
As for facial recognition, it is more likely to be leaked because we cannot go out all day with our faces covered, and various cameras are everywhere in the streets and alleys, and cell phone photos are becoming clearer and clearer, so facial biometric features can be acquired at any time.
In the past, a photo can be used to break the primary facial recognition system, now so weak system has long been eliminated, but 3D recognition and 3D printing technology is advancing by leaps and bounds.
If you take a photo of you with a 3D shooting tool, and then print it off with a 3D printer, after a series of precision processing, who can say whether it can fool some facial recognition systems. As for the various cracking techniques shown in the laboratory or geek conference, we Ann in the previous also have a number of articles dedicated to the cracking process, here will not repeat.
However, it is necessary to mention that face and fingerprint recognition technology is also changing day by day, many of the previous methods can be cracked, now has failed. Security is like this, the devil is fighting, you and I, we all rise to the top, only to see who in a particular time technology high.
2, iris recognition
Next, let’s talk about iris recognition. The human iris is formed during the fetal development stage and will remain unchanged throughout the life course, thus determining the uniqueness of identification. This is the first time that we have ever seen a person with an iris that has been used for the purpose of a computer. After all, there is no way to replicate an identical eyeball, right?
In fact, the reality is very different from the popular imagination, and the way to obtain iris is very simple, as long as the iris information is successfully obtained within ten meters of a person, using a DSLR telephoto lens combined with a focused beam shot that captures infrared capabilities.
In 2018, Baidu Security Lab (X-lab) researchers have successfully cracked iris recognition and given a method to replicate iris. First of all, the process of iris recognition verification is as follows: in an iris recognition device, for example, the eye is first illuminated by infrared light from the LEDs on the device, then the iris image is captured by an infrared camera, followed by positioning and pre-processing using algorithms. The final step, like fingerprint recognition, is normalization, key point extraction, and comparison with database information.
Although the infrared light is not visible to the human eye, it can be easily detected by electronic devices. According to industry sources, cameras can actually capture infrared, but many of them are shielded from this function because of the interference effect of infrared light on photo effects. The researcher got its infrared light recognition image after disassembling and analyzing a certain iris recognition device.
Next, the process of forging a replica of the iris that the sensor could recognize began. It was found that laser black and white printer toner absorbs near infrared better. Following this method, he successfully unlocked a phone with iris recognition. This result directly shuts down the expert argument that “since iris is a biometric feature, it cannot be unlocked on a photo or video”.
Moreover, even if there is hardware that adds “live detection” to the iris recognition process, such as micro-movement of the eyes and pupil scaling, it can be easily bypassed by simply shaking the printed iris or pulling it in and out smoothly to pass the authentication. According to media reports, cell phone pixels are now getting higher and higher definition, and many users like to post photos on social media. Hackers can get the user’s iris information by taking a selfie, and then the same can be done to fool the phone’s iris recognition system.