Indeed, there have already been multiple reports of biometric spoofing. FireEye reported more than a year ago that fingerprint data could be stolen from Android devices made by Samsung, Huawei, and HTC because, “the fingerprint sensor on some devices is only guarded by the ‘system’ privilege instead of root, making it easier to target and quietly collect the fingerprint data of anyone who uses the sensor.”
The Japan Times reported earlier this month that a team at Japan’s National Institute of Informatics (NII) found that a good digital image of people simply flashing the peace sign could result in their fingerprint data being stolen.
Researchers have reported that a high-resolution image of a person’s eyes can allow an attacker to make a "contact lens" of the iris that would pass as the real thing for authentication.
And there have already been demonstrations that a manipulated recording of a person's voice can trick authentication systems.
Advocates of biometric authenticators don’t deny any of this, but say one key to their successful use is for the data from them to stay on user devices only, as is the case with Apple’s Touch ID. As McDowell notes, one of the many problems with passwords is that they are “shared secrets” – they exist not only on users’ devices, but also have to be given to a website’s server, which then matches them with what is stored in its database. When such a server gets compromised, millions of passwords get stolen at the same time, through no fault of the user.
According to McDowell, the risk of biometric spoofing is “infinitesimal” compared to that of passwords.
Since the biometric credential data never leaves the device, “the attacker must steal the phone or computer even to attempt an attack,” he said. “This doesn’t scale, and is therefore not viable for financially-motivated attackers.”
James Stickland, CEO of Veridium, agreed. “You can purchase a kit from China for $10 to copy and extract a fingerprint. This has been shown to work on fingerprint sensors from Touch ID to the device used for the Indian government, and is a problem for almost all but the most expensive sensors,” he said.
“But this is a problem only when an attacker has access to the user’s device, so the time window for attack is pretty low.”
Of course, not all biometrics remain only on the user device. Some, such as the fingerprints of millions of people who work, or have worked, for government or that are taken by law enforcement, will be stored on servers.
Joe Fantuzzi, CEO of RiskVision, said this might lead to the same risks that plague the healthcare industry, because of its storage of patient data. “Incorporating customer biometric information will essentially make all companies lucrative targets for attacks and ransomware,” he said.
Sign up for CIO Asia eNewsletters.