Content

How vein recognition may change the authentication game

Apple CEO Tim Cook kicks off the company’s September 2020 event. Today’s columnist, Rolf Lindemann of Nok Nok Labs, writes about how Apple’s recent patent for vein recognition technology based on the Apple Face ID could dramatically improve device authentication.
Apple CEO Tim Cook kicks off the company’s September 2020 event. Today’s columnist, Rolf Lindemann of Nok Nok Labs, writes about how Apple’s recent patent for vein recognition technology based on extending the Apple Face ID to facial veins could dramatically improve device authentication. (Credit: Apple)

Here’s a riddle: What has five letters, sits close to the heart and keeps human beings safer than most security tools on the market? The answer: Your veins.

Vein recognition has emerged as one of the hottest ways to combat the security challenges associated with existing facial recognition technologies. A number of negative cases around facial recognition have been in the news — identical twins fooling Face ID and a 10-year-old son unlocking his mother’s mobile phone.

So what makes vein recognition different?

Let’s look at Apple’s approach to looking at the facial vein structure in the patent it filed earlier this year for the technology around the Apple Watch. The company’s strategy brought much-needed innovation to physiological biometrics regarding both ease of adoption and increased security.

Put simply, Face ID devices already use infrared light. And infrared light has proven suitable for vein detection. Therefore, extending Face ID to facial veins will not need substantial hardware changes.

In comparison, the hardware changes that come with other devices that aren’t already using infrared technology bring a new spectrum of risks for the device makers. For example, unexpected behavior could arise and affect usability. Remember the Samsung Galaxy Fold debacle? Not only was the product itself defective, but Samsung’s brand reputation was also defaced as users took to social media and the CEO admitted embarrassment. While not all hardware changes are as big as adding foldable displays, they do come with some risk and there are no online updates for hardware.

The adoption of fundamental changes takes time and likely even multiple device generations to get it entirely right. Even smaller, more slight hardware modifications that the hardware makers could add in less time still need to wait until the next device model, making Apple’s Face ID devices the clear approach for seamless ease of adoption.

Now let’s talk security. When it comes to facial recognition, many consumers are concerned with the twin-attack and the technology’s overall security. However, more considerable risks exist: consider presentation attacks like this one where researchers cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, the combination of which tricked an iPhone X into unlocking. In practice, these presentation attacks are much more relevant than the twin-attack. Only a few people have such twins and twins are  statistically unlikely to attack their parents or anyone else. Don’t get me wrong, even presentation attacks are hard to run as the attacker first has to get access to a phone. And getting access to the phones of other people doesn’t really scale. In other words, we have seen billions of passwords stolen, but not billions of stolen phones.

Facial vein detection has the potential to improve the presentation attack protection significantly because while it’s possible to print facial images and even face masks today, it’s not easy to print the correct infrared-light detectable vein structure.  First, images on Facebook don’t expose a person’s infrared vein structure and second, it’s not possible to print the structure with typical hardware such that it looks similar when looking at the infrared picture of it.

But how can we leverage these new and improved modalities in the market quickly and easily? With FIDO authentication, the right abstraction layers are in place to introduce new modalities and get instant interoperability with apps and server-side authentication infrastructure. This makes the adoption of new biometric methods faster and fosters innovation.

Furthermore, getting such facial vein-based authenticator FIDO certified – including the biometrics – lets relying parties understand the improved security level. It’s another advantage from meeting the FIDO Alliance requirements for presentation attack protection. The Alliance will likely make these requirements more strict over time, further helping to combat both presentation attacks, as well as a wide array of other scalable attacks.

Very similar to scalable business models, scalable attacks come with a negligible variable cost, and digital technology gets misused and reaches millions of victims. There have been countless attacks to steal passwords from servers, and the magnitude of these incidents boils down to a few considerations.

First, with these scalable attacks, the attackers are potentially located anywhere in the world and still affect the victim. Second, there’s not only one person affected, but millions or even hundreds of millions. As a result, there’s a significant global damage, to say the least.

Stealing passwords from servers is just one example. Remotely attacking lots of user devices for stealing credentials, misusing credentials on a device, or misusing authenticated sessions are other examples of scalable attacks.

Beyond this, vein recognition can also protect against targeted physical attacks — a noticeable security concern given that out of the 55.5 million smartphones in the UK in 2018, 329,000 were stolen. While these attacks are less scalable given the cost and effort required to steal a single device, it’s still a substantial problem, and therefore consumers still seek protection against such cases.

The FIDO Alliance runs an Authenticator Certification program to combat this issue that supports multiple security levels. Level 1 and 1+ focus on attacks via malware. Levels 2 and 2+ add some protection against physical attacks, and Level 3 and 3+ adds substantial protection against physical attacks. For example, Level 3 and 3+ offer protection against extracting secrets from stolen devices taken into labs for “decapping” the chips to extract the secrets.

In conjunction with the security running through people’s veins, professionals and consumers alike can take advantage of the smartest, easiest combination of security protocols to protect themselves and their assets. While actual products with vein biometrics are several months, if not years away, the technology shows great promise. When in doubt: trust what’s in your blood.

Rolf Lindemann, vice president, products, Nok Nok Labs

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.