
BlackHat 2019: Researchers Find Way to Fool Biometric Authentication

Xuanwu Lab uncovers techniques that bypass the “liveness detection” features of biometric-based defenses

When it comes to biometric authentication, might your face or finger also turn into your Achilles’ heel?

It’s no longer a far-fetched idea. Computer scientists from China’s Tencent Security Xuanwu Lab have uncovered ways to fool the classic biometric authentication process into mistakenly approving access to devices by unauthorized users.

Biometric authentication is one of the fastest-growing segments of the security industry. It relies on facial recognition, fingerprint recognition, handwriting verification, hand geometry, and retinal and iris scanners to identify users. It is widely viewed as an improvement over password-based and two-factor authentication, which remain vulnerable to brute force, phishing or compromised third-party login processes.

Along the way, computer scientists created a technique they refer to as “liveness detection,” which attempts to decide whether the biometric sample being presented comes from a live person actually in front of the sensor rather than from a reproduction such as a photo, recording or mask. The algorithm weighs several combinations of physical human traits that together indicate whether the individual present is alive, countering impostors who try to bypass defenses by presenting spoofed biometrics to the system.

These findings were publicly shared by Xuanwu Lab researcher HC Ma Wednesday at the BlackHat USA 2019 conference that’s taking place this week in Las Vegas.

The Xuanwu Lab researchers exploited a defect in a liveness detection algorithm to compromise a biometric-based login or password recovery function and then log into a target’s account remotely. They did so by injecting fake video or audio streams generated from a single face photo or a short voice recording, which the liveness check accepted as a live user.

The Xuanwu Lab team also resorted to very low-tech tactics to pull off a very high-tech caper. They demonstrated how they got a smartphone’s facial recognition feature to unlock a protected device. All they needed was to tape doctored images of eyes onto a pair of ordinary eyeglasses and place the glasses on a sleeping victim’s face, which was enough to bypass the attention detection mechanism of the device’s Face ID feature.

According to Ma, they were able to modify the eyeglasses “in less than 2 minutes.”


About the Author

Charles Cooper

Consulting Editor

Charles Cooper has covered technology and business for more than 25 years. He is now assisting Symantec with our blog writing and managing our editorial team.