Biometrics as a second factor of authentication

Written by José Alberto Canedo

With the main platforms welcoming and integrating biometrics into their authentication systems, this article discusses when and how biometrics can be a security element and what the major obstacles to its adoption are. We show how Microsoft and Google are playing the biometric card.

Identity matters

Historically, human beings have been establishing each other's identities through biometrics. Using complex mental abilities that we don't fully comprehend to this day, we are able to recognize familiar faces, voices, handwriting and even gaits. Obviously we do that by recognizing features unique to each individual, the features that make a person that person.

Figure 1. Some types of biometrics currently in use.

As powerful as human recognition can be, it has severe limitations in the modern world, where we have to deal with machines and even with people who don't know us at all, like the officials at the airport. Even when we are interacting with people we do know, we might need to verify their identity through a machine, as when we're in a chat room.

In security, identity is the claim a user makes when they want to access a system. Automated systems are not as smart as human beings and, naturally, biological recognition was replaced by simpler forms of identity representation, like user names, ID cards, certificates (public keys) and ATM cards. Numbers and strings of characters are easy to process, store and compare, and the creation of these "surrogate" identities is more or less simple:

  • Breeder documents like a birth certificate or driver's licence are verified by human operators and a new surrogate identity is generated, like a passport or an e-mail account.
  • Inside the system this surrogate identity is uniquely tied to the original identity, so the original identity does not need to be verified again.
  • With the surrogate identity, the claim is easy and can be made to an automated system.

Identity versus authentication

An identity, whether full or surrogate, is public. Claims of identity always use something that's publicly available, like yourself, your user name or even your public key. The fact that your identity is public does not represent a problem; in fact we should always take this as a given, no matter how the claim is made (biometrics, usernames, ID card, etc.), and start from there to build more secure computational environments.

Authentication is the process of proving your claim. In all non-trivial systems, there will be a need to prove that the claim is not being made by someone else in an attempt to fool the system.

Figure 2. Something you are is a very good way to establish an identity; something you know is a very good way to prove it.

The most popular authenticators are passwords, the private key behind your certificate, and PINs like the ones used with credit cards. The most important thing about these authenticators is that they must remain a secret known only to you for as long as they are valid. In some cases the system also needs to know the secret in order to authenticate; in other (better) cases it can validate the secret without knowing it. Possessing this secret and being able to present it to the system proves your claim and is normally the last barrier before you have access to the system.

It's very important that identity and authentication remain two separate things, as one is essentially public and the other necessarily a secret. Since biometric features like our faces and voices are remarkably public, we can infer that biometrics can be a very important tool to establish identity, but it cannot be used as a single factor of authentication.

Single factor of authentication

Using biometrics as a single factor of authentication is not a very good idea, because your biometric features aren't secrets. Even our fingerprints and our DNA can be easily acquired by mildly motivated individuals. To make things worse, they aren't revocable: once compromised, forever compromised.

One can say that I'm not making a good case for biometrics, but as we'll see, it is not that simple to fool biometric systems, even after having acquired a sample of a person's biometric. The other factors of authentication aren't very robust by themselves, and biometrics can be a perfect companion for two-factor authentication.

Unlike biometrics, other forms of identity (and authentication) suffer from numerous problems:

  • They aren't strongly tied to their possessors and can be lost or stolen;
  • They allow perfect forgery, beyond detection;
  • Impersonation is flawless;
  • They can be shared among multiple individuals;
  • An individual can have multiple identities.

The most common factor of authentication is the password, a memorized code that relies strongly on the user's memory, can be easily forgotten and stolen and in some cases even guessed. Once in the possession of an impostor, the impersonation is perfect and undetectable. In a recent LinkedIn breach, although the database was hashed, more than a hundred thousand passwords were cracked according to Rapid7, a vulnerability management company, and the five most common passwords they found were link, 1234, work, god, job.

The lesson learned from numerous similar situations is that there is no silver bullet and single factor authentication can fail miserably, even for high tech solutions like biometrics.


Biometrics is the automated detection, processing and comparison of physical or behavioral characteristics to establish or verify an identity. The most used physical features are fingerprints, the face image, DNA, the iris image, voice print, signature and gait. The last four are strongly affected by the behavioral characteristics of the individual.

Although the uniqueness of some biometrics like fingerprints is already proven, it is extremely difficult to develop systems that acquire good, reliable biometric features, always match acquired features with the correct identity (thus eliminating false negatives) and never match acquired features with an incorrect identity (thus eliminating false positives). Normally, when you minimize false negatives, the possibility of false positives increases, and vice versa.

We have already said that biometrics are easy to steal, but they are difficult to forge back into the physical world. Creating a real finger from a fingerprint or a face from a photo requires very specialized skills.

Of course simpler systems can be fooled. As with any technology, there are low-end, non-security-oriented options that can be fooled by a photo of a person held in front of the camera, and there are more advanced, security-oriented systems that verify the liveness of a person by facial expressions, eye blinks, the temperature of the finger or the reflection of very specific wavelengths by blood vessels. The key here is that the system needs to read the biometric and also make sure the biometric acquired came from a real human being.

Overview of a biometric system

In a nutshell, biometric systems are pattern recognition systems that can recognize highly distinctive patterns and associate them with a person. The biometric system will later have to validate claims by comparing freshly acquired samples to the patterns stored under that identity.

A biometric system can be divided into four main subsystems: data acquisition; data analysis and template extraction; template storage; and template matching and decision. As in many systems, the transmission channel is also very important for security considerations. Two processes are very important to understanding a biometric system: enrollment and matching.

Figure 3. Processes and subsystems in biometrics

Data acquisition is a critical part of the system for several reasons. To begin with, the quality of the acquired data (photo, video, audio) is very important when you are making a claim of identity and vital when you are enrolling your identity into the system. Furthermore, biometric sensors need to evaluate liveness in a robust manner, i.e. that the sample has been acquired from a human being and not from a fake representation of a biometric sample like a silicone finger or a photo of a person. No less important is the human factor: the system needs to guide the user and help him as much as possible to minimize behavioral factors like poses, intonations of voice, etc.

Data processing minimizes environmental and behavioral variations like shadows and pose angle, removes unnecessary parts, and processes only the biometric in question. In iris recognition, for example, once the iris is detected, the whole eye image is discarded and only the relevant part is processed to determine the unique features. Depending on the type of biometric, feature extraction involves image processing, pattern recognition, statistical analysis, computer vision and even neural networks. While some biometric features are well known, like DNA and fingerprint minutiae, other features are much less obvious and remain trade secrets.

The resulting set of features obtained from feature extraction is called a template. Normally the template is saved to a database, but other alternatives exist, like storage in the sensor, on the local machine and even on a smart card.

The final step of a biometric system is matching, where the features are compared to determine the degree of correlation or similarity. Mathematical analysis of the features leads to a score and, based on previous statistical analysis, it is possible to determine whether that score is enough to confirm the claim; otherwise the claim is rejected. Two templates of the same person are never identical, due to changes in acquisition and behavior. For the same reason, biometric systems will never reach 100% accuracy, although they can get really close (99.9999%).

In the enrollment process we put together data acquisition, template extraction and storage. Quality analysis is very important in this process, and it is normal for a system to take several samples, either to choose the best or, in more advanced scenarios, to merge them into a 'super' template. Self-enrollment is very common in IT scenarios, so a friendly user interface and robust acquisition are very important.

In the matching process, we put all biometric subsystems to work at once, but now with speed in mind. A new template is generated, the reference template is retrieved from the database, a comparison is made and a decision about the claim is taken. All of that needs to happen fast (1 - 2 s) so that users do not see biometrics as an inconvenience.

Biometrics as a second factor of authentication

In computer systems the traditional way of authentication is the password, which relies heavily on the human factor. Unfortunately, memorizing passwords is not an easy task, so people choose easy ones and share them among several systems. A recent study from Microsoft Research shows that the average internet user has 25 password accounts, but only 7 passwords that are shared among them. On top of that we still have our bank accounts and corporate accounts.

Strong password policies can mitigate part of the problem, but we still can't prevent users from writing down their passwords or reusing their corporate password on a LinkedIn account, for instance. Other ways of stealing users' passwords, like Trojan horses, phishing and database compromise, keep piling up, showing that passwords alone can't be considered very secure.

Biometrics, on the other hand, is an intrinsic characteristic that doesn't depend on user action. It's complex and hard to copy, but the user doesn't need to learn it; we just need to be ourselves. Of course biometrics aren't secret like passwords, and on secure systems we will not use them to verify the claim. But we can use them to reinforce the claim to a point where we are almost 100% sure that the claim is being made by a genuine user and not an impostor. Using passwords as the secret to verify this claim suddenly doesn't seem so risky.
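The division of labor described above, as an added example that is not the article's or any vendor's code: the biometric sample establishes (identifies) the claim, and only the password proves it. The matcher, templates, user names and passwords are constructed stand-ins.

```python
# Added example (not from the article): a minimal two-factor login where a
# biometric sample establishes the identity claim and a password proves it.
# Templates, samples, users and the matcher are all constructed/hypothetical.
import hashlib
import hmac
import os

MATCH_THRESHOLD = 0.6      # hypothetical matcher operating point
PBKDF2_ROUNDS = 100_000

# Constructed feature sets standing in for fingerprint templates.
ENROLLED_TEMPLATES = {
    "alice": frozenset(range(1, 11)),
    "bob": frozenset(range(11, 21)),
}


def similarity(template, sample):
    """Toy matcher: Jaccard similarity of two feature sets. A real engine
    uses vendor-specific minutiae matching; the scoring idea is the same."""
    if not template or not sample:
        return 0.0
    return len(template & sample) / len(template | sample)


def identify(sample, enrolled):
    """Establish the claim: the best-matching enrolled user, or None.
    Only decides WHO the user appears to be; nothing secret is involved."""
    best_user, best_score = None, 0.0
    for user, template in enrolled.items():
        score = similarity(template, sample)
        if score > best_score:
            best_user, best_score = user, score
    return best_user if best_score >= MATCH_THRESHOLD else None


def hash_password(password, salt=None):
    """Store a salted PBKDF2 digest so the system validates the secret
    without keeping it in the clear (the 'better case' the article mentions)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(stored, password):
    """Constant-time comparison of the candidate digest with the stored one."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def authenticate(sample, password, enrolled, credentials):
    """Two factors: the biometric picks the identity, the password proves it.
    Returns the authenticated user name, or None on any failure."""
    user = identify(sample, enrolled)
    if user is None:
        return None
    if not verify_password(credentials[user], password):
        return None
    return user


# Constructed credential store and probe samples.
CREDENTIALS = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("hunter2"),
}
SAMPLE_ALICE = frozenset([1, 2, 3, 4, 5, 6, 7, 8, 21, 22])  # fresh, imperfect scan
SAMPLE_UNKNOWN = frozenset(range(30, 40))                   # nobody enrolled


if __name__ == "__main__":
    print(identify(SAMPLE_ALICE, ENROLLED_TEMPLATES))                 # alice
    print(authenticate(SAMPLE_ALICE, "correct horse battery",
                       ENROLLED_TEMPLATES, CREDENTIALS))               # alice
    # A matching sample with the wrong secret is rejected: the second factor holds.
    print(authenticate(SAMPLE_ALICE, "hunter2", ENROLLED_TEMPLATES, CREDENTIALS))
```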

Today, biometrics is used for authentication in systems as diverse as operating systems, websites, enterprise applications, virtual private networks and secure thumb drives. The most used technology is fingerprint recognition because of its precision. Face and voice recognition are becoming popular due to the almost universal availability of cameras and microphones in modern hardware.

In this article we analyze two biometric authentication systems, one embedded in consumer products and consequently designed towards convenience and the other designed for security and integration with corporate authentication solutions.

Android Face Unlock

Starting with Android 4.0, Google added to its mobile operating system the ability to unlock the device using nothing but the owner's face. Face Unlock benefits from the fact that front cameras are commonplace on Android phones and tablets.

Google's facial recognition technology is the state of the art in the field and the fruit of years of research in start-up companies later acquired by Google (PittPatt and Neven Vision). They continue to advance their research and to apply it to other Google products besides Android Face Unlock (Google Goggles, Picasa, Google Maps, Image Search and YouTube, to name a few).

The final result is fairly advanced and Face Unlock is a quite convenient feature. The first step is to choose Face Unlock as your screen lock. Select Settings, Security and then Screen lock.

Note that Android provides you a fair amount of screen lock options (None, Slide, Face Unlock, Pattern, PIN and Password).

Figure 4. Security and Screen Lock option on Android 4.1

After selecting Face Unlock we start the enrollment phase. A few reminders are provided by Google: Face Unlock is less secure than pattern, PIN or password; someone who looks similar to you (siblings, for example) could unlock your device; illumination matters (not too dim, not too bright) and position matters, so it is better to enroll indoors holding the device at eye level.

Enrollment consists of holding the device for 4 to 10 seconds while the algorithm captures and analyzes several video frames. The whole time you can see the video of your face and align it with the 'ideal' face represented by dots on the image.

When finished, you are asked how you want to unlock your device when Face Unlock can't see you. Now, this is very important. Every biometric application in the world needs a contingency strategy, because biometrics is not 100% effective. Knowing this beforehand increases the chance of success for biometric projects. On Android you can provide a pattern or a PIN as the contingency unlock. That's all; you are ready to unlock your Android device by looking at it.

During the unlock process, which takes 1-2 s, you just have to look at the device and, in case of any problem, fall back to your PIN or pattern. In Android 4.1, Google introduced an additional security feature, 'liveness detection'. With liveness detection activated, Android asks you to blink during unlock; that way it can rule out simpler ways of spoofing.

Figure 5. Unlock with liveness detection and pattern drawing as fallback mechanism.

Of course, simulating a blink is not that difficult these days, and both Android 4.0 and 4.1 have been spoofed easily by getting someone's photo from Facebook, painting over the eyes to simulate a blink, and alternating between photos with eyes open and closed while holding the device in front of the monitor.

As we already discussed, facial imagery is not a secret, and Google's Face Unlock is not a security feature and wasn't designed to be one. If it were, Google would have opted for two factors of authentication, using a password, pattern or PIN as the secret part for authenticating the claim of identity. The liveness detection can be improved as well. Google could, for example, ask the user to say randomly picked words at unlock time; this way it could tie the face to the voice and guarantee that the spoken text is not pre-recorded. Or go even further and move to biometrics that are harder to spoof, like fingerprint recognition and vein pattern recognition.

Windows Biometric Framework

The Windows Biometric Framework, or WBF, is part of Microsoft's strategy to leverage multi-factor authentication, which also includes support for smart cards. Starting with Windows 7, Microsoft added a new set of components to Windows to provide support for fingerprint biometric devices and fingerprint authentication. These components are available in Windows 7, Windows Server 2008 R2, Windows 8 and Windows Server 2012.

Instead of implementing the whole biometric authentication system, Microsoft specified and implemented a framework and partnered with biometric companies that would provide the biometric devices and algorithms. Having a framework is important because it improves the security, quality, reliability and consistency of the user experience while maintaining the ability to choose the preferred biometric provider and the most suitable biometric readers.

WBF components include a driver interface definition, a plug-in platform, an API for client applications and a biometric device control panel. WBF also supports the core scenarios of logon and User Account Control (UAC), and management components for biometric configuration, locally and globally for a domain through Group Policy. No less important, third-party components can be distributed through Windows Update.

Figure 6. In green and orange the drivers, plug-ins and applications developed by ISV/IHV.

Figure 6 shows how the responsibility is divided between Microsoft and its Independent Hardware/Software Vendors (IHV / ISV). It is also important to note that these separations are also security barriers. The Windows Biometric Service allows client applications to capture, process, compare and store biometric data without ever giving them access to any biometric hardware or samples. WBF is hosted in a privileged SVCHOST process, as seen in Figure 7.

The WBF creates a standard way for developers to integrate with the Windows operating system; it works like an abstraction layer for sensors, engines and storage. All components look and behave exactly the same from the developer's point of view. Let's take a look at each item in Figure 7:

Sensor - the biometric device, provided by an IHV.

Sensor Driver - the system driver provided exclusively by the sensor manufacturer; it must be compatible with the biometric driver stack (WBDI).

Biometric Driver Stack - provided by Microsoft; the new interface that all sensor drivers must attach to in order to work with the WBF.

Sensor Adapter - provided by Microsoft; the virtual representation of the sensor in WBF. ISVs can develop it too.

Engine Adapter - provided by an ISV; provides the matching and extraction capability to the Biometric Unit.

Storage Adapter - provided by Microsoft; the virtual representation of the storage. ISVs can develop it too. Windows has the DPAPI (Data Protection API), which is used to protect secret data like cryptographic keys. To do that, DPAPI uses "secret information" related to the user and the operating system. This data can only be recovered in an open user session, when this "secret information" becomes available to the operating system.

Biometric Unit - a logical unit tying together one sensor, one engine and one storage.

Windows Biometric Service Provider - so far there is only one BSP (the fingerprint provider), and it is provided by Microsoft.

Windows Biometric Service - provided by the ISV. The service that manages biometrics; the entry point for applications.

Client application - software using the biometric service; it can be the Windows logon, a simple enrollment application or a complex enterprise application.

Figure 7. There is a security boundary between the WBF and its applications.

In the development of the Windows Biometric Framework, Microsoft partnered with Authentec, UPEK, Digital Persona and Validity, so when Windows 7 was released they already had a decent offering of WBF software, and today most fingerprint sensors are compatible with WBF.

Using the WBF

For this article we used Authentec's Protector Suite 2012. This application supports Windows 8 and can integrate with Chrome, Firefox and Internet Explorer to replace web passwords. In addition, it is possible to create biometric-protected encrypted virtual drives. Authentec is an early innovator in the field of biometrics, with more than 100 million fingerprint sensors shipped. They were recently acquired by Apple, which of course has an immense interest in mobile authentication.

Once Protector Suite is installed on your computer, Windows provides you with links in the Control Panel to access the FMA (Fingerprint Manager Application). We can see in picture 9 that Authentec provides duplicate links to its FMA; this happens because, using the Windows link, you first have to select the desired fingerprint sensor, where in most cases there will be only one option.

Figure 8. Access to FMA on Windows Control Panel.

After entering the FMA, you will be asked for your password, a necessary security measure, and after that you have access to configure biometric authentication. On non-domain computers all policies and configurations are done in the FMA. It is possible to enable, disable or limit the use of biometrics for the local computer. On domain computers it is possible to set the same policies plus policies regarding logon for domain users using biometrics.

Assuming that biometrics will be enabled, two settings are really important to security. The first one is whether the biometric algorithm will operate at a convenient level or at a secure level, meaning whether the decision threshold will be lower or higher. A lower threshold yields fewer false negatives (failed logon attempts) but increases the chance of a false positive (successful impostor logon). A higher threshold works the other way around.
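The threshold tradeoff described here, and in the matching step of the overview earlier in the article, as an added example that is not the article's or Authentec's code: the scores are constructed sample data, and the rule used to pick the 'convenient' and 'secure' thresholds is an assumption, not the vendor's.

```python
# Added example (not from the article or any vendor): how a biometric
# matcher's decision threshold trades false rejections against false
# acceptances. Scores are constructed sample data, not real matcher output.

# Constructed similarity scores (0-100) from a hypothetical fingerprint
# matcher: a person compared with their own template ("genuine") and with
# other people's templates ("impostor").
GENUINE_SCORES = [88, 91, 79, 95, 84, 73, 90, 86, 68, 93, 81, 77]
IMPOSTOR_SCORES = [12, 25, 33, 41, 18, 52, 29, 47, 61, 22, 38, 70]


def decide(score, threshold):
    """Accept the identity claim when the similarity score reaches the threshold."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) at one threshold.

    FRR: false rejection rate, the fraction of genuine attempts rejected
         (false negatives, i.e. failed logons of the real user).
    FAR: false acceptance rate, the fraction of impostor attempts accepted
         (false positives, i.e. successful impostor logons).
    """
    frr = sum(1 for s in genuine if not decide(s, threshold)) / len(genuine)
    far = sum(1 for s in impostor if decide(s, threshold)) / len(impostor)
    return frr, far


def tradeoff_table(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) rows. Raising the threshold never lowers FRR
    and never raises FAR: the 'other way around' the article describes."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def operating_points(genuine, impostor):
    """Pick a 'convenient' and a 'secure' threshold, mirroring the two
    security levels of the fingerprint software discussed in the article.

    convenient: smallest FRR + FAR over thresholds 0..100 (lowest on ties)
    secure: the lowest threshold at which no impostor sample is accepted
    (assumed selection rules, not the vendor's)
    """
    convenient = min(range(101),
                     key=lambda t: sum(error_rates(genuine, impostor, t)))
    secure = max(impostor) + 1
    return convenient, secure


def is_monotonic(rows):
    """True when FRR never decreases and FAR never increases as the
    threshold rises down the table."""
    return all(a[1] <= b[1] and a[2] >= b[2] for a, b in zip(rows, rows[1:]))


if __name__ == "__main__":
    rows = tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 101, 10))
    for t, frr, far in rows:
        print(f"threshold {t:3d}: FRR {frr:.3f}  FAR {far:.3f}")
    conv, sec = operating_points(GENUINE_SCORES, IMPOSTOR_SCORES)
    print("convenient level:", conv, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, conv))
    print("secure level:    ", sec, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, sec))
```

With the constructed scores, the convenient level lets one impostor sample through while rejecting no genuine one, and the secure level rejects one genuine sample while accepting no impostor; that is exactly the choice the setting offers.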

Figure 9. Setting the security level.

The second important setting is whether the Windows password will be required or can be bypassed. Bypassed here doesn't mean that Windows is not using it to authenticate, but merely that Protector Suite is saving it (encrypted) and entering it for you after verifying your fingerprint. Note that this is not the same as not having a password, since your password is still needed to log on to any other computer or resource in the network.

Figure 10. Allow Protector Suite to bypass logon using your password.

Having to use the fingerprint and the password every time is the kind of dual-factor authentication that we consider strong. But it is very interesting to consider that if you have passwords and do not need to type them every time, that's still dual factor, and we can even argue that by not typing your password you considerably decrease the chance of having it stolen and you can set stronger passwords. Password resets can be reduced as well, providing an economic gain.

All that clarified, we can now enroll and start logging in using fingerprints (and/or passwords).

The process of enrollment is straightforward: first, you have to select a finger (it's recommended to use the index or middle fingers, and to enroll at least two different fingers). The enrollment software instructs you on how to apply the finger and normally requires you to do it several times so that the algorithm can assemble the best possible template.

Figure 11. Select a finger to Enroll.

Figure 12. The application will ask you to scan your finger several times.

The login process is much simpler: it consists of the traditional Windows login screen requesting that you place (or swipe) your finger on the fingerprint sensor. Since this is a security feature, the fallback is the same as when you forget your password: it allows you to try the logon a configurable number of times and then locks down the workstation. If you can't log in at all, you will need technical support.

Figure 13. Windows 7 logon screen.


To put two-factor authentication with biometrics into practice, a basic knowledge of this technology is required. To leverage it for security purposes it's important to know that biometric companies too often exaggerate the security characteristics of biometrics, and to understand where those characteristics really stand in the real world. Often, biometrics comes in handy when it comes to establishing a strong identity to start a claim. But biometrics falls short when it comes to authenticating claims, because our biometric features aren't secrets, and it's not safe to authenticate one's identity based on a facial image, for instance.

It looks like biometrics is moving towards wide acceptance, and improvements in technology (for identification and for liveness detection) guarantee its place in convenience applications and in security as well. I'm convinced that biometrics is the best second factor of authentication that the security community could hope for.

About the Author

José Alberto Canedo has 12 years of experience in biometrics on the development of award winning fingerprint recognition algorithms, access control systems and large scale AFIS system. He's a Certified Biometrics Professional by the IEEE and the founder of ForumBiometria.com, a website dedicated to biometrics.


This article was originally published in the Pentest Magazine Issue 10/2012 October



Copyright © 2010-2011 Fórum Biometria. All rights reserved.