Better Biometric-based Authentication

February 20, 2018  |  By Joel Odom

Authentication is the process of a computer verifying the identity of a user. The authentication process may happen when a user unlocks his phone, when s/he logs into a website, or when s/he initiates a sensitive activity, such as an electronic payment. Historically, biometric-based authentication schemes, such as voice or facial recognition, have been difficult to implement securely because a determined attacker can use tricks such as voice recordings or photographs to fool naive biometric-based authentication schemes. However, researchers from Georgia Tech recently demonstrated "rtCaptcha," a biometric-based authentication scheme that uses real-time video, voice, and a challenge question for account access; an attacker would have to solve the challenge and forge a matching response within 0.75 seconds.

"Authentication is a hard problem. Humans are designed with the natural capability to recognize other humans with ease, but computers don't naturally have the ability to distinguish me from my brother or from Julie Andrews. Because it's difficult for humans to remember good, high-entropy passwords, currently the best practice for computer authentication (recognizing the right individual) is two-factor authentication. Nevertheless, two-factor authentication can fail when an attacker is determined enough. For example, SMS-based authentication is known to be weak against attackers who have the capability to spoof a target's phone. Furthermore, standard two-factor authentication doesn't have a good way to verify that the entity being authenticated is actually a human, other than by presenting a CAPTCHA as an additional step in the process.

A good authentication scheme must balance ease of use for humans against system security. The new combination of CAPTCHAs and biometric authentication presented by "rtCaptcha" is a clever way to achieve this goal. I don't see this completely replacing typical, rolling code-based authentication, but I do see using rtCaptcha as a third factor in certain cases. High-value targets such as corporate executives, political leaders, or system administrators could benefit from using rtCaptcha as a third factor to protect critical accounts under their control. Or, if a login appeared to be suspicious (based on heuristic factors), the authenticating computer could employ rtCaptcha to raise the barrier against a successful attack. The future of authentication will combine multiple factors in various ways that are natural for humans to use but that still make it difficult for impostors to gain illegitimate access.

For the purposes of full disclosure, I should point out that I know some of the paper authors personally, though I was not involved in this research."
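As an added illustration of the two ideas above (a liveness challenge that must be answered within a strict 0.75-second deadline, and a step-up policy that only demands it for high-value accounts or suspicious logins), here is a small server-side model in Python. It is example code written for this page, not rtCaptcha's implementation: the `StepUpVerifier`, `needs_step_up` heuristic, the injectable clock, and the login dictionary fields are all assumptions; only the 0.75 s deadline comes from the post.

```python
"""Added example (not rtCaptcha's code): a one-time, time-bounded liveness
challenge plus a hypothetical risk heuristic that decides when to require it."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CHALLENGE_DEADLINE_S = 0.75  # deadline quoted in the post


@dataclass
class Challenge:
    token: str          # unguessable handle for this challenge
    expected: str       # answer the live user is expected to give
    issued_at: float    # clock reading when the challenge was shown
    consumed: bool = False


class StepUpVerifier:
    """Issues one-time challenges and verifies answers against a deadline.

    The clock is injectable so the deadline logic can be tested deterministically.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 deadline_s: float = CHALLENGE_DEADLINE_S) -> None:
        self._clock = clock
        self._deadline = deadline_s
        self._pending: Dict[str, Challenge] = {}

    def issue(self, expected_answer: str) -> Challenge:
        c = Challenge(token=secrets.token_urlsafe(16),
                      expected=expected_answer,
                      issued_at=self._clock())
        self._pending[c.token] = c
        return c

    def verify(self, token: str, answer: str,
               answered_at: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). A challenge is consumed on first use,
        whatever the outcome, so a captured answer cannot be replayed."""
        c = self._pending.get(token)
        if c is None:
            return False, "unknown-challenge"
        if c.consumed:
            return False, "replay"
        c.consumed = True
        now = self._clock() if answered_at is None else answered_at
        if now - c.issued_at > self._deadline:
            return False, "too-slow"      # forged response arrived too late
        # Constant-time comparison of the normalised answer.
        if not secrets.compare_digest(answer.strip().lower(),
                                      c.expected.strip().lower()):
            return False, "wrong-answer"
        return True, "ok"


def needs_step_up(login: Dict[str, object], high_value_user: bool) -> bool:
    """Hypothetical heuristic: always require the third factor for high-value
    accounts; otherwise only when the login looks unusual (constructed fields)."""
    if high_value_user:
        return True
    return bool(login.get("new_device", False)) or \
        login.get("country") != login.get("usual_country")


if __name__ == "__main__":
    # Constructed demo with a fake clock so timing is reproducible.
    fake_clock = [100.0]
    verifier = StepUpVerifier(clock=lambda: fake_clock[0])
    login = {"new_device": True, "country": "US", "usual_country": "US"}
    if needs_step_up(login, high_value_user=False):
        ch = verifier.issue("seven")
        fake_clock[0] += 0.5            # answered inside the deadline
        print(verifier.verify(ch.token, "Seven"))   # (True, 'ok')
        print(verifier.verify(ch.token, "Seven"))   # (False, 'replay')
```

The two checks that matter for liveness are the deadline and the single-use token: a response that is correct but late is rejected, and a correct response cannot be submitted twice even by the legitimate client.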

Joel Odom leads a team of researchers focused on software security as branch head for the Cybersecurity, Information Protection, and Hardware Evaluation Research (CIPHER) Laboratory at the Georgia Tech Research Institute. He and his team research static and dynamic software analysis, software testing techniques, software reverse engineering, and software vulnerability discovery and mitigation.