23 Feb 2024
by Owen Morgan

Bolstering biometrics: combatting presentation attacks on business systems

Guest blog by Owen Morgan, Consultant, Solution Architect, AtkinsRéalis

Biometric systems have come a long way since some fingerprint access methods could be infiltrated with a gummy bear sweet bearing the owner’s print and some image recognition systems could be fooled by similar looking siblings, or by holding up a picture.

Today, fingerprint recognition is 3D – which is why we roll our fingers around when setting it up – and image recognition is advanced enough to detect a real person, dramatically improving its accuracy. People are identified and verified digitally by something they either have (e.g. proof of identity), know (e.g. a PIN) or are (e.g. facial recognition). The strongest authentication involves a combination of all three.

However, advances in Artificial Intelligence (AI) technologies raise questions over its potential use to spoof biometrical systems with ‘presentation attacks’.

A presentation attack, in essence, is a deceptive technique employed to exploit vulnerabilities within authentication and security systems. Often referred to as ‘spoofing attacks’, they involve the deliberate submission of falsified or counterfeit information with the intent to deceive a system into granting unauthorised access or privileges.

This could pose a significant threat, particularly to critical systems that rely upon the accuracy of user identification. For example, ‘smart gates’ at airports use facial biometric systems to ensure passenger security, so it is essential that they cannot be ‘spoofed’. Further, emerging technologies are enabling baggage drop systems which link individuals’ luggage to the biometric facial data registered on their smartphone. The integrity and dependability of biometric-based authentication methods will be critical.

In the face of this evolving threat a robust solution is emerging, one that blends the power of technology to detect ‘liveliness’, to analyse real-time behaviours, and to undertake a diverse mix of biometric checks. This comprehensive approach not only prevents presentation attacks succeeding, but also verifies users more precisely and effectively, reinforcing organisations’ defences against unauthorised access, and highlighting the importance of staying committed in the face of challenges to biometric security measures.

Detecting ‘liveliness’

Businesses like to use biometrics for authentication due to their simplicity and perceived security. However, the rapid strides made in AI technologies are enabling ever-more sophisticated presentation attacks, casting a shadow of doubt upon their effectiveness. If security authentication systems falter when identifying genuine from fraudulent access attempts, they could grant access to unauthorised users.

There is a looming potential for a surge in presentation attacks that take advantage of system vulnerabilities: from the use of photographs to spoof facial recognition systems, to the sophisticated act of presenting ‘deep fake’ videos of users, in an attempt to replicate subtle facial movements and expressions. These attacks may further escalate, with the use of three-dimensional masks designed to replicate not only biometric traits, but also the behaviours linked to facial features and motion.

To combat these challenges, the implementation of protective measures, alongside well-established security measures, becomes essential. ‘Liveliness detection’ ensures that the biometric data originates from a living, real person rather than a counterfeit.

Another layer of protection lies in the integration of random challenges – engaging puzzles that only humans can decipher. These reaffirm human interaction, making it difficult for automated fakes to pass through.

The combination of various biometric traits alongside these challenges with existing measures establishes a robust and secure authentication process. It is important to acknowledge that, while these measures may slightly extend the processing time and add a marginal cost, the gains achieved are monumental. Liveliness checks and puzzles are, however, of importance as they are two additional identity verification measures that AI cannot mimic.

Strategies for strength

During this transformative journey, AI assumes a pivotal role. It guides us in understanding and adapting to the tactics employed by attackers, ensuring that we consistently differentiate between authentic and counterfeit biometric data and securing the authentication process through multiple safety mechanisms. The benefits that stem from safeguarding our systems encompass a spectrum, from improved customer interactions to fortified business security. Although these protective measures may occasionally decelerate processes and involve a modest cost escalation, their impact is far-reaching. They not only bolster trust and strengthen partnerships, but also resonate with loyal customers who hold secure systems in high regard.

Ultimately, these strategies merge into a fortified shield that encompasses security, trust, and assurance. This amalgamation empowers the safeguarding of our digital realm against presentation attacks. By wholeheartedly adopting these clever methods, we not only ensure the integrity of our digital business, but also strengthen its ability to endure against the constant evolution of threats. Biometric verification benefits business by increasing security and preventing fraud, improving the customer experience, and potentially reducing operational costs, offering a competitive advantage. It can deliver increased trust, stronger customer relationships, and ensure compliance with data protection regulations, contributing to business growth and success and ensuring that our systems remain safe.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more

Join techUK's Cyber Security SME Forum

Our new group will keep techUK members updated on the latest news and views from across the Cyber security landscape. The group will also spotlight events and engagement opportunities for members to get involved in.

Join here

Cyber Security updates

Sign-up to get the latest updates and opportunities from our Cyber Security programme.





Owen Morgan

Owen Morgan

Consultant, Solution Architect, AtkinsRéalis