For decades, biometric security has been a go-to method for countless instances that call for identification verification. But deepfakes are making it increasingly difficult to rely solely on biometric technologies for heightened security. However, the risk doesn’t make these processes futile – there are ways to combat deepfake technology and maintain utmost security for your sensitive information and private properties. This article will teach you how to counter the deepfake risk to biometric security.
The Basics of Biometric Security
Biometric security refers to any identification method that verifies a person’s identity by scanning or analyzing their unique physical or behavioral traits. The five most widely used forms of biometric identification are:
- Facial recognition
- Fingerprint scanning
- Voice recognition
- Eye scans (iris, retina)
- Hand vein pattern scanning
Biometric Security’s History at a Glance
Biometric security has existed for a few centuries, though not in the forms we’re familiar with today. In the 1800s, a man named Alphonse Bertillon started utilizing body measurements to identify and compare jailed criminals. This practice continued to develop for decades and in the 1880s, fingerprinting became part of the standard procedure when taking people into custody.
The biometric security industry saw a rise in popularity starting in the 1960s when semi-auto facial recognition tools were developed and introduced. By 1969, law enforcement used fingerprinting and facial recognition technology so often that the FBI funded biometric security processes.
The next major development of biometric security occurred in the 1980s when the National Institute of Technology formed a group to develop voice recognition technologies. Then, in 1985, the concept of scanning a person’s iris was suggested, as they differ from person to person in the same manner that fingerprints do. Further development resulted in patenting the first iris recognition technology in 1994.
By the early 2000s, hundreds of biometric security technologies were functional in the United States. At this point, biometric security was not confined to only being used by large corporations. Biometric security technologies were also popular amongst local banks, small businesses, and even home security systems. Today, younger generations are familiar with the biometric security available through most cell phones. Apple popularized smartphone biometrics in 2013 with the release of the iPhone 5S, which featured a fingerprint scanner (Touch ID) that allowed users access to their phone’s apps and features.
What Is a Deepfake?
It’s vital to understand what a deepfake is before diving into what makes it so threatening to biometric security. Deepfakes are artificially produced media generated through “deep learning,” a special type of machine learning. Algorithms study examples and learn how to reproduce results that closely resemble those examples.
Although first created as an age-regression method for movies and television, deepfakes have been used for nefarious purposes since their technology became available to the public through the internet. A subreddit (a topic thread on Reddit) was created under the name “r/deepfakes,” and had inappropriate videos that were altered to feature celebrities’ faces. Since then, the technology has been a major concern for anyone with an online presence, from popular content creators to small platforms.
The Deepfake Risk to Biometric Security
Naturally, deepfakes also pose a major threat to biometric security due to their ability to accurately mimic a person’s unique features. A Hong Kong bank experienced this threat first-hand in 2023, suffering a $20 million loss because of a deepfake. An employee approved the large transaction via video call, unaware that the other participants in the call had their features manipulated with deepfake technology. Gartner, Inc. predicts that roughly 30% of businesses and enterprises will deem facial recognition security ineffective by 2030 because of AI deepfakes.
Types of Risks Towards Authentication Using Deepfake
Just as multiple forms of content can be deepfaked, there are also various forms of deepfake authentication attacks: injection attacks and presentation attacks. We’ll describe each type of attack below and highlight each one’s characteristics.
Injection Attacks
An injection attack occurs when a hacker inserts a passing identification method into an unlocked device, allowing them to gain access to any of its sensitive data.
Some examples of injection attacks are:
- Capturing or recording media/data using another device
- Uploading AI-generated or rendered media
- Transferring data through a server to a browser
Presentation Attacks
Presentation attacks are classified as an attempt to gain access to sensitive data by presenting a fake image to a biometric identification tool. Presentation attacks occurred long before deepfake technology’s creation, though in a much less sophisticated sense. Some of the earliest presentation attacks were performed using the following methods:
- Paper face masks
- 2-dimensional photos
- 3-dimensional face masks
- Displaying a smartphone photo of an authorized user to a facial recognition tool
- Stolen video of an authorized user
Some common attack methods using today’s modern deepfake technology are:
- Face-swapping filters and tools
- Altering speech to mimic an authorized user’s voice
- Lip-syncing in alignment with an authorized user’s voice recording
How to Counter the Deepfake Risk to Biometric Security
Even though AI deepfakes constantly become more sophisticated, there are still methods to ensure biometric technology will provide effective security. Below, we’ve listed the best advice on how to counter the deepfake risk to biometric security.
Real-Time Active Authentication
Even with their ever-advancing technology, deepfakes struggle to achieve accuracy with real-time footage. That said, one of the best methods to maintain optimal security is by using active methods as an authentication method.
This is typically done using facial or voice recognition. Your biometric security system will instruct you to repeat a specific phrase or perform a real-time action (e.g., smiling or waving) in order to confirm your identity. A deepfake will generally struggle to repeat these prompts without experiencing some form of glitch or error.
Data Encryption
Data encryption also goes a long way in protecting against deepfake technology. To achieve this, your biometric data is linked to a cryptographic key, which is a unique, randomized series of characters. Access is only granted if the scanned data perfectly matches the encrypted data.
Data that has been encrypted maintains its security, even if its database has been compromised. For this reason, businesses of all sizes and across all industries use data encryption to protect their customer information, as well as other sensitive data.
Adaptive Authentication
The adaptative authentication method analyzes multiple factors, such as risk level, device posture, and location to determine the most secure authentication approach for each individual. These systems often include many advanced features that double down on security if a risk is detected. For example, an adaptive authentication tool can begin to secretly monitor a user’s attempts to gain access if they cannot verify their identity.
Multiple Verification Methods
Most of today’s biometric security technologies rely solely on presentation attack detection (PAD) to verify users’ identities. However, PAD tools are not advanced enough to stop deepfake hackers from gaining access to sensitive data.
For this reason, security experts suggest that using PAD, IAD, and image inspection should be used in conjunction for maximum protection. While IAD technology will scan for any unfamiliar software and hardware, PAD and image inspection will inspect the users’ features to verify their identity.
You can also combine biometric security technology with other authentication methods, such as unique passwords and PINs (personal identification numbers). This way, deepfakes cannot access your sensitive information even if they’re able to pass a biometric scan.
Expert Vendors
You should always work with experts in the biometric security field when you’re unsure of what security method would best fit your needs. Like any other industry, there is a wide range of niches within biometric technologies, and most professionals have their own areas of expertise. For example, some biometric technicians focus more on presentation attack detection, and may not have the expertise to tend to issues with IAD technology.
Technology experts urge those looking for the strongest security possible to search for a technician who specializes in both IAD and PAD. They’ll be able to suggest the best security methods, install them, and tend to any repairs that may be needed.
Heightened Awareness
Even sophisticated AI technology like deepfakes isn’t always able to sneak past a trained human eye. That’s why stressing the importance of deepfake detection is vital to avoiding organization’s database compromises. Keeping members of your organization up to date on the advancements and threats of AI technology makes them better equipped to spot unusual activity and stop hackers in their tracks.
Photoplethysmography (PPG)
Photoplethysmography, or PPG, is a heart rate monitoring method that has become popular for its use in biometric security. According to Deloitte, PPG measures blood volume in the microvascular layer of tissue. PPG does an excellent job of detecting hackers because deepfake technology currently can’t detect heart rate signals.
Stay Vigilant Against Deepfakes
Deepfake technology continues to evolve every day, so it’s important to take the utmost care in protecting your sensitive information. Use the information in this article to guide you through how to counter the deepfake risk to biometric security. Most importantly, remember to contact an IT professional with experience in biometric security to learn how to best optimize your protection.
