A new biometric technology that literally waves goodbye to passwords is due to be announced by Hitachi Europe Ltd. on September 10. This first-of-a-kind technology couples Hitachi’s proven secure finger vein technology with any device that has a camera. So, could this be the beginning of the end for not only passwords but fingerprint scanning and facial recognition systems? I’ve been taking an exclusive first look at the new hand gesture biometric authentication technology.
1. How does Hitachi’s hand gesture authentication work?
Hitachi has been a leading player in the biometric authentication business for many years, with its finger vein biometrics used by banks to replace passwords for authorizing transactions. Indeed, the technology was first deployed in ATMs in Japan in 1997. “While fingerprint technology maps the external surface of your finger to detect the ridges,” Ravi Ahluwalia, general manager at the Hitachi Security Business Group (EMEA and NA) says, “finger vein technology reads the vein patterns within your fingers using ambient or infrared light to detect the vein patterns.”
Using the existing camera in your laptop or smartphone, with no need for any additional hardware or special sensors, the hand gesture technology scans the unique vein patterns in all fingers when the user waves their hand in front of it. Hitachi creates a data set description using a proprietary one-way algorithm; this is then encrypted with AES-256 encryption and “some other factors” to produce what Hitachi calls an encrypted template, which is not an image of the vein patterns. “There are other security features included in our eco-system,” Ahluwalia says, “however for obvious security reasons we choose not to publish them.”
“If a technical breach of security resulted in the harvesting of the encrypted templates they would be of no use to a bad actor as they would not be able to reverse the encryption,” Ahluwalia says, “even if that was possible, it would result in a data template which would provide no useful information to them and they would still be unable to reverse the process to retrieve the biometric data.”
2. What about the threat from fakes?
That fingerprints can be relatively easily faked is not new news, but every time the latest fingerprint scanning technology is hacked another nail is hammered into the coffin of this biometric.
As for facial recognition, Ahluwalia says that “it’s true that some facial systems are very secure, but those commonly used within consumer technology are more of a convenience feature than a true security method.” Examples of convenience over real security have been seen with Apple’s iPhone FaceID being fooled by a pair of glasses recently and Android faring no better when confronted with a 3D-printed head.
“Finger vein scanning requires that blood is flowing in the veins, adding another level of security,” Ahluwalia says, “it is significantly more difficult to forge a finger vein pattern compared to other methods.” Which isn’t the same as impossible. However, the finger vein, being an internal biometric, is much harder to capture without the user being aware of the process happening. “We have developed several methods of detecting the presentation of pictures and fake hands,” Ahluwalia says, “the new solution will benefit from the technology that Hitachi is using in compliance with the ISO/IEC 30107-3 standard for the testing of Presentation Attack Detection.”
3. As a software solution, is camera hardware a security weakness?
By implementing a solution in software that uses existing camera hardware, Hitachi does away with the need for hardware tokens, smartcards or biometric readers. This not only saves money for the user but hassle as well. However, does it introduce a higher risk of compromise considering that there are plenty of known exploits that target webcams and the like? Not so, according to Ahluwalia. “Even where the camera has been compromised,” he says, “all the attacker can do is receive a video stream from the camera which does not impact our solution.” To attack the authentication process, the attacker would need to have already achieved a level of control over the PC which, in fairness, would make every other security mechanism already compromised anyway.
The template created by the Hitachi hand gesture biometric solution isn’t an image, remember, but an analyzed derivation of it using a one-way algorithm. When stored at rest, it is “not in a human-readable format,” Ahluwalia says, “it’s encrypted and impossible to reverse back to the source biometric data.”
4. Is this the beginning of the end of passwords?
That IT is moving towards a passwordless future is beyond doubt, as announcements from Google about replacing passwords for 1.7 billion Android users and Microsoft’s move towards passwordless authentication for Windows 10 users indicate.
“Our solution works with any standard laptop camera or webcam,” Ahluwalia says (that is, 720p resolution and above), “simply by raising their hand, a user can authenticate to their computer. This means that the user doesn’t have to remember or continually re-enter and change their password.” Passwords will always have a human knowledge-sharing weakness, and password re-use across systems and services is at the heart of many of the data breaches you read about. “The removal of password entry is key for protecting users and businesses from cyber-attacks,” Ahluwalia says, “80% of all cyber-attacks start with a compromised password, and phishing attacks go away with the removal of password entry.”
Not everyone is convinced that biometrics is the answer on its own, though. “The catalog of breaches in recent years, combined with people’s poor choice of passwords and the reuse of the same passwords across multiple services,” David Emm, principal security researcher at Kaspersky, says, “means that passwords are increasingly seen as a weak form of authentication. Biometrics are more or less frictionless, while passwords are an extra gate to go through to gain access to a service.” Emm doesn’t think that biometrics are a panacea, however, and believes “biometrics are best used to replace usernames, not passwords.” Emm maintains that the established advice about using multi-factor authentication still stands: “two or more of something you are,” Emm says, “something you have and something you know.”