Quantum Computing and Biometric Security: Enhancing Authentication
Using biometrics for authentication purposes has been part of security systems worldwide since 500 BCE, when the Babylonian empire introduced a system of closing business deals by pressing fingerprints into clay tablets, which were then kept as receipts and records. Its evolution has been a fascinating one, and, whether it’s the current automated system first used by the US Federal Bureau of Investigation in the 1960s or using that tried and tested fingerprint method, it’s an authentication type that’s here to stay.
The most common biometric techniques
Of course, one only has to watch a low-budget spy thriller, or read about an unfaithful lover’s fingerprint used to open a smartphone while they’re asleep, to know that it’s certainly not the most fool-proof security system.
Currently, there are both contact biometrics (such as fingerprint scanners/sensors) and contactless (iris scanners, voice-recognition or facial recognition), and of those two groups, the subgroups are broadly divided into the following categories:
Chemical: segmental DNA analysis
Visual: iris/retina/face scanning
Behavioural: walking and body signatures
Olfactory: body odour and pheromone analysis
Auditory: voice recognition
While some of these are so common that they’re found in low-level government buildings, enterprise businesses and even on our mobile phones, others are only in use in high-security situations.
But all of them have the same issue: they’re hackable (at varying levels, of course – mimicking someone’s walk or voice is a lot easier than mimicking their pheromones!).
Common cybersecurity issues
While the highest threat to any security system is still social engineering masquerading as the real deal, there aren’t many systems where a user could be fooled into, say, an iris scan initiated via email. It’s still possible, of course, but one would like to think that the people operating where higher level biometrics are used are a bit more savvy than the average internet user.
The most common types of cyber attacks against biometric security, then, are things such as spoofing (e.g. dusting for fingerprints and creating a mould or fingerprint from it), or finding some way of overriding via a presentation attack – according to the UK’s National Cyber Security Centre (NCSC), presentation attacks at sensor point are the most common type against biometric systems.
The second type is a sensor output interception, or replay attack, where, says the NCSC, “A previously captured sample might be replayed, or a captured biometric sample could be substituted with biometric data of a different individual at enrolment. Intercepted data might be used by an attacker to obtain the biometric characteristics of an enrolled individual for use in future attacks. Built-in security features supporting secure capture and processing of biometric data on a mobile device can be used to mitigate against sensor output interception.”
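The replay and substitution cases in the NCSC description can be countered by binding each capture to a fresh challenge. The following is an added example, not code from the NCSC or from any product named in this article; it assumes the sensor and the matcher share a secret key, and the names `seal`, `Verifier` and `NONCE_TTL` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30.0  # seconds a challenge stays valid (assumed value)

def seal(key: bytes, nonce: bytes, sample: bytes) -> bytes:
    """Sensor side: MAC over the verifier's 16-byte nonce plus the capture."""
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()

class Verifier:
    """Matcher side: issues single-use nonces and checks sealed captures."""

    def __init__(self, key: bytes, clock=time.monotonic):
        self._key, self._clock = key, clock
        self._pending = {}  # nonce -> time issued

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = self._clock()
        return nonce

    def accept(self, nonce: bytes, sample: bytes, tag: bytes) -> str:
        issued = self._pending.pop(nonce, None)  # pop makes the nonce single-use
        if issued is None:
            return "rejected: unknown or reused nonce"
        if self._clock() - issued > NONCE_TTL:
            return "rejected: stale nonce"
        if not hmac.compare_digest(seal(self._key, nonce, sample), tag):
            return "rejected: sample or tag does not match challenge"
        return "accepted for matching"

def demo() -> list[str]:
    key = secrets.token_bytes(32)  # hypothetical key shared by sensor and matcher
    v = Verifier(key)
    sample = b"constructed-iris-capture"  # constructed stand-in for sensor output
    n1 = v.challenge()
    tag = seal(key, n1, sample)
    out = [v.accept(n1, sample, tag)]                 # genuine, fresh capture
    out.append(v.accept(n1, sample, tag))             # same message replayed
    out.append(v.accept(v.challenge(), sample, tag))  # old capture, new challenge
    n3 = v.challenge()
    # Sample swapped for another person's data after the sensor sealed it
    out.append(v.accept(n3, b"constructed-other-person", seal(key, n3, sample)))
    return out

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The MAC only protects the path between sensor and matcher; it does nothing against a presentation attack at the sensor itself, which needs liveness detection.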
There are also, of course, the traditional methods such as database infiltration, insider attack and denial of service. All of these can be mitigated through vigilance and penetration testing, but there’s also a new layer of security that is showing promise in research.
Are quantum-enhanced biometric systems the future?
Quantum computing has, of course, been making incredible leaps in recent years, and it is only a matter of time before quantum computers are a part of our daily lives. But in security, there are already plenty of use cases.
Researchers at the University of Athens in Greece have discovered a way to use quantum mechanics to enhance security in personal-identification biometrics. Briefly summarised, there are a variety of attributes and response levels in the human eye that, combined, are referred to by physicists as the alpha map. And it’s this signature, unique to every human, which the research team proposes be used as the next advancement in biometrics.
And here’s the fun bit - quantum physics not only places limits on how an ‘eavesdropper’ could fool the system, but quantum computing also vastly speeds up the process of testing this method. While this method could be the next step in quantum-aided security, it’s still in the research phase.
There are some other interesting developments in the field as well, such as OFFPAD, the brainchild of Norwegian company PONE Biometrics and British firm PQShield. Combining tight biometric authentication with post-quantum cryptography, this is one cybersecurity method that only governments can afford at this point.
While OFFPAD is a nice-to-have wish list item, there are several other quantum-secure offerings out there. Infineon Technologies and its research partners, for example, have combined their semiconductor knowledge with passport security and quantum computing (QC) knowledge to create the world’s first post-quantum biometric passport that’s totally secure against attacks by cyber bullies operating a QC. But this technology is, yet again, still at research level.
In the meantime, while all these technologies are still in incubation and testing, cyber criminals are infiltrating our systems, harvesting and storing data. So while QCs may not be at the place where they’re stable enough to crash through your defence systems, getting a really tight, secure system that protects against current and future cyber attacks is a great idea. A fan favourite is Arqit Quantum’s QuantumCloud, which is, obviously, a cloud-based system that can plug into current infrastructure, but with the added bonus of offering encryption that will keep you safe against quantum computers.
While there are enough amazing developments in governments and private enterprises worldwide to keep us all writing for years, we’ll end with saying that cybersecurity professionals should keep an eye – and a fingerprint and even an alpha map – on all of the products and research mentioned here.