Multi-Factor Biometrics for Authentication: A False Sense of Security

Multi-factor biometric recently to strengthen systems in addition to authentications have been proposed security and/or privacy of biometric enhancing authentication accuracy. An important approach to multi-factor biometric authentication is to apply User-Based Transformations (UBTs) on biometric features. Typically, UBTs rely on generating user-based transformation keys from a password/PIN or retrieved from a token. One significant advantage of employing UBTs is its ability to achieve zero or near zero Equal Error Rate (EER) i.e. a clear separation of genuine and imposter distributions. However, the effect of compromised transforrmation keys on authentication accuracy has not been tested rigorously. In this paper, we challenge the myth that has been repotted in the literature that in the case of stolen transformation key(s), accuracy drops but remains close to the accuracy of biometric only system. Moreover, we shall show that a multi-factor authentication system setup to operate at a zero EER has a serious security lapse in the event of stolen or compromised keys. In such a scenario, the False Acceptance Rate (FAR) of the system reaches unacceptable levels. We shall demonstrate this by experiments conducted on face and fingerprint biometrics, and show that an imposter with a stolen key needs no more than two attempts on average to be falsely accepted by the biometric system.