Biometric authentication risks: beyond fingerprints and selfies

Course description:

This practical course explores the hidden vulnerabilities in biometric systems—from facial recognition spoofing to fingerprint replication. Developers will learn attack methods, multi-factor fallback strategies, and real-world mitigation techniques through hands-on demos, roleplay, and team challenges. Designed to be engaging, not intimidating, with no tests or pressure—just collaborative learning.

This course description is open source. Feel free to use it.


Course outline

Duration: 1 day (5.5 hours including breaks; 7.5 hours if the optional Session 4 is run)

Format: In-person or virtual (adaptable for both)

Audience: Developers, security engineers, and product teams implementing biometric auth.


Timetable

Session 1: biometrics unpacked (60 mins)

  • How biometric authentication really works (technical but accessible).

  • Real-world failures: masked faces fooling recognition, gummy fingerprints, deepfake bypasses.

  • Activity: “guess the flaw” – match attack types to famous breaches (e.g., Android face unlock spoofs).

Session 2: hands-on hacking (90 mins)

  • Demo: bypassing phone face recognition with photos/masks (ethical, controlled environment).

  • Tools: intro to presentation attack instruments (e.g., silicone fingerprints, infrared photographs used to defeat IR-based liveness checks).

  • Countermeasures: liveness detection, 3D depth mapping, and hardware-backed template storage (secure elements, TEEs) so templates never leave the device.

Break (15 mins)

Session 3: designing resilient systems (90 mins)

  • Why biometrics should never stand alone: multi-factor fallbacks (tokens, behavioural analytics).

  • Roleplay: “the biometric breach” – teams argue for/against replacing passwords in a mock product meeting.

  • Case study: when biometric databases leak (e.g., India’s Aadhaar data exposure).

Lunch (30 mins)

Session 4: red team vs. blue team (120 mins, optional)

  • Based on the 2019 Samsung Galaxy S10 ultrasonic fingerprint spoof.

  • Red team: crafts attacks using everyday materials (e.g., glue, graphite).

  • Blue team: implements detection rules or fallback auth protocols.

  • Debrief: creative attack vectors and defence trade-offs.

Session 5: future-proofing auth (45 mins)

  • Emerging tech: gait analysis, vein patterns, and their risks.

  • Quiz: “spot the weak link” – evaluate real product biometric implementations.

  • Q&A and “biometric myth-busting” wrap-up.

Certificates: Awarded to all participants (no scoring).


Resources required

  • Demo kits: phone with face unlock, silicone fingerprint moulds (ethical use only).

  • Pre-recorded spoofing examples (e.g., deepfake video bypassing liveness checks).

  • Leaked biometric dataset examples (anonymised, for educational discussion).

  • Roleplay cards for product meeting scenario.

  • Quiz slides with real product screenshots.


Key activities explained

  1. “Guess the flaw” matching game

    • Teams pair famous biometric failures (e.g., CNN’s 3D-printed hand tricking vein scanners) with their root causes.

  2. Roleplay: the biometric breach

    • A “startup CEO” (played by the facilitator) insists on going passwordless. Teams debate the risks using real breach data.

  3. Red team vs. blue team exercise

    • Scenario: A banking app uses fingerprint auth. Red team must bypass it using household items; blue team deploys rate-limiting or secondary auth.
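
The blue-team side of this scenario, and Session 3's point that biometrics should never stand alone, can be shown concretely. The following is an added example written for this outline, not part of the course materials and not any real bank's code. It assumes a hypothetical banking-app server where the phone reports only a MAC-authenticated "matched / not matched" assertion over a server challenge (the device key shared at enrolment stands in for a hardware-backed key), and the policy constants are constructed for the exercise: failed local matches are budgeted, the biometric channel is suspended after three failures, a PIN is the fallback factor, and high-value transfers always require it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Policy constants for the hypothetical banking app (constructed for this exercise).
MAX_BIO_FAILURES = 3     # consecutive local-match failures before the biometric channel is suspended
SUSPEND_SECONDS = 900    # while suspended, only the fallback factor (PIN) is accepted
STEP_UP_LIMIT = 1000     # transfers above this need the second factor even after a good match


@dataclass
class Account:
    device_key: bytes                 # shared at enrolment; stand-in for a hardware-backed device key (assumption)
    pin_salt: bytes
    pin_hash: bytes
    bio_failures: int = 0
    suspended_until: float = 0.0
    used_challenges: set = field(default_factory=set)


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def enrol(pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(device_key=secrets.token_bytes(32), pin_salt=salt, pin_hash=hash_pin(pin, salt))


def device_assertion(device_key: bytes, challenge: bytes, matched: bool) -> dict:
    """What the phone reports after a local fingerprint attempt.

    The server never receives the fingerprint or template, only a MAC over the
    challenge and the match bit, so a leaked server database holds nothing to spoof with.
    """
    msg = challenge + (b"\x01" if matched else b"\x00")
    return {"challenge": challenge, "matched": matched,
            "mac": hmac.new(device_key, msg, hashlib.sha256).digest()}


def authorize(acct: Account, assertion: dict, amount: int, pin: Optional[str], now: float) -> str:
    """Blue-team policy. Returns 'allow', 'deny', 'retry', 'suspended' or 'step_up'."""
    pin_ok = pin is not None and hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash)

    # Biometric channel suspended: only the fallback factor gets through.
    if now < acct.suspended_until:
        if pin_ok:
            acct.bio_failures = 0
            acct.suspended_until = 0.0
            return "allow"
        return "suspended"

    # Challenges are single-use, so a captured "matched" assertion cannot be replayed.
    ch = assertion["challenge"]
    if ch in acct.used_challenges:
        return "deny"
    acct.used_challenges.add(ch)

    msg = ch + (b"\x01" if assertion["matched"] else b"\x00")
    expected = hmac.new(acct.device_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return "deny"    # not from the enrolled device; does not count against the biometric budget

    if not assertion["matched"]:
        acct.bio_failures += 1
        if acct.bio_failures >= MAX_BIO_FAILURES:
            acct.suspended_until = now + SUSPEND_SECONDS
            return "suspended"
        return "retry"

    # Good match: reset the budget, but high-value actions still need the second factor.
    acct.bio_failures = 0
    if amount > STEP_UP_LIMIT and not pin_ok:
        return "step_up"
    return "allow"


def demo() -> list:
    """Red team burns the biometric budget with spoof attempts; blue team's policy responds."""
    acct = enrol("4242")
    t = 1_000.0
    out = [authorize(acct, device_assertion(acct.device_key, secrets.token_bytes(16), True), 50, None, t)]
    for _ in range(3):    # three failed spoofs: retry, retry, suspended
        out.append(authorize(acct, device_assertion(acct.device_key, secrets.token_bytes(16), False), 50, None, t))
    out.append(authorize(acct, device_assertion(acct.device_key, secrets.token_bytes(16), True), 50, None, t + 1))
    out.append(authorize(acct, device_assertion(acct.device_key, secrets.token_bytes(16), True), 50, "4242", t + 2))
    out.append(authorize(acct, device_assertion(acct.device_key, secrets.token_bytes(16), True), 5000, None, t + 3))
    return out


def replay_and_forgery_demo() -> list:
    acct = enrol("1111")
    ch = b"\x00" * 16    # constructed fixed challenge; a real server issues a fresh random one per attempt
    good = device_assertion(acct.device_key, ch, True)
    first = authorize(acct, good, 50, None, 1_000.0)      # fresh assertion: allow
    replayed = authorize(acct, good, 50, None, 1_001.0)   # same challenge again: deny
    forged = device_assertion(b"wrong key", b"\x01" * 16, True)
    third = authorize(acct, forged, 50, None, 1_002.0)    # MAC not from the enrolled device: deny
    return [first, replayed, third]
```

The point for the debrief: even a perfect silicone finger only buys the attacker one local match, and the server-side policy decides what that match is worth. Forged or replayed "matched" messages are rejected outright, repeated failures shut the biometric channel rather than leaving it open for unlimited tries, and the transfer limit makes the PIN a hard requirement regardless of how convincing the presentation attack was.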


Takeaways

  • A “biometric risk checklist” for product development.

  • Hands-on experience with spoofing tools (ethically).

  • Understanding of when biometrics enhance—or weaken—security.

  • Completion certificate.


Notes for facilitators

  • Stress ethical boundaries: attacks are performed only against the course demo kit, never against participants’ own devices, accounts, or any third-party system.

  • For virtual sessions, use pre-recorded spoof demos and breakout rooms for roleplay.

  • Encourage absurd ideas in red teaming (e.g., “could a wax nose fool thermal scans?”).

This course turns biometric risks from theoretical worries into tangible, fixable challenges—while keeping laughter in the room.


Last update: 2025-06-08 13:05