Security Evaluation of Biometric Authentication Systems on Smartphones and Recommendations for Optimal Implementation

  • Felix Yeovandi, Information Technology Study Program, Universitas Internasional Batam
  • Sabariman Sabariman, Information Technology Study Program, Universitas Internasional Batam
  • Stefanus Eko Prasetyo, Information Technology Study Program, Universitas Internasional Batam
Keywords: Biometric authentication, smartphone, data security

Abstract

Biometric authentication on smartphones is a modern solution for more practical and secure login. The technology offers advantages over password-based methods, such as speed of access and resistance to forgery. However, it has various weaknesses, such as the potential for exploitation through malware, spoofing, or brute-force attacks that exploit security holes such as Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). In addition, compromised biometric data cannot be replaced, leaving users exposed to long-term security threats. To overcome these weaknesses, this article recommends a security approach based on a Trusted Execution Environment (TEE), AES-256 encryption, spoofing detection based on liveness recognition, anti-tamper mechanisms, and rate limiting. The secure authentication flow is designed to protect biometric data locally, without transmission to external servers, ensuring that user integrity and privacy are maintained. The flow includes suspicious activity detection, login encryption, and data protection with advanced encryption. Through the combination of these technologies, the biometric authentication system is able to maximize security by minimizing the risk of attacks on user data. The evaluation results of this research show that a deep neural network (DNN) model trained with AES-256 can produce accuracy above 99.9% with fewer than 5,000 power traces. The implementation of liveness detection can produce an F1-Score of 97.78% and an HTER of 8.47% in the intra-dataset scenario, and an F1-Score of 74.77% and an HTER of 29.05% in the cross-dataset scenario. This combination of technologies provides secure and efficient biometric authentication without compromising user comfort.

Published
2025-01-17
How to Cite
[1] F. Yeovandi, S. Sabariman, and S. E. Prasetyo, “Evaluasi Keamanan Sistem Autentikasi Biometrik pada Smartphone dan Rekomendasi Implementasi Optimal”, jtim, vol. 7, no. 1, pp. 133-148, Jan. 2025.