Vulnerability in Biometric Authentication
What Is Vulnerability?
A vulnerability generally refers to a security flaw caused by a program defect or the like, meaning a state in which the system's security against unauthorized access from the outside is compromised.
Security holes are a typical example of a vulnerability.
In biometric authentication, a typical vulnerability is spoofing, that is, impersonating another person.
The specific attack methods involve creating an artifact of some part of a living human body and presenting it to the authentication system.
Presentation Attack Detection and Its Limitation
When developing biometric authentication products, it is necessary to implement “presentation attack detection”, which judges that artifacts such as those described above are not human bodies.
One typical technique uses electrical characteristics of the human body, such as skin capacitance; others use information from inside the living body as well as from its surface, or make use of the three-dimensional shape of the living body.
Each of these methods can detect simple spoofing that presents a photograph of the living body.
On the other hand, none of them can completely detect spoofing by artifacts.
Chaos Computer Club (CCC), a famous German hacker group, has in recent years continually conducted research on the vulnerability of biometrics installed on smartphones.
CCC succeeded in spoofing Touch ID, the fingerprint authentication system on the Apple iPhone 5s, in 2013, and succeeded in spoofing iris authentication on the Samsung Galaxy S8 in 2017.
In 2015, CCC also announced their success in replicating fingerprint information from a picture of a thumb taken from three meters away.
There is also a report that face authentication on the Samsung Galaxy S8 can be spoofed by showing a photograph of a face.
In China, where fingerprint authentication is widely used, techniques for making fingerprint artifacts have also been developed, and some kits for making fingerprint artifacts are on sale.
As presentation attack detection has progressed, the creation of artifacts has become more sophisticated as well, resulting in a cat-and-mouse game between the development of presentation attack detection and the development of artifacts.
Differences of Vulnerability Among Biometric Modalities
The fingerprints, faces, and irises mentioned above are biometric information that is visible to the eye and relatively easy for others to obtain without permission.
In comparison, veins cannot be seen with the eye and cannot be photographed with normal cameras.
It is difficult for others to obtain vein information.
For these reasons, it is difficult for others to make vein artifacts without the cooperation of the person concerned.
As the example of China shows, as biometric authentication becomes more widespread in the future, creating artifacts to spoof it will become common.
While price and authentication rate are still important factors when introducing biometric authentication, the era of considering vulnerability is just around the corner.
Author of this article
General Manager, Technology Promotion
About the Author
Yutaka Deguchi is a General Manager of mofiria Corporation, a Japanese company providing finger vein authentication technology.
Yutaka joined in 2013 from Toshiba Corporation, where he was responsible for technology and product development in voice recognition and synthesis, and is now responsible for technological development, including the management of intellectual property and collaboration with some research institutes.