Fake Body Parts Still Fool Biometric Scanners

To avoid getting duped by a fake gummy finger, "spoof-proof" biometric IDs are now measuring "liveness."

Mar 18 2014, 6:45pm

Passwords are in their twilight years, and it's looking more likely all the time that biometric IDs are the next generation of authentication, especially since the iPhone 5s Touch ID helped popularize the idea. Next up are mobile payments via fingerprint or facial recognition and bio-activated smart home locks, and so a society where you can unlock your front door and take money out of the bank with your eyeballs isn't too far off.

Which is all to say that, dull as it may sound at the moment, it's probably a good idea to start thinking about biometric security.

It's no secret that biometric passwords aren't foolproof. They may be more secure than a six-digit password, particularly when most people still opt for dubious combos like "123456," but they can still be spoofed. We've seen fingerprint scanners fooled by artificial fingers made of Silly Putty, Play-Doh, plastic, clay, silicone, and gelatin. And fraudsters have used reverse-engineered images of an iris and realistic face masks to get past facial recognition tech. 

So in October, the EU and US invested some $8 million into a research project to study the weaknesses in biometric technologies and develop countermeasures for these kinds of spoofs. The project, called Tabula Rasa, meaning "blank slate," published a video and report on their progress today.

This video is in French but still interesting to watch.

The researchers are trying to win the cat-and-mouse game going on between fraudsters and security experts by proactively solving for hacks before they happen. It's led to innovations in "spoof-proof" biometric ID software that measures "liveness" as well as pattern or image recognition. In other words, it checks how lifelike the biological key being scanned is.

Take fingerprints for example. It's not very hard for a criminal to scan a fingerprint left on a surface somewhere, or even more clever, pull the digital file of the print stored in a biometric scanning system's archives, and reproduce it with, say, a 3D printer and some basic store-bought materials. (Not to mention it's pretty easy to find these prints—your iPhone's glass screen is full of them.)

So next-gen fingerprint scanners are being developed to measure texture and material to spot artificial impostor digits that aren't real human skin.

Same story with facial recognition. Masks or photos and video can fool basic systems, and iris scanners take the resulting snapshot of the eyeball and store it as code, a series of 1s and 0s that can be reverse-engineered to recreate the image and fool the systems. So new security systems are also including movement—requiring someone to blink before ID'ing them, or analyzing skin texture.

Other solutions that combine multiple biometric markers—iris scanning, fingerprints, and facial recognition together—are launching for large-scale, high-speed authentication applications like, say, nationwide voter registration. Others are tracking more complex biometric measurements like a person's gait, vein identification, or electro-physiological signals like heartbeats.

There's no one more excited than me for the age of passwords to be over, but biometrics aren't a panacea for privacy and security. The stakes are also higher: If someone guesses your passcode or steals your house key, you can change your combination or replace the locks. But once someone swipes and replicates your fingerprint you're pretty much shit out of luck. So we better make it real hard to do that.