It’s a classic, if gruesome, staple of Hollywood action movies. The villain, desperate to gain access to the secret government vault, tricks the biometric security system by opening the door with the severed finger — or dangling eyeball — of the security guard.
In the real world, fake fingerprints and other forms of biometric spoofing pose serious challenges to the security community. Just this week, a team of Japanese researchers proved how easy it is to copy someone’s fingerprints from a “peace” sign selfie. A few years back, a hacker scanned the fingerprints of the German defense minister using a publically available press photo. The same hacker once fashioned a fake thumb out of wood glue to fool Apple’s Touch ID sensor.
But before you toss your new iPhone out the window or put on gloves every time you take a selfie, you might want to hear about a new technology that can tell if a biometric image like a fingerprint or an iris scan is really “alive.”
Matthew Valenti is the West Virginia University site director for the Center for Identification Technology Research, a multi-institution collaboration that has developed and patented anti-spoofing technology based on something called liveness detection.
“There are subtle features that are only present in a living person,” Valenti told Seeker. “Your fingers, for example, have tiny pores in them, and the signal processing algorithms used to scan your fingerprint can look for the presence of sweat in your pores. A spoof wouldn’t have that.”
Valenti’s colleague Stephanie Schuckers at Clarkson University is a pioneering researcher in liveness detection. She has tested her perspiration algorithms against fake fingers made out of wax and Play-Doh, and also a few dozen cadaver fingers from the morgue. Schuckers’ algorithms are the core technology behind NexID Biometrics, a private company claiming that its software can spot a fake fingerprint with 94 percent to 98 percent accuracy.
Still, liveness detection is so new that you won’t even find it on the latest biometric gadgets like the new MacBook Pro. So should we be concerned that hackers and identity thieves are scouring Instagram looking for fingerprints to steal?
“With the progression of technology, and the increased resolution of cameras, it’s become easier than ever to get someone’s fingerprints from a picture,” said Valenti. “But just because you obtain someone’s fingerprints, that doesn’t mean you can use them to gain access to a biometrically protected system.”
In the case of smartphones, not only would you need to steal the fingerprints, but you would need to steal the actual device. And for systems requiring the highest security, like government and military facilities, the standard industry practice is to combine biometrics with other security factors.
“First, there’s a secret that you possess, like a password,” said Valenti. “Then a token that you possess, like a physical or digital key. And then something that you are, which is your biometrics.”
So much for the plan to steal the president’s pinkie and break into Fort Knox.