When companies or governments seek highly secure access control or authentication technologies, they increasingly turn to biometrics, such as fingerprint or iris recognition systems.
Biometrics are being phased in as a way to enhance passport security, and the Defense Department has announced plans to put biometrics in all access systems by 2010. Overall, use of biometric-based access control systems is estimated to grow 30 percent per year to reach 25 percent of the market by 2014, according to The Freedonia Group, Inc.
But tests conducted on various biometric systems in recent years have shown that they are not as foolproof as once thought. Fingerprint authentication systems could be fooled - or spoofed - for example, by dusting a latent print with graphite powder, placing adhesive film over it, and applying pressure.
"Such research initially demonstrated that despite high matching accuracy, fingerprint systems could be fooled using cheap, easily accessible materials," explained consultant Ross Mitchell of International Biometric Group (IBG) in a recent Webcast.
Mitchell noted that biometrics companies responded with more advanced 'liveness detecting' techniques, such as moisture detection, pulse detection, wavelet analysis of skin surface coarseness, and subsurface print detection.
That has raised the bar, but systems are still spoofable. Wetting a spoofed fingerprint to simulate a person's sweat can fool moisture detectors, and putting a thin spoof over a real finger can fool pulse detectors, for example.
Subsurface print detection is among the most effective countermeasures, said Mitchell, but the technology has yet to be perfected. Consequently, the best defense is to use multimodal or multifactor authentication. In less technical terms: never put all your detection eggs in one technology basket; as in every other area of security, use a layered defense.
There are many types of fingerprint systems, including ultrasonic, multispectral, thermal, silicon, and optical. Most systems today are of the latter two types. Silicon sensors measure the capacitance between the skin and each sensor pixel. Optical sensors take a picture of the fingerprint by reflecting a light source onto a camera, which records an image from which the matching algorithm then extracts features.
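The layered-defense advice above can be made concrete as a decision policy in which a fingerprint match alone is never sufficient. The following Python is an added illustration written for this page, not code from the article, IBG, or any vendor; the detector names, the match threshold, the "at least two liveness detectors" rule, and the sample scores are all constructed assumptions. It shows why a spoof that defeats a single liveness detector (a wetted spoof passing the moisture check, or a thin overlay on a live finger passing the pulse check) still fails when the remaining detectors and a second factor are required.

```python
"""Layered authentication decision: biometric match + k-of-n liveness + second factor.

Added illustration (not from the article or IBG). Thresholds, detector names and
sample scores are constructed assumptions chosen to show the policy.
"""
from dataclasses import dataclass
import hmac

MATCH_THRESHOLD = 0.80      # assumed minimum matcher similarity to count as a match
LIVENESS_REQUIRED = 2       # assumed: at least 2 of the liveness detectors must pass


@dataclass
class Attempt:
    match_score: float      # similarity reported by the fingerprint matcher, 0..1
    liveness: dict          # detector name -> True if that detector judged the finger live
    pin: str                # second factor presented by the user


def liveness_passed(liveness: dict, required: int = LIVENESS_REQUIRED) -> bool:
    """k-of-n rule: defeating one detector is not enough to be accepted as live."""
    return sum(1 for ok in liveness.values() if ok) >= required


def second_factor_ok(presented: str, expected: str) -> bool:
    """Constant-time comparison so response timing does not leak how many digits matched.
    A real deployment would compare against a stored verifier (e.g. a salted hash), not plaintext."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def authorize(attempt: Attempt, expected_pin: str) -> tuple:
    """Grant only when every layer holds; return (decision, reason) for the audit log."""
    if attempt.match_score < MATCH_THRESHOLD:
        return False, "biometric match below threshold"
    if not liveness_passed(attempt.liveness):
        return False, "insufficient liveness evidence"
    if not second_factor_ok(attempt.pin, expected_pin):
        return False, "second factor failed"
    return True, "all layers passed"


# Constructed sample attempts (values are illustrative, not measured data)
GENUINE = Attempt(0.93, {"moisture": True, "pulse": True, "subsurface": True}, "4921")
# Wetted spoof: realistic print image, passes the moisture check, fails pulse and subsurface
WET_SPOOF = Attempt(0.91, {"moisture": True, "pulse": False, "subsurface": False}, "4921")
# Thin overlay on a live finger: passes moisture and pulse, fails subsurface, and the PIN is wrong
OVERLAY_WRONG_PIN = Attempt(0.90, {"moisture": True, "pulse": True, "subsurface": False}, "0000")

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE),
                          ("wet spoof", WET_SPOOF),
                          ("overlay, wrong PIN", OVERLAY_WRONG_PIN)]:
        print(f"{name:20s} -> {authorize(attempt, '4921')}")
```

The reason string returned alongside the decision is deliberate: logging which layer rejected an attempt lets operators notice a cluster of "insufficient liveness evidence" rejections at one reader, which is the signal a spoofing campaign would leave even when no access is ever granted.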
"IBG has found that optical fingerprint sensors are particularly susceptible to spoofing," said Mitchell. "Any spoof that contains a realistic fingerprint image and is able to trigger the sensor mechanism will have a high chance of penetrating the system," he said. Other types of systems can also be spoofed, said Mitchell, but they require more knowledge of biometrics generally and of the specific system being attacked.
Iris recognition systems have been spoofed with high-resolution photographs with an eyehole cut for the pupil and custom contact lenses with high-resolution iris patterns printed on them. Iris recognition systems are generally less spoofable, said Mitchell, but there's a tradeoff in terms of cost and convenience.
IBG plans to conduct what it calls "the industry's first structured evaluation of biometric systems - resistance to spoofing." The first round will focus on fingerprint and iris-recognition systems, with subsequent evaluations looking into other types of biometric systems.
They will test spoofs that are commonly considered viable, Mitchell told Security Management in a follow-up interview. In addition, they will invent some spoofs for the test; those details will be kept secret among the test sponsors and vendor participants. General results will be made public, but details will be available only to those who purchase the report.
Vendors will not pay to participate. The testing is being funded by the Financial Services Technology Consortium, whose members include end-user organizations, technology providers, and representatives from academia and government. Results, says Mitchell, will allow vendors to pinpoint strengths and weaknesses and to establish competitive differentiation of their products. The test is not being structured as a pass/fail, says Mitchell, but vendors will be able to cite results in marketing materials.
It's hard to argue with the general concept of testing, which can be an impetus for improvements, but SANS Institute Director of Research Alan Paller worries about the use of results in marketing. The problem is that "the methods available to compromise a security feature generally are greater than the ones that the testers do," says Paller. The vendor marketing generally will "mislead you badly, because the sellers grab on to any one of these tests and paint them as if they are the gold standard."
To avoid misleading buyers, he says, "It would be better not to publish results - [but instead just] find the problems and fix them."
When results are published, potential buyers should, of course, look beyond the hype and make sure they understand exactly what has been tested and what passing that test really means. Then the results can be weighed accordingly in the purchasing decision.
By Sherry Harowitz, editor-in-chief, Security Management magazine.