Fingerprint authentication is a convenient alternative to passwords and PIN codes. Who would want to waste time typing a long string of numbers, letters and symbols when a simple click is enough?
Unfortunately, you have to pay for this convenience. Because, unlike a normal password, you leave your fingerprint on taxi doors, iPhone screens and glasses of wine at a local restaurant.
To compromise your device or account, we don't even need direct access to your fingerprint. A photo of the surface you touched will do (from the table in the local library to the equipment in the nearest gym).
Having this photo at our disposal, an hour of work in Photoshop gives a decent negative:
In the last step, we add some carpentry glue on top of the fingerprint to animate a fake fingerprint that we can use on the scanner.
The beginning of the attack
With a fingerprint in hand, all we have to do is attach it to the scanner.
We were able to carry out this well-known attack on most of the devices that our team had for testing. If this was a real attack, we would have access to a wide range of confidential information.
The reason for the success of the attack
The main reason for the success of the attack is that almost no fingerprint sensor today knows how to distinguish "alive" from "inanimate".
Methods of recognition of a living person
To increase the reliability of the applied biometric system, the following methods are used:
multimodal (multibiometric) authentication;
determination that you have a living person in front of you (Liveness Detection).
For biometric authentication methods, it is important to determine that it is a living person who is being identified. Developers use the term "Survivability", which is defined in the international standard ISO/IEC 30107-1:2016.
In methods of detecting survivability, physiological or behavioral information or information contained in a biometric sample is used as signs of life.
Fingerprint recognition systems use the following to detect survivability:
measurement of temperature, pulse, electrical resistance;
detection of subcutaneous signs;
comparison of consistently accepted biometric samples, etc.
For other biometric characteristics, survivability detection methods are usually based on the analysis of arbitrary and involuntary behavior. Facial recognition systems may require the user to perform head, lip, eye movements or change facial expressions.
Voice recognition systems may ask the user to pronounce a randomly generated phrase or an alphanumeric sequence to prevent playback of recorded sounds.
However, as it is not difficult to notice, in most laptops (yes, what is there, rather even in all) today, much cheaper fingerprint sensors are used. And even more so in smartphones.
Within the framework of the international subcommittee on Standardization ISO/IEC JTC 1 SC 37 Biometrics, three international standards have been developed for the definition of attacks on biometric presentation: ISO/IEC 30107-1:2016, ISO/IEC 30107-2:2017 and ISO/IEC 30107-3:2017.
Currently, the most widespread among biometric characteristics are the following: fingerprints, facial image, voice, vascular bed of the hand, iris.
Fingerprints account for the largest number of methods of forgery and protection against them. It is from them that this article is about.
Fingerprints. Methods of attack
As a rule, the differences between fake fingerprints are in the materials used to create the dummy. Most often, technical gelatin, clay, plasticine, dental plaster is used. After receiving a sample of the fingerprint of the user who has access to the attacked biometric system, a mold is created into which the fake finger is cast.
Fingerprints. Methods of protection
To determine that it is a live fingerprint that is presented, hardware or software methods are used, as well as their combinations.
multispectral registration is used (fixation of reflected IR radiation — completely different values are obtained from the skin and from synthetic material). Typically used in optical readers;
pulse fixation based on optical or ultrasound method;
measurement of the electrical resistance of the skin.
Software methods involve comparing a scanned fingerprint with the characteristic features of fake samples. For example, too clear or, conversely, too ragged edge of the print, too smooth lines of the papillary pattern, a large number of too light or too dark areas in the scanning area - these are just some of the most common differences between a dummy and a "live" finger.
The software method of fingerprint analysis relies on the individual characteristics and capabilities of specific biometric equipment, as well as on templates and algorithms created and patented by developers.
Protection from attack
As you can understand from the above, a fingerprint should not be considered as a secure alternative to a strong password. As a result, your information — and possibly your crypto assets — are vulnerable to even the most inexperienced attackers.
By now, it should be clear that although your fingerprint is unique to you, it can be used relatively easily. At best, you should consider using it only as secondary authentication (2FA).