The International Biometric Group is a consulting and technology services firm. Since 1996, IBG has provided technology-neutral and vendor-independent biometrics services, strategy and solutions to financial institutions, integrators, government agencies and high-tech firms. This is one of the Group’s White Papers.
Introduction
It is a common belief that most biometric systems are capable of detecting liveness in biometric samples. Liveness detection in a biometric system ensures that only 'real' fingerprints, facial images, irises and other characteristics are capable of generating templates for enrolment, verification and identification. From a security and accountability perspective, requiring a live biometric characteristic makes it difficult for an individual to repudiate that he or she executed a transaction, accessed a secure facility, or applied for a benefit.
Recent academic and media tests, however, show that with negligible-to-modest effort many leading biometric technologies are susceptible to attacks in which fake fingerprints, static facial images, and static iris images can be used successfully as biometric samples. These fraudulent samples are processed by the biometric system to generate templates and to verify enrolled individuals. Methods of attack include fashioning fingerprints from gelatin, superimposing iris images atop human eyes, even breathing on a fingerprint sensor. In the words of CT magazine, responsible for executing a handful of these successful attacks: "...the products in the versions made available to us were more of the nature of toys than of serious security measures."
The implications of this demonstrable susceptibility to 'spoofing' - defeating a biometric system through fake biometric samples - include the following:
* 'Fake finger' attacks may be mounted against existing enrolments in order to gain access to a protected facility, computer, or other resource.
* A 'fake finger' may be used for authentication at a given computer, doorway, or border crossing in order to fraudulently associate an audit trail with an unwitting individual.
* A 'fake finger' may be used to enrol in a biometric system and then be shared across multiple individuals, thereby undermining the entire system.
* An individual may repudiate transactions associated with his account or enrolment - claiming instead that they are the result of attacks - due to the inability of the biometric system to ensure liveness.
Given biometrics' burgeoning acceptance as a solution for a range of public and private sector applications such as civil identification, network security, border control, and point of sale authentication, the question of liveness detection in leading biometric technologies must be addressed. If biometric systems can be fooled by the act of breathing - as CT magazine demonstrated when its investigators where able to reactivate a latent fingerprint by breathing on a sensor - is it still correct to view them as security solutions?
The publicity given to these spoofing tests suggests that liveness detection represents a major problem for the biometric industry. However, the issue of liveness detection - in addition to the problems it poses for certain biometric applications - is symptomatic of larger, more pressing problems in biometrics.
Conceptual impediments to liveness detection
The concept of liveness detection can be framed by considering detection of liveness versus detection of non-liveness. Biometric systems are comprised of acquisition elements and processing elements. Acquisition elements record, image, or otherwise capture raw data: fingerprints, facial images, photographs, etc. Processing elements scan this raw data for distinctive or identifiable characteristics. Liveness detection may take place at the acquisition stage, such that non-live data is not acquired, or at the processing stage, such that non-live data is not processed. If one places an eraser on an optical fingerprint sensor, an image appears but no feature extraction takes place: the detection is at the processing stage. In most silicon systems, the same eraser would not produce an image, such that detection would take place at the acquisition stage.
The question at this point is whether liveness or non-liveness is being detected. In theory, liveness detection is based on the determination that one or more qualities of a biometric sample are consistent with the qualities associated with live biometric samples. The biometric system is designed and built to process data within a certain set of parameters and to not process data that falls outside of these parameters.
The decision process within a biometric system, therefore, more closely resembles:
if data = live, perform acquisition and extraction than it does if data = not live, do not perform acquisition and extraction.
In other words, biometric systems are more attuned to detecting liveness than to detecting non-liveness. The implication is that individuals looking to generate a fake biometric sample have the simpler task of emulating characteristics of a live sample than circumventing 'non-liveness' detection methods. The material or data used to spoof the system may have a number of non-live characteristics, but so long as it can replicate the feature set which represents liveness, it can defeat the system.
Putting liveness detection in perspective
Although efforts to develop effective liveness detection capabilities will help narrow what is currently a wide gap in biometric system capabilities, it must be assumed - at all stages of biometric system design, implementation, and operation - that any liveness detection methods can and will be defeated. More time or effort may be required to defeat liveness detection methods than in breathing on a scanner, but manufacturers, deployers, and end users must assume that a biometric system can and will be spoofed. So long as a system, within a reasonable operating environment, can be defeated by a spoofed sample, biometric system design and deployment decisions must be shaped accordingly. If one makes the design assumption that a biometric device can never be spoofed, once it is spoofed the system may be dramatically weakened.
Fortunately, the biometric industry does not stand or fall according to the technology's ability to detect liveness: the liveness problem applies only to a subset of biometric applications and operating environments, as is discussed below. Even without liveness detection, biometrics provide unique and essential functionality in a range of applications. The core problem is that the efforts of external parties - as opposed to the industry itself - were required to expose this weakness, and that serious questions must now be posed regarding more essential system functions and capabilities. If third parties are relied upon to discover other weaknesses in biometric systems, the implications for the biometric industry could be severe. For example, demonstration of the ability to reverse engineer images from templates or the ability to track templates across diverse biometric systems - neither of which have been shown to be possible - could undermine biometrics in a number of applications.
Liveness detection as a reflection of broader biometric industry issues
The discussion around liveness detection reflects on three ingrained tendencies in the biometric industry that must be addressed in order for the biometrics to reach its full potential:
* Emphasis on proprietary functionality.
* Unrealistic performance claims.
* Reluctance to place biometric technology in the context of real-world applications.
Issue 1: Emphasis on proprietary functionality
It is irrefutable that the efforts of today's biometric vendors have advanced the technology tremendously over the past several years. The industry has done a similarly admirable job of standardising critical elements such as APIs, data formats and imaging specifications. However, with the exception of fingerprint-based systems for law enforcement and civil identification, biometric systems have not been held to rigorous performance, design or implementation standards. In order for biometrics to be deployed as widely as is anticipated in network security, physical access and other transactional verification applications, the technology and its core operations must be held up to rigorous inspection and not treated as a black box.
The methods by which most vendors claim to detect liveness have generally been held proprietary, and typically include comparison of sequentially acquired biometric samples, temperature detection, penetrating surface layers of skin, or other algorithm-based methods. When probed, most vendors fall back on the need to retain a competitive advantage in holding secret their liveness detection methods.
The liveness detection controversy makes clear that the biometric industry's reliance on proprietary, closed design - whether in liveness detection, matching algorithms, template generation or feature extraction - is unlikely to be a long-term solution for building secure, reliable and effective systems. Security and cryptography experts have long called into question the viability of the biometric industry's closed approach to system design and its unwillingness to make available for review the proprietary methods and technologies that perform critical functions. In most cryptographic systems, by comparison, the methods of operation are well known; compromise of a key does not collapse the whole infrastructure, but instead triggers revocation and re-issuance processes that reinforce system integrity.
The biometric industry will benefit from its proprietary design approaches being laid open for inspection, analysis, criticism and improvement. This represents a fundamental shift away from the manner in which the industry operates: nearly the entirety of the biometric industry is at some point reliant on one or more secret whose exposure could compromise the technology's operation. The proprietary and secret nature of liveness detection and the unwillingness to have such methods held up for third-party inspection, analysis and improvement, masked what seems to have been a nearly non- existent capability.
Issue 2: Unrealistic performance claims
Perhaps the most unfortunate aspect of the liveness issue is not that biometric systems can be defeated but that claims to liveness detection seem to have been greatly overstated if not completely misleading. Whether fairly or not, this calls into question the credibility of other commonly held biometric truths: that images cannot be recreated from templates, that matching algorithms are capable of extremely high levels of accuracy, and that a hacked biometric database cannot be used for privacy-invasive purposes.
It is inevitable that companies, in an effort to differentiate their technology in a crowded market and with skeptical customer bases, will emphasise the conceptual strengths of a core technology. However, vendor claims of error rates in the range of one or two per million transactions can pose major risks and lead to extreme disillusionment on the part of deployers when errors do occur. It should be emphasised that the industry has improved substantially in this area, and that discussion of biometric accuracy and performance is much more realistic than was the case in the industry's infancy. However, the lack of realistic, independent or relevant substantiation regarding performance claims represents a larger problem in the biometric industry than does liveness detection.
Far from providing irrefutable authentication - as has occasionally been the claim of some biometric advocates - biometric systems provide (in most circumstances) a high but not absolute degree of identity certainty. Whether due to spoof attacks or false matches and non-matches, a biometric decision cannot be taken in and of itself as unassailable proof that an individual executed a transaction or entered a facility. Biometric systems err with some regularity, depending on how they are configured: this reality can either be discovered by end users in an operational environment, or can be recognised by the biometric industry as an issue, communicated to deployers and end-users, and mitigated through careful system design.
A major implication of susceptibility to spoof attacks, as well as to matching errors, is that biometric system decisions cannot be taken as absolutely definitive verification or identification statements. Biometric match results may need to be weighed with other factors to enable decisions about access, accountability, and identity. In law enforcement and civil ID systems, biometric searches rely on human operators to execute final match - no match decisions; the automated component is designed to simplify, not eliminate, the human decision process. By contrast, biometric systems used for network access, physical access or other transactional functions rely on template matching, a completely automated function - rarely is a human present to confirm the system's decision. Automated biometric matching is too new a discipline to have legal weight or to have objective, actionable levels of certainty associated with match decisions. In particular, as biometric systems are being proposed for such highly sensitive applications as passport bearer authentication and air travel, the decisions resulting from biometric matches may have severe consequences.
The positioning of biometrics as an unassailable identification technology has always been incorrect - the susceptibility to spoofing merely draws another set of factors into play when executing biometric decisions.
Issue 3: Reluctance to place biometric technology in the context of real-world applications
Evaluating biometric technology requires an understanding of the application in which the technology is deployed. Liveness detection, for example, is critical in some biometric applications, less relevant in others. At one extreme are facial-scan systems designed for 1:N duplicate detection in drivers' licence issuance. In these applications, individuals are enrolled and identified though static digital images; liveness detection is at odds with the system's basic operations. At another extreme are e-commerce implementations in which enrollment and verification are likely to be unsupervised and sanctions for misuse difficult to enforce.
In biometric applications in which supervision is present when individuals are submitting biometric data - as is typically the case in benefits issuance and large-scale identification - the likelihood of an individual spoofing the system is substantially reduced. It will generally be evident if an individual is producing a fake finger or utilising a photograph for enrollment or during subsequent updates.
Similarly, in most biometric systems, enrolment is a supervised event, being the point at which identity within the biometric system is established and at which high-quality biometric data must be acquired for ongoing use. This applies to enterprise biometric applications such as logical access to networks and physical access to controlled areas. When enrolment is supervised, the likelihood of an individual enrolling a sharable token as opposed to a biometric sample is substantially reduced. Therefore the inability to detect liveness may result in a latent fingerprint being used to gain fraudulent verification, but is unlikely to involve verification through a shared enrolment token.
In certain biometric applications, primarily high-value or high-risk applications in which enrolment and verification are unsupervised, susceptibility to spoof attacks can be highly problematic. End users may be less willing to enroll in a system in which their account may be susceptible to attacks; deployers may be less willing to risk implementing a system whose authentication capabilities cannot be fully relied upon for decision-making. In these applications, there may be little or no ability to apply a sanction for system misuse, such that individuals are not dissuaded from attempting spoof attacks. Resolving this problem may require a fundamental rethinking of how enrolment and verification take place in remote, unattended biometric systems; at the very least the risk assessment used to determine whether biometrics are an effective solution must be rethought. A mitigating factor is that the use of biometrics in unattended enrolment and verification applications and in a non-sanctioned environment is still very rare. The industry will need to devise protections which limit the impact of the liveness problem before this type of application becomes commonplace.
The importance of liveness detection can also vary according to the purpose for which the system is deployed. If an individual is motivated to avoid detection or establish multiple identities - as would be the case during enrolment in a 1:N system for benefits issuance - then enrolling through fake fingerprints may allow an individual to create multiple identities within a system. However, If the individual is motivated to be verified successfully in the system, as would be the case in subsequent verification against one's existing enrolment, liveness is less of an issue: the primary motivation is to match his enrolment, not to subvert the system.
Design elements to limit impact of spoofing
System design decisions may be driven by a need to reduce susceptibility to spoof attacks. While design decisions are based on the specific needs of a biometric application, one can imagine utilisation of the following protections:
* Randomisation of verification data. If users are asked to enrol more than one biometric sample - for example, three fingerprints or two distinct voice patterns - the system may randomise the biometric data it requests for verification, thereby slightly reducing the likelihood of spoofed data being usable for verification. Such a system may also require two fingerprints for verification, such that an imposter would have to locate two 'target' fingerprints with which to defeat the system.
* Retention of identifiable data. In most transactional biometric systems, identifiable data is destroyed immediately after template generation. Retaining image data, though posing substantial privacy and storage challenges, may provide a means of resolving spoof claims. In many cases spoofed biometric data will be evident upon inspection of the actual sample (inspecting the template, of course, would be useless). Retention of this data strengthens a system's audit trail and forces impostors to create data that looks like a biometric sample to the naked eye as well as to an extraction algorithm.
* Using multiple biometrics. Multiple biometric authentication is often proposed as a means of solving the liveness problem, as it is clearly much more difficult to spoof two biometrics in tandem or in sequence than to spoof one. However, implementing multiple biometrics is currently much more difficult than it seems. Process flows for verification are generally not compatible with the provision of more than one biometric characteristic, due to environmental, cost, or equipment limitations. In certain environments, multiple biometric implementations can be deployed effectively; however, it is not the cure-all that it would seem to be at first glance.
* Using multifactor authentication. Ultimately, the use of multifactor authentication - using biometrics with smartcards, tokens, even passwords - reduces the convenience provided by biometric systems but reduces the likelihood of biometric systems being spoofed. An impostor would need both the token and/or the secret along with impostor data in order to defeat the system. In certain biometric systems - identification systems, for example - this is not viable.
Conclusion
Although much of the biometric industry must go back to the drawing board to devise legitimate liveness detection capabilities, the problem of liveness detection is unlikely to ever be fully addressed in biometric systems - nor does it need to be. To the degree that biometrics protect valuable goods or information, methods of defeating these biometric systems will be devised. The burden of intelligent, responsible system design now lay with biometric vendors, solution providers, and deployers to limit the risks posed by this vulnerability and to ensure that the further vulnerabilities - such as those related to replay attacks and fraudulent template generation - are addressed.
Instead of having done irreversible harm, one can argue that having liveness detection revealed as effectively nonexistent may in the long term prove beneficial to biometrics. The controversy over liveness detection may provide a strong impetus to address long-standing problems in the biometric industry such as closed technology implementations, unrealistic performance statements and lack of application specificity in biometric technology evaluations. The next vulnerability located in biometric systems may result in more than embarrassment: it may undermine deployers' confidence in biometrics as a viable solution for security, convenience or fraud deterrence.
In addition to our accuracy- and enrolment-focused Comparative Biometric Testing, International Biometric Group performs custom Vulnerability and Penetration Testing of biometric devices and systems. IBG evaluates resistance to spoof attacks, replay attacks, communication attacks and other attempts to defeat or circumvent biometric systems.
Source: International Biometric Group, http://www.biometricgroup.com/reports/public/reports/liveness.html
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version