
IBG Biometrics Report.doc

Uploaded by: 天天快乐 | Document ID: 1144626 | Upload date: 2018-06-15 | Format: DOC | Pages: 57 | Size: 465KB

IBG's Fingerprint Industry Report Free White Papers

compromise of a key does not collapse the whole infrastructure, but instead triggers revocation and reissuance processes that reinforce system integrity.

The biometric industry will benefit from its proprietary design approaches being laid open for inspection, analysis, criticism, and improvement. This represents a fundamental shift away from the manner in which the industry operates: nearly the entirety of the biometric industry is at some point reliant on one or more secrets whose exposure could compromise the technology's operation. The proprietary and secret nature of liveness detection, and the unwillingness to have such methods held up for third-party inspection, analysis, and improvement, masked what seems to have been a nearly non-existent capability.

Issue 2: Unrealistic Performance Claims

Perhaps the most unfortunate aspect of the liveness issue is not that biometric systems can be defeated but that claims to liveness detection seem to have been greatly overstated if not completely misleading. Whether fairly or not, this calls into question the credibility of other commonly held biometric truths: that images cannot be recreated from templates, that matching algorithms are capable of extremely high levels of accuracy, and that a hacked biometric database cannot be used for privacy-invasive purposes.

It is inevitable that companies, in an effort to differentiate their technology in a crowded market and with skeptical customer bases, will emphasize the conceptual strengths of a core technology. However, vendor claims of error rates in the range of one or two per million transactions can pose major risks and lead to extreme disillusionment on the part of deployers when errors do occur. It should be emphasized that the industry has improved substantially in this area, and that discussion of biometric accuracy and performance is much more realistic than was the case in the industry's infancy. However, the lack of realistic, independent, or relevant substantiation regarding performance claims represents a larger problem in the biometric industry than does liveness detection.

Far from providing irrefutable authentication - as has occasionally been the claim of some biometric advocates - biometric systems provide (in most circumstances) a high but not absolute degree of identity certainty. Whether due to spoof attacks or false matches and non-matches, a biometric decision cannot be taken in and of itself as unassailable proof that an individual executed a transaction or entered a facility. Biometric systems err with some regularity, depending on how they are configured: this reality can either be discovered by end users in an operational environment, or can be recognized by the biometric industry as an issue, communicated to deployers and end users, and mitigated through careful system design.

A major implication of susceptibility to spoof attacks, as well as to matching errors, is that biometric system decisions cannot be taken as absolutely definitive verification or identification statements. Biometric match results may need to be weighed with other factors to enable decisions about access, accountability, and identity. In law enforcement and civil ID systems, biometric searches rely on human operators to execute final match/no-match decisions; the automated component is designed to simplify, not eliminate, the human decision process. By contrast, biometric systems used for network access, physical access, or other transactional functions rely on template matching, a completely automated function - rarely is a human present to confirm the system's decision. Automated biometric matching is too new a discipline to have legal weight or to have objective, actionable levels of certainty associated with match decisions. In particular, as biometric systems are being proposed for such highly sensitive applications as passport bearer authentication and air travel, the decisions resulting from biometric matches may have severe consequences.

The positioning of biometrics as an unassailable identification technology has always been incorrect - the susceptibility to spoofing merely draws another set of factors into play when executing biometric decisions.

Issue 3: Reluctance to place biometric technology in the context of real-world applications

Evaluating biometric technology requires an understanding of the application in which the technology is deployed. Liveness detection, for example, is critical in some biometric applications, less relevant in others. At one extreme are facial-scan systems designed for 1:N duplicate detection in driver's license issuance. In these applications, individuals are enrolled and identified through static digital images; liveness detection is at odds with the system's basic operations. At another extreme are e-commerce implementations in which enrollment and verification are likely to be unsupervised and sanctions for misuse difficult to enforce.

In biometric applications in which supervision is present when individuals are submitting biometric data - as is typically the case in benefits issuance and large-scale identification - the likelihood of an individual spoofing the system is substantially reduced. It will generally be evident if an individual is producing a fake finger or utilizing a photograph for enrollment or during subsequent updates.

Similarly, in most biometric systems, enrollment is a supervised event, being the point at which identity within the biometric system is established and at which high-quality biometric data must be acquired for ongoing use. This applies to enterprise biometric applications such as logical access to networks and physical access to controlled areas. When enrollment is supervised, the likelihood of an individual enrolling a sharable token as opposed to a biometric sample is substantially reduced. Therefore the inability to detect liveness may result in a latent fingerprint being used to gain fraudulent verification, but is unlikely to involve verification through a shared enrollment token.

In certain biometric applications, primarily high-value or high-risk applications in which enrollment and verification are unsupervised, susceptibility to spoof attacks can be highly problematic. End users may be less willing to enroll in a system in which their account may be susceptible to attacks; deployers may be less willing to risk implementing a system whose authentication capabilities cannot be fully relied upon for decision-making. In these applications, there may be little or no ability to apply a sanction for system misuse, such that individuals are not dissuaded from attempting spoof attacks. Resolving this problem may require a fundamental rethinking of how enrollment and verification take place in remote, unattended biometric systems; at the very least the risk assessment used to determine whether biometrics are an effective solution must be rethought. A mitigating factor is that the use of biometrics in unattended enrollment and verification applications and in a non-sanctioned environment is still very rare. The industry will need to devise protections which limit the impact of the liveness problem before this type of application becomes commonplace.

The importance of liveness detection can also vary according to the purpose for which the system is deployed. If an individual is motivated to avoid detection or establish multiple identities - as would be the case during enrollment in a 1:N system for benefits issuance - then enrolling through fake fingerprints may allow an individual to create multiple identities within a system. However, if the individual is motivated to be verified successfully in the system, as would be the case in subsequent verification against one's existing enrollment, liveness is less of an issue: the primary motivation is to match his enrollment, not to subvert the system.

Design Elements to Limit Impact of Spoofing

System design decisions may be driven by a need to reduce susceptibility to spoof attacks. While design decisions are based on the specific needs of a biometric application, one can imagine utilization of the following protections:

Randomization of verification data. If users are asked to enroll more than one biometric sample - for example, three fingerprints or two distinct voice patterns - the system may randomize the biometric data it requests for verification, thereby slightly reducing the likelihood of spoofed data being usable for verification. Such a system may also require two fingerprints for verification, such that an imposter would have to locate two “target” fingerprints with which to defeat the system.

Retention of identifiable data. In most transactional biometric systems, identifiable data is destroyed immediately after template generation. Retaining image data, though posing substantial privacy and storage challenges, may provide a means of resolving spoof claims. In many cases spoofed biometric data will be evident upon inspection of the actual sample (inspecting the template, of course, would be useless). Retention of this data strengthens a system's audit trail, and forces an imposter to create data that looks like a biometric sample to the naked eye as well as to an extraction algorithm.

Using multiple biometrics. Multiple biometric authentication is often proposed as a means of solving the liveness problem, as it is clearly much more difficult to spoof two biometrics in tandem or in sequence than to spoof one. However, implementing multiple biometrics is currently much more difficult than it seems. Process flows for verification are generally not compatible with the provision of more than one biometric characteristic, due to environmental, cost, or equipment limitations. In certain environments, multiple biometric implementations can be deployed effectively; however, it is not the cure-all that it would seem to be at first glance.

Using multi-factor authentication. Ultimately, the use of multi-factor authentication - using biometrics with smart cards, tokens, even passwords - reduces the convenience provided by biometric systems but reduces the likelihood of biometric systems being spoofed. An imposter would need both the token and/or the secret along with imposter data in order to defeat the system. In certain biometric systems - identification systems, for example - this is not viable.

Conclusion

Although much of the biometric industry must go back to the drawing board to devise legitimate liveness detection capabilities, the problem of liveness detection is unlikely to ever be fully addressed in biometric systems - nor does it need to be. To the degree that biometrics protect valuable goods or information, methods of defeating these biometric systems will be devised. The burden of intelligent, responsible system design now lies with biometric vendors, solution providers, and deployers to limit the risks posed by this vulnerability and to ensure that further vulnerabilities - such as those related to replay attacks and fraudulent template generation - are addressed.

Instead of having done irreversible harm, one can argue that having liveness detection revealed as effectively nonexistent may in the long term prove beneficial to biometrics. The controversy over liveness detection may provide a strong impetus to address long-standing problems in the biometric industry such as closed technology implementations, unrealistic performance statements, and lack of application specificity in biometric technology evaluations. The next vulnerability located in biometric systems may result in more than embarrassment: it may undermine deployers' confidence in biometrics as a viable solution for security, convenience, or fraud deterrence.

Generating Images From Templates

The question of image recreation from templates is a complicated one. The industry has long held that one of the primary benefits from a security and privacy perspective is that the image (or, more broadly, identifiable data) cannot be recreated or regenerated from the template. Since images cannot be recreated, the logic goes, a hacked database cannot be used to manufacture a fingerprint or other biometric for hostile purposes such as placing a fingerprint at a crime scene or logging into a private network.

However, a recent story from the Canberra Times (Australia) indicated that a student was able to access an unencrypted template, determine how the vendor encoded features, and rebuild an image that was capable of being fed into the system to gain access. This calls into question claims regarding non-recreation of image data from templates, just as recent liveness reports call into question susceptibility to spoofing.

As we've often seen in biometrics, what is positioned as a black and white issue - can templates be used to recreate images? - is more complicated than it appears. The short answer is that under certain circumstances it is very likely that some type of image or visual representation can be recreated from some, if not all, biometric templates. It seems that there is no conceptual impediment to some type of image recreation or, at least, some type of meaningful analysis and representation of template data. Such recreation may be extremely difficult, may require access to highly confidential information, and in the end may have little to no negative impact on system security or personal privacy. However, biometric security may need to be reconceived if it can be demonstrated that images are recreatable from templates.

To frame the discussion:

1. Templates are generated by algorithms which locate and encode distinctive features from an identifiable physiological or behavioral characteristic such as a fingerprint image. In today's biometric industry, algorithms are proprietary to each vendor and in many cases represent key components of a vendor's intellectual property. Templates vary widely from sample to sample, such that in theory only a vendor algorithm can determine whether two templates match.

2. In order to analyze or reverse engineer a template, one must have access to an unencrypted template. This would involve either defeating the encryption used to protect the template or attacking a biometric system which does not utilize encryption (most, but not all, biometric systems encrypt data at various stages of transmission and storage). So one assumes unfettered access to a biometric template stored in a database or intercepted in transmission.

3. Vendors may mean different things when claiming that images cannot be regenerated from templates. There may be an inherent quality of their template generation algorithm that prevents images from being recreated. On the other hand, the secret nature of the algorithm may be the rationale for the inability to recreate images.

4. An important question is “who is attempting to regenerate the image?” The normal assumption is that an external agent is trying
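
Added example (not part of the IBG paper): a Python model of the "Randomization of verification data" design element from the section on limiting the impact of spoofing, showing how much the randomized request and the two-fingerprint requirement reduce an imposter's chance of holding usable spoofed data. The finger labels, function names and the retry count are assumptions; the imposter is modelled as already holding spoofs for m of the n enrolled fingers.

```python
import secrets
from fractions import Fraction
from math import comb

# Constructed sample enrollment; the labels are illustrative only.
ENROLLED = ["right_index", "right_middle", "left_index"]


def pick_challenge(enrolled, k):
    """Choose k distinct enrolled fingers with a CSPRNG so the
    verification request cannot be predicted from earlier requests."""
    if not 1 <= k <= len(enrolled):
        raise ValueError("k must be between 1 and the number of enrolled samples")
    pool = list(enrolled)
    chosen = []
    for _ in range(k):
        chosen.append(pool.pop(secrets.randbelow(len(pool))))
    return chosen


def spoof_match_probability(n_enrolled, k_requested, m_spoofed):
    """Exact chance that every requested finger is one the imposter
    holds spoofed data for: C(m, k) / C(n, k)."""
    if not 1 <= k_requested <= n_enrolled:
        raise ValueError("k_requested must be between 1 and n_enrolled")
    if not 0 <= m_spoofed <= n_enrolled:
        raise ValueError("m_spoofed must be between 0 and n_enrolled")
    return Fraction(comb(m_spoofed, k_requested), comb(n_enrolled, k_requested))


def success_within_attempts(p, attempts):
    """Cumulative chance of at least one usable challenge when every
    attempt draws a fresh random challenge (assumed retry policy)."""
    return 1 - (1 - p) ** attempts


if __name__ == "__main__":
    print("challenge:", pick_challenge(ENROLLED, 2))
    one = spoof_match_probability(3, 1, 1)
    print("1 of 3 requested, 1 spoofed:", one)
    print("same, 3 retries allowed:", success_within_attempts(one, 3))
    print("2 of 3 requested, 1 spoofed:", spoof_match_probability(3, 2, 1))
    print("2 of 3 requested, 2 spoofed:", spoof_match_probability(3, 2, 2))
```

With one finger requested out of three, unlimited fresh retries erode most of the benefit, which is why the randomized request only helps when paired with an attempt limit or the two-fingerprint requirement.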
