Brent Kennedy
Biometrics – Fingerprints

Agenda
• Overview
• Security Issues
• Usability Issues
• Bring it all together
• Discussion

What is a fingerprint?
• Sequence of ridges and valleys
• No two fingerprints can be exactly the same
• Even two imprints from the same finger are different
• Reliable and efficient biometric
• There are still cons
• Scanners work by imaging the print and using an algorithm to compare images
http://denis.biometric-fingerprint.com/?cat=7
http://en.wikipedia.org/wiki/Fingerprint

Security Issues
• Storage
  • How are the fingerprints stored?
  • Who can access them?
• Privacy
  • Can fingerprints lead to more information?
• Device
  • Is it susceptible to over the shoulder peeks?
  • Does it leave a trace?
  • Can it be spoofed?

Fingerprint Spoofing
• Small experiment done at W&J College
• January 2006
• Aimed to spoof fingerprints using common household items
• Total Cost: $12.82
• Cast:
  • Play-Doh
  • Gummy bears
  • Model Magic
  • Silly Putty
  • Modeling clay
  • Tac N’ Stik
• Mold:
  • Paraffin wax
http://www.washjeff.edu/users/ahollandminkley/Biometric/index.html

Fingerprint Spoofing (Cont.)
• Devices
  • Microsoft Fingerprint Reader
  • APC Biometric Security device

Fingerprint Spoofing (Cont.)
• What failed…
  • One-step method of taking a print directly from the source (no cast)
  • Gummy bears: Myth busted!
    • Wouldn’t even hold a fingerprint
  • Tac N’ Stik worked too well
    • Picked up old prints from the scanner
  • Silly Putty stuck to the device
  • Play-Doh was too soft to withstand pressure

Fingerprint Spoofing (Cont.)
• Success!
  • Very soft piece of wax flattened against hard surface
  • Press the finger to be molded for 5 minutes
  • Transfer wax to freezer for 10-15 minutes
  • Firmly press modeling material into cast
  • Press against the fingerprint reader
  • Replicated several times

Fingerprint Spoofing (Cont.)
• Modified approach on the APC device
  • Requires less pressure so Play-Doh can be used
  • Form the Play-Doh around the scanner surface
  • Then place the flat surface in the cast
  • More patience required to get authorized
  • After time, the mold becomes too soft to use

Fingerprint Spoofing (Cont.)
• Caveats
  • Molding material becomes firm and brittle quickly
    • Hard to make a cast ahead of time
  • Very high quality mold is required
    • Attacker may need more advanced materials
  • All molds were of the thumb
    • Smaller prints may cause additional problems

Usability Issues
• The main usability factors for fingerprints:
  • Scanner height/angle
  • Training conditions
  • Age
  • Habituation
  • Supervision

Usability Issues (Cont.)
• Height/Angle
  • Efficiency (time) not significantly affected by height or angle
  • Quality significantly affected by height but not angle
  • Still hard to determine optimal height
  • Overall satisfaction affected by height, angle, and user height
http://zing.ncsl.nist.gov/biousa/docs/NISTIR-7504%20height%20angle.pdf

Usability Issues (Cont.)
• Age
  • 18-25 age range gave consistent good prints
  • Prints get worse as age increases
  • Men overall better than women
• Habituation
  • No trend to print quality over time
  • Users didn’t know how to fix bad prints
http://zing.ncsl.nist.gov/biousa/docs/WP302_Theofanos.pdf

Usability Issues (Cont.)
• Training/Supervision
  • Poster had worst success rate: 56%
  • Verbal vs. video instruction had equal success
  • Assistance significantly increased success rate
    • 78% without assistance
    • 98% with assistance
http://zing.ncsl.nist.gov/biousa/docs/NISTIR-7403-Ten-Print-Study-03052007.pdf

Bringing it all together…
• Can better usability solve the spoofing problem?
  • It can help
  • Smaller scanning area
  • Slap vs. roll
  • Better algorithms with better feedback