Biometric Spoofing

Fake fingerprints aren’t difficult to make, but they are difficult to use.

In biometric identification terminology, “spoofing” is the process of presenting a fake biometric (e.g. a gummy fingerprint) to a system in order to gain access. I don’t often write about biometric spoofing because I personally find it one of the less interesting aspects of biometrics. I don’t mean to discount it as a problem, because it is a real vulnerability for biometric systems. It is just that it is often used as a way to say “biometric systems are useless because of spoofing”. I find this kind of argument annoying because every security system has vulnerabilities, and those vulnerabilities don’t make the system useless. As a simple example, the vast majority of locks used on home and office doors can be easily picked, but we still use them. Risk management is about understanding risks and controlling them, not eliminating them.

A recent blog post hit two of my triggers — it claimed that without spoof protection biometrics are useless, and it indulged one of my personal peeves about commercial blogs, namely the “without my company’s X, Y is useless” pattern. The literal title was “Without Spoof-Proof Liveness, Biometrics Will Never Replace Passwords”. I find this wrong on many levels. First, the use of the word “never” in a technology sense is never a good idea (see what I did there?). There are certainly plenty of cases where a biometric is good enough. For example, my phone. I know a super-dedicated attacker might be able to spoof a fingerprint on my phone, but I am OK with that. It is a balance of convenience and security.

The blog also talks about the company’s use of ISO 30107, a standard dealing with biometric spoofing (presentation attack detection). Standards can be great for establishing a common vocabulary and measurement approach. However, in the area of spoofing, a standard can (at best) only provide you with measured protection against the well-known attacks that were included in the test. At worst, it can give you a false sense of security.
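To make that caveat concrete, here is an added example (not from the original post or from the company it discusses) that computes the two error rates ISO/IEC 30107-3 uses to report presentation attack detection (PAD) results: APCER, the fraction of attack presentations of a given presentation attack instrument (PAI) species that the PAD wrongly accepts as bona fide, and BPCER, the fraction of live presentations it wrongly rejects. The species names, counts and the "in the wild" list are constructed for illustration. The point it shows is that APCER is only ever defined per tested species, so a species that was not in the evaluation has no number at all.

```python
"""Worked example of ISO/IEC 30107-3 style PAD error rates.

All data below is constructed for illustration; the species names and
counts are invented and do not describe any real product or evaluation.
"""
from collections import defaultdict

# Each record: (is_attack, pai_species, classified_bona_fide)
#   is_attack            True for a presentation attack, False for a live (bona fide) presentation
#   pai_species          the PAI species used (e.g. "gelatin"); None for bona fide presentations
#   classified_bona_fide True if the PAD subsystem let the presentation through
SAMPLE = (
    [(False, None, True)] * 97 + [(False, None, False)] * 3            # 100 live, 3 wrongly rejected
    + [(True, "gelatin", True)] * 2 + [(True, "gelatin", False)] * 48   # 50 gelatin fakes, 2 got through
    + [(True, "silicone", True)] * 10 + [(True, "silicone", False)] * 40  # 50 silicone fakes, 10 got through
)


def apcer_by_species(records):
    """APCER per PAI species: share of attacks of that species accepted as bona fide."""
    attempts, accepted_attacks = defaultdict(int), defaultdict(int)
    for is_attack, species, accepted in records:
        if is_attack:
            attempts[species] += 1
            if accepted:
                accepted_attacks[species] += 1
    return {species: accepted_attacks[species] / attempts[species] for species in attempts}


def bpcer(records):
    """BPCER: share of bona fide presentations wrongly classified as attacks."""
    live_decisions = [accepted for is_attack, _, accepted in records if not is_attack]
    return sum(1 for accepted in live_decisions if not accepted) / len(live_decisions)


def reported_apcer(records):
    """Headline figure: the worst (highest) APCER across the species that were tested."""
    return max(apcer_by_species(records).values())


def untested_species(records, species_in_the_wild):
    """Attack species the evaluation says nothing about, however good the reported APCER."""
    tested = set(apcer_by_species(records))
    return sorted(set(species_in_the_wild) - tested)


if __name__ == "__main__":
    print("APCER per species:", apcer_by_species(SAMPLE))
    print("BPCER:", bpcer(SAMPLE))
    print("Reported (max) APCER:", reported_apcer(SAMPLE))
    # "3d_printed" is a constructed stand-in for an attack the test never exercised
    print("Not covered by the test:", untested_species(SAMPLE, ["gelatin", "silicone", "3d_printed"]))
```

A vendor quoting "APCER 4%" may be quoting the best species rather than the worst, and neither number says anything about a PAI species that appeared after the test was run, which is exactly the gap a new attack walks through.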

A biometric system that is sensitive enough to need spoof protection is sensitive enough to need a second factor (e.g. PIN/password). Relying upon spoof protection is only going to protect you for a short while until new attacks are discovered. It will never be a perfect solution.


Originally published at www.tacticalinfosys.com.
